Kaspersky researchers found that firmware bootkit MoonBounce hides in one of the computer’s essential parts: Unified Extensible Firmware Interface (UEFI) firmware.
According to the cybersecurity solutions company, MoonBounce was first detected in 2021 and demonstrated a sophisticated attack flow, with evident advancement in comparison to formerly reported UEFI firmware bootkits. It was linked to well-known advanced persistent threat (APT) actor APT41.
According to Kaspersky, MoonBounce is only the third reported UEFI bootkit found in the wild that has been found using the firm’s Firmware Scanner. When compared to the two previously discovered bootkits, LoJax and MosaicRegressor, MoonBounce has a more complicated attack flow and greater technical sophistication.
Kaspersky researchers explained that the implant rests in the CORE_DXE component of the firmware, which is called upon early during the UEFI boot sequence. Then, through a series of hooks that intercept certain functions, the implant’s components make their way into the operating system, where they reach out to a command and control server in order to retrieve further malicious payloads, which we were unable to retrieve. It’s worth noting that the infection chain itself does not leave any traces on the hard drive, as its components operate in memory only, thus facilitating a fileless attack with a small footprint.
While analyzing MoonBounce, Kaspersky researchers uncovered several malicious loaders and post-exploitation malware across several nodes of the same network. This includes ScrambleCross or Sidewalk, an in-memory implant that can communicate to a C2 server to exchange information and execute additional plugins, Mimikat_ssp, a publicly available post-exploitation tool used to dump credentials and security secrets, a formerly unknown Golang based backdoor, and Microcin, malware that is typically used by the SixLittleMonkeys threat actor.
The exact infection vector remains unknown, however, it is assumed that the infection occurs through remote access to the targeted machine. In addition, while LoJax and MosaicRegressor utilized additions of DXE drivers, MoonBounce modifies an existing firmware component for a more subtle and stealthier attack.
In the overall campaign against the network in question, it was evident that the attackers carried out a wide range of actions, such as archiving files and gathering network information. Commands used by attackers throughout their activity suggest they were interested in lateral movement and exfiltration of data, and, given that a UEFI implant was used, it is likely the attackers were interested in conducting ongoing espionage activity.
Kaspersky researchers have attributed MoonBounce with considerable confidence to APT41, which has been widely reported to be a Chinese-speaking threat actor that’s conducted cyberespionage and cybercrime campaigns around the world since at least 2012. In addition, the existence of some of the aforementioned malware in the same network suggests a possible connection between APT41 and other Chinese-speaking threat actors.
So far, the firmware bootkit has only been found in a single case. However, other affiliated malicious samples (e.g. ScrambleCross and its loaders) have been found on the networks of several other victims.
In order to stay protected from UEFI bootkits like MoonBounce, Kaspersky recommends:
- Provide your SOC team with access to the latest threat intelligence (TI). The Kaspersky Threat Intelligence Portal is a single point of access for the company’s TI, providing cyberattack data and insights gathered by Kaspersky over more than 20 years.
- For endpoint level detection, investigation and timely remediation of incidents, implement EDR solutions, such as Kaspersky Endpoint Detection and Response.
- Use a robust endpoint security product that can detect the use of firmware, such as Kaspersky Endpoint Security for Business.
- Regularly update your UEFI firmware and only use firmware from trusted vendors.
- Enable Secure Boot by default, notably BootGuard and TPMs where applicable