New UEFI Bootkit called MoonBounce

Researchers have discovered a sophisticated new type of malware that targets UEFI firmware; it is called MoonBounce. The bootkit (also referred to as rootkit malware) is suspected to be associated with APT41 (Advanced Persistent Threat 41), a group of hackers who have been robbing businesses for many years.

Researchers at Kaspersky Labs discovered the new malware. It is the third known type that infects UEFI firmware; the first two were FinFisher and ESPecter.

  • The malware is injected into the SPI flash chip on the motherboard, meaning it cannot be removed even by replacing the hard disk.
  • The injected code is stored in the CORE_DXE component, which runs during the early boot sequence of UEFI.
  • Once MoonBounce makes its way into the OS, it may reach out to a server to obtain further payloads.
  • Additionally, the infection chain leaves no evidence behind and works entirely in memory, facilitating a fileless attack.

The attackers' main goal is to establish a foothold within the network and steal sensitive information. The attacks were highly targeted: only a single firm was found with the firmware rootkit, whereas other malware samples were found on other victims' machines.

MoonBounce is a dangerous, advanced threat, so researchers recommend turning on Secure Boot and updating your firmware regularly. You should also verify that Boot Guard is enabled and enable the TPM.
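The checks above are easy to state and easy to get wrong, so here is a small host-side verifier, written for this post as an added example (it is not code from the original article or from Kaspersky). It assumes a Linux host with efivarfs mounted at /sys/firmware/efi/efivars and the kernel TPM class at /sys/class/tpm; the GUID is the standard UEFI global-variable namespace. It reads the SecureBoot and SetupMode variables (Secure Boot only enforces when SecureBoot is 1 and SetupMode is 0), checks that a TPM device is exposed, and hashes a caller-chosen region of a dumped SPI flash image against a known-good SHA-256, since a whole-image hash will differ on every boot because of the NVRAM variable store. The region offsets and expected hash are inputs you supply from the vendor firmware layout; the sample bytes in the comments are constructed.

```python
"""Host-side verification of the MoonBounce mitigations: Secure Boot state,
TPM presence and firmware-image integrity.  Added example, not code from
the original post or from Kaspersky.  Assumes Linux with efivarfs mounted at
/sys/firmware/efi/efivars and the kernel TPM class at /sys/class/tpm."""
import hashlib
import hmac
import os
import struct

# Standard UEFI global-variable namespace GUID used for SecureBoot and SetupMode.
EFI_GLOBAL_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFIVARS_DIR = "/sys/firmware/efi/efivars"
TPM_CLASS_DIR = "/sys/class/tpm"


def parse_efivar(raw: bytes) -> tuple:
    """efivarfs files begin with a 4-byte little-endian attribute mask, then the
    variable data.  Returns (attributes, data)."""
    if len(raw) < 4:
        raise ValueError("efivar record too short")
    (attrs,) = struct.unpack("<I", raw[:4])
    return attrs, raw[4:]


def secure_boot_enabled(secureboot_raw: bytes, setupmode_raw: bytes) -> bool:
    """Secure Boot is only enforcing when SecureBoot == 1 AND SetupMode == 0.
    SetupMode == 1 means no platform key is enrolled, so boot components are
    not signature-checked even if SecureBoot reads 1."""
    _, sb = parse_efivar(secureboot_raw)
    _, sm = parse_efivar(setupmode_raw)
    return len(sb) >= 1 and sb[0] == 1 and len(sm) >= 1 and sm[0] == 0


def read_secure_boot_state(efivars_dir: str = EFIVARS_DIR) -> bool:
    """Read both variables from efivarfs; raises OSError on non-UEFI hosts."""
    def read_var(name):
        with open(os.path.join(efivars_dir, f"{name}-{EFI_GLOBAL_GUID}"), "rb") as f:
            return f.read()
    return secure_boot_enabled(read_var("SecureBoot"), read_var("SetupMode"))


def tpm_present(tpm_class_dir: str = TPM_CLASS_DIR) -> bool:
    """The kernel exposes each TPM as /sys/class/tpm/tpmN."""
    if not os.path.isdir(tpm_class_dir):
        return False
    return any(n.startswith("tpm") for n in os.listdir(tpm_class_dir))


def firmware_region_matches(image: bytes, offset: int, length: int,
                            expected_sha256_hex: str) -> bool:
    """Hash one region of a dumped SPI flash image and compare it with a
    known-good SHA-256.  Compare the code-carrying firmware volumes (for
    example the one holding CORE_DXE) rather than the whole dump, whose NVRAM
    store changes on every boot.  Offset/length are caller-supplied from the
    vendor layout or a firmware parser."""
    if offset < 0 or length < 0 or offset + length > len(image):
        raise ValueError("region outside image")
    digest = hashlib.sha256(image[offset:offset + length]).hexdigest()
    # Constant-time compare; avoids leaking how much of the hash matched.
    return hmac.compare_digest(digest, expected_sha256_hex.lower())


def host_report(efivars_dir=EFIVARS_DIR, tpm_class_dir=TPM_CLASS_DIR) -> dict:
    """Run the checks that need no flash dump.  Unavailable data is reported
    as None, never as a pass."""
    try:
        sb = read_secure_boot_state(efivars_dir)
    except OSError:
        sb = None
    return {"secure_boot_enforcing": sb, "tpm_present": tpm_present(tpm_class_dir)}


if __name__ == "__main__":
    # Constructed efivar example: attributes 7 (NV|BS|RT), then data byte 1.
    # secure_boot_enabled(bytes([7, 0, 0, 0, 1]), bytes([7, 0, 0, 0, 0])) -> True
    for check, result in host_report().items():
        print(f"{check}: {result}")
```

Run it as root on the host you are checking; a result of None for Secure Boot means efivarfs was not readable, which should be treated as "unknown" and investigated, not as a pass. The region hash is meant to be compared against a hash you computed from the vendor's update package for the same firmware version.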

I hope this article was helpful. If you have any questions, please feel free to contact me. If you would like to be notified when I create a new post, you can subscribe to my blog alert.
