Kaspersky researchers attribute the MoonBounce implant to APT41.
Also known as Winnti, APT41 is a Chinese state-linked hacking group that has been active for at least a decade and is known for software supply-chain attacks (CCleaner, ASUS).
State-of-the-art firmware
MoonBounce is the "most advanced" UEFI firmware implant discovered to date, according to security analysts.
UEFI, short for Unified Extensible Firmware Interface, is the specification that defines how a computer's firmware hands the machine over to the operating system.
In practice, it is the low-level software that runs first, as soon as the PC is powered on.
It has largely replaced the legacy BIOS on PC motherboards since around 2012.
The catch is that attackers have found ways to plant malicious code in this firmware, a so-called "UEFI bootkit".
Such an implant lets them control a PC while staying invisible to antivirus software and any other security tool that runs at the operating-system level.
To stay hidden, these implants hijack the boot sequence and initialize before the operating system's security components are loaded.
They are usually placed in storage that an operating-system reinstall never touches.
In the MoonBounce case, the implant lives in the motherboard's SPI flash memory.
That location lets it survive a full OS reinstall and even a hard drive replacement; only reflashing the firmware removes it.
MoonBounce Malware
In MoonBounce, the malicious code is embedded in an existing firmware module (CORE_DXE).
It is therefore subtle and difficult to detect.
Once infected, the system is completely under the control of the hackers.
During boot, MoonBounce deploys a malicious driver into the Windows kernel's address space.
This first stage then injects malware into the svchost.exe (Host Process for Windows Services) system process.
In other words, by the time the computer has finished starting up, MoonBounce is already in place and running in the background.
The injected malware then connects to command and control (C&C) servers to download and install further payloads.
APT41 targets
Although the US Department of Justice identified and indicted five members of APT41 in September 2020, the existence of MoonBounce shows that the group has not been deterred by legal pressure.
According to the Kaspersky report, the group has compromised several companies active in the field of transport technologies.
The main objective of the group of cybercriminals is to gain a permanent foothold in the network and carry out cyber espionage actions by exfiltrating valuable data.
Kaspersky tips
Kaspersky researchers have not yet determined how MoonBounce was written into the UEFI firmware in the first place, that is, the initial infection vector.
In the meantime, the team provides some advice.
Kaspersky recommends updating UEFI firmware only with images obtained directly from the manufacturer.
The company also suggests making sure Intel Boot Guard is enabled.
Enabling the Trusted Platform Module (TPM) can provide additional protection.
Finally, Kaspersky recommends using a security solution that scans the system's firmware.
A way to detect problems and take action if UEFI malware is detected.
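The recommendations above are a checklist; the following script turns part of it into a repeatable host check. It is an added example written for this page, not code from Kaspersky or from the article, and it assumes a Linux host with the standard sysfs layout (/sys/firmware/efi/efivars for UEFI variables, /sys/class/tpm for TPM devices). The firmware comparison takes a raw SPI flash dump (for example one taken with flashrom or chipsec) and the vendor's image, and reports which 4 KiB blocks differ; a whole-image hash is deliberately not used, because the NVRAM variable store changes on every boot and would always mismatch. The block indices can then be mapped onto the firmware layout with a tool such as UEFITool to see whether a difference falls inside a DXE volume, where MoonBounce's modified CORE_DXE would sit. Every function takes its directory or file as an argument so it can be pointed at a test tree.

```shell
#!/bin/sh
# Added example, not part of the original article. Assumes a Linux host
# with the usual sysfs layout; all paths can be overridden for testing.

# Read the UEFI SecureBoot variable from efivars. Each efivars file is
# 4 bytes of attributes followed by the variable data; for SecureBoot the
# data is a single byte (1 = enabled, 0 = disabled).
secure_boot_state() {
    efivars="${1:-/sys/firmware/efi/efivars}"
    f=$(ls "$efivars"/SecureBoot-* 2>/dev/null | head -n 1)
    [ -n "$f" ] || { echo "unknown"; return 0; }
    v=$(od -An -tu1 -j4 -N1 "$f" | tr -d ' ')
    case "$v" in
        1) echo "enabled" ;;
        0) echo "disabled" ;;
        *) echo "unknown" ;;
    esac
}

# Succeeds (exit 0) if the kernel exposes at least one TPM device.
tpm_present() {
    tpmdir="${1:-/sys/class/tpm}"
    ls "$tpmdir"/tpm* >/dev/null 2>&1
}

# Print the indices of the blocks (default 4 KiB) that differ between the
# vendor firmware image and a raw SPI flash dump, one per line, ascending.
# cmp -l prints 1-based byte offsets of every differing byte; the awk
# filter collapses them to unique block numbers. Differences confined to
# the NVRAM region are expected; differences inside a DXE volume are not.
differing_blocks() {
    vendor="$1"; dump="$2"; bs="${3:-4096}"
    cmp -l "$vendor" "$dump" 2>/dev/null |
        awk -v bs="$bs" '{ b = int(($1 - 1) / bs); if (!(b in seen)) { seen[b] = 1; print b } }'
}

# Stand-alone usage: report the host's state, and compare images if given.
if [ "${1:-}" = "--check" ]; then
    echo "secure boot: $(secure_boot_state)"
    if tpm_present; then echo "tpm: present"; else echo "tpm: absent"; fi
    if [ -n "${2:-}" ] && [ -n "${3:-}" ]; then
        echo "blocks differing between $2 and $3:"
        differing_blocks "$2" "$3"
    fi
fi
```

Two caveats a practitioner would add: a dump taken from inside a compromised host can in principle be tampered with by the implant, so a dump read with an external SPI programmer clipped to the flash chip is the trustworthy baseline; and a Secure Boot "enabled" result says nothing about code that runs before the OS loader, which is exactly where a CORE_DXE modification executes. Boot Guard status cannot be read from sysfs at all and has to be checked with a firmware-aware tool such as chipsec.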