• About
  • Advertise
  • Careers
  • Contact Us
Wednesday, June 25, 2025
  • Login
No Result
View All Result
NEWSLETTER
Tech | Business | Economy
  • News
  • Tech
    • DisruptiveTECH
    • ConsumerTech
    • How To
    • TechTAINMENT
  • Business
    • Telecoms
    • Mobility
    • Environment
    • Travel
    • StartUPs
      • Chidiverse
    • TE Insights
    • Security
  • Partners
  • Economy
    • Finance
    • Fintech
    • Digital Assets
    • Personal Finance
    • Insurance
  • Features
    • IndustryINFLUENCERS
    • Guest Writer
    • EventDIARY
    • Editorial
    • Appointment
  • TECHECONOMY TV
  • Apply
  • TBS
  • BusinesSENSE For SMEs
  • Chidiverse
  • News
  • Tech
    • DisruptiveTECH
    • ConsumerTech
    • How To
    • TechTAINMENT
  • Business
    • Telecoms
    • Mobility
    • Environment
    • Travel
    • StartUPs
      • Chidiverse
    • TE Insights
    • Security
  • Partners
  • Economy
    • Finance
    • Fintech
    • Digital Assets
    • Personal Finance
    • Insurance
  • Features
    • IndustryINFLUENCERS
    • Guest Writer
    • EventDIARY
    • Editorial
    • Appointment
  • TECHECONOMY TV
  • Apply
  • TBS
  • BusinesSENSE For SMEs
  • Chidiverse
No Result
View All Result
Tech | Business | Economy
No Result
View All Result
Home Business Security

MoonBounce: Third known firmware bootkit shows major advancement

by Yinka Okeowo
January 26, 2022
in Security
0
UBA
Advertisements

Kaspersky’s researchers have uncovered the third case of a firmware bootkit in the wild. Dubbed MoonBounce, this malicious implant is hidden within a computer’s Unified Extensible Firmware Interface (UEFI) firmware, an essential part of computers, in the SPI flash, a storage component external to the hard drive.

Such implants are notoriously difficult to remove and are of limited visibility to security products.

Having first appeared in the wild in the northern Spring of 2021, MoonBounce demonstrates a sophisticated attack flow, with evident advancement in comparison to formerly reported UEFI firmware bootkits.

The campaign has been attributed with considerable confidence to the well-known advanced persistent threat (APT) actor APT41.

UEFI firmware is a critical component in the vast majority of machines; its code is responsible for booting up the device and passing control to the software that loads the operating system.

This code rests in what’s called SPI flash, a non-volatile storage external to the hard disk. If this firmware contains malicious code, then this code will be launched before the operating system, making malware implanted by a firmware bootkit especially difficult to delete; it can’t be removed simply by reformatting a hard drive or reinstalling an OS.

What’s more, because the code is located outside of the hard drive, such bootkits’ activity go virtually undetected by most security solutions unless they have a feature that specifically scans this part of the device.

MoonBounce is only the third reported UEFI bootkit found in the wild. It appeared in the northern Spring of 2021 and was first discovered by Kaspersky researchers when looking at the activity of their Firmware Scanner, which has been included in Kaspersky products since the beginning of 2019 to specifically detect threats hiding in the ROM BIOS, including UEFI firmware images.

When compared to the two previously discovered bootkits, LoJax and MosaicRegressor, MoonBounce demonstrates significant advancement with a more complicated attack flow and greater technical sophistication.

The implant rests in the CORE_DXE component of the firmware, which is called upon early during the UEFI boot sequence.

Then, through a series of hooks that intercept certain functions, the implant’s components make their way into the operating system, where they reach out to a command & control server in order to retrieve further malicious payloads, which we were unable to retrieve.

It’s worth noting that the infection chain itself does not leave any traces on the hard drive, as its components operate in memory only, thus facilitating a fileless attack with a small footprint.

While investigating MoonBounce, Kaspersky researchers uncovered several malicious loaders and post-exploitation malware across several nodes of the same network.

This includes ScrambleCross or Sidewalk, an in-memory implant that can communicate to a C2 server to exchange information and execute additional plugins, Mimikat_ssp, a publicly available post-exploitation tool used to dump credentials and security secrets, a formerly unknown Golang based backdoor, and Microcin, malware that is typically used by the SixLittleMonkeys threat actor.

It could be that MoonBounce downloads these pieces of malware or that previous infection by one of these pieces of malware serves as way of compromising the machine so that MoonBounce can gain a foothold in the network.

Another possible infection method for MoonBounce would be if the machine was compromised before it was supplied to the target company. In either case, it is assessed that the infection occurs through remote access to the targeted machine.

In addition, while LoJax and MosaicRegressor utilised additions of DXE drivers, MoonBounce modifies an existing firmware component for a more subtle and stealthier attack.

In the overall campaign against the network in question, it was evident that the attackers carried out a wide range of actions, such as archiving files and gathering network information.

Commands used by attackers throughout their activity suggest they were interested in lateral movement and exfiltration of data, and, given that a UEFI implant was used, it is likely the attackers were interested in conducting ongoing espionage activity.

Kaspersky has attributed MoonBounce with considerable confidence to APT41, which has been widely reported to be a Chinese-speaking threat actor that’s conducted cyberespionage and cybercrime campaigns around the world since at least 2012.

In addition, the existence of some of the aforementioned malware in the same network suggests a possible connection between APT41 and other Chinese-speaking threat actors.

So far, the firmware bootkit has only been found on a single machine for a holding company in the high-tech market; however, other affiliated malicious samples (e.g. ScrambleCross and its loaders) have been found on the networks of several other victims.

“While we can’t definitely connect the additional malware implants found during our investigation with MoonBounce specifically, it does appear as if some Chinese-speaking threat actors are sharing tools with one other to aid in their various campaigns; there especially seems to be a low confidence connection between MoonBounce and Microcin,” adds Denis Legezo, senior security researcher with GReAT.

“Perhaps more importantly, this latest UEFI bootkit shows same notable advancements when compared to MosaicRegressor, which we reported on back in 2020. In fact, transforming a previously benign core component in firmware to one that can facilitate malware deployment on the system is an innovation that was not seen in previous comparable firmware bootkits in the wild and makes the threat far stealthier. We predicted back in 2018 that UEFI threats would gain in popularity, and this trend does appear to be materialising. We would not be surprised to find additional bootkits in 2022. Fortunately, vendors have begun paying more attention to firmware attacks, and more firmware security technologies, such as BootGuard and Trusted Platform Modules, are gradually being adopted,” comments Mark Lechtik, senior security researcher with the Global Research and Analysis Team (GReAT) at Kaspersky.

Loading

Advertisements
MTN ADS

Author

  • Yinka Okeowo
    Yinka Okeowo

    View all posts
0Shares
Tags: Kaspersky researchersmalwareMoonBounce
Yinka Okeowo

Yinka Okeowo

Next Post

Entrepreneurship . Innovation . Technology: Canon EMEA and UN Women take educational workshops to Libya

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

I agree to the Terms & Conditions and Privacy Policy.

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Recommended

Volkswagen In-Car PAC-MAN Championship

Volkswagen Levels Up In-Car Entertainment with Exclusive PAC-MAN Championship Edition

2 months ago
Meta Creator Lab Live in Nigeria

Meta (Nigeria) Creator Lab Live in Lenses

2 years ago

Popular News

    Connect with us

    • About
    • Advertise
    • Careers
    • Contact Us

    © 2025 TECHECONOMY.

    No Result
    View All Result
    • News
    • Tech
      • DisruptiveTECH
      • ConsumerTech
      • How To
      • TechTAINMENT
    • Business
      • Telecoms
      • Mobility
      • Environment
      • Travel
      • StartUPs
        • Chidiverse
      • TE Insights
      • Security
    • Partners
    • Economy
      • Finance
      • Fintech
      • Digital Assets
      • Personal Finance
      • Insurance
    • Features
      • IndustryINFLUENCERS
      • Guest Writer
      • EventDIARY
      • Editorial
      • Appointment
    • TECHECONOMY TV
    • Apply
    • TBS
    • BusinesSENSE For SMEs

    © 2025 TECHECONOMY.

    Welcome Back!

    Login to your account below

    Forgotten Password?

    Retrieve your password

    Please enter your username or email address to reset your password.

    Log In
    Translate »
    This website uses cookies. By continuing to use this website you are giving consent to cookies being used. Visit our Privacy and Cookie Policy.