
Chinese hackers found using new UEFI firmware implants in targeted attacks


A previously undocumented firmware implant, deployed to maintain stealthy persistence as part of a targeted espionage campaign, has been linked to the Chinese-speaking Winnti advanced persistent threat (APT) group, also tracked as APT41.

Kaspersky, which codenamed the rootkit MoonBounce, described the malware as “the most advanced UEFI firmware implant found so far in the wild,” adding that “the purpose of the implant is to facilitate the deployment of user-mode malware that executes further payloads downloaded from the Internet in stages.”

Once rare in the threat landscape, firmware-based rootkits are fast becoming lucrative tools among established players, helping to gain a long-term foothold in a way that is not only difficult to detect but also difficult to remove.


The first firmware-level rootkit, known as LoJax, was discovered in the wild in 2018. Since then, three further instances of UEFI malware have been found: MosaicRegressor, FinFisher, and ESPecter.


MoonBounce is worrying for several reasons. Unlike FinFisher and ESPecter, which target the EFI system partition (ESP) on disk, the newly discovered rootkit (like LoJax and MosaicRegressor) targets SPI flash, non-volatile memory that sits outside the hard drive.


Because this highly persistent bootkit lives in SPI flash storage soldered to the computer’s motherboard, it cannot be removed by replacing the hard drive or even by reinstalling the operating system.

The Russian cybersecurity firm said it discovered the firmware rootkit in an incident last year, suggesting the attack was highly targeted. That said, the exact mechanism by which UEFI firmware is infected remains unclear.


Adding to its stealth is the fact that existing firmware components were tampered with to alter their behavior, rather than new drivers being added to the image. The goal is to divert the execution flow of the boot sequence into a malicious “chain of infection” that is injected into user mode during system startup. The malware then reaches out to a hardcoded remote server to retrieve the next-stage payload.
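Because the implant patches existing firmware components in place rather than adding new ones, a defender comparing a fresh SPI flash dump against a known-good image of the same firmware version should look for changed regions, not just a changed size. The script below is an added example (not Kaspersky’s tooling or anything from the report) that does a chunked SHA-256 comparison of two images; the 4 KiB chunk size, the sample images and the in-place modification are all constructed for the demonstration.

```python
import hashlib

CHUNK = 4096  # compare in 4 KiB pages (assumed granularity; adjust to your flash part)


def chunk_hashes(image: bytes, chunk: int = CHUNK) -> list:
    """SHA-256 digest of every fixed-size chunk of a firmware image."""
    return [hashlib.sha256(image[i:i + chunk]).hexdigest()
            for i in range(0, len(image), chunk)]


def diff_firmware(golden: bytes, dump: bytes, chunk: int = CHUNK) -> dict:
    """Compare a fresh SPI flash dump against a known-good image.

    Returns whether the sizes match and the byte offsets of every chunk whose
    content differs. An in-place patch of an existing module (same image size,
    no new driver) therefore still shows up as one or more modified offsets.
    Both images must come from the same firmware version: a legitimate vendor
    update changes the hashes too, so the baseline must be refreshed after one.
    """
    modified = [idx * chunk
                for idx, (g, d) in enumerate(zip(chunk_hashes(golden, chunk),
                                                 chunk_hashes(dump, chunk)))
                if g != d]
    return {"size_match": len(golden) == len(dump), "modified_offsets": modified}


# Constructed sample: a 64 KiB "golden" image, and a dump in which 16 bytes
# inside the third 4 KiB page were overwritten in place (size unchanged).
GOLDEN = bytes(range(256)) * 256
TAMPERED = bytearray(GOLDEN)
TAMPERED[2 * CHUNK + 100:2 * CHUNK + 116] = b"\x00" * 16

if __name__ == "__main__":
    print(diff_firmware(GOLDEN, bytes(TAMPERED)))
    # {'size_match': True, 'modified_offsets': [8192]}
```

In practice the golden image is a vendor-published capsule or a dump taken from a known-clean unit, and a hit at a given offset is the starting point for inspecting that region with a firmware analysis tool, not proof of an implant on its own.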

“The infection chain itself does not leave any traces on the hard drive, as its components only run in memory, facilitating a small-footprint fileless attack,” the researchers noted, adding that other non-UEFI implants were found on the target network communicating with the same infrastructure hosting the staging payload.


The main components deployed on multiple nodes in the network include a backdoor tracked as ScrambleCross (aka Crosswalk) and several post-exploitation malware implants, suggesting that after gaining initial access the attackers moved laterally from a specific machine.

To counter firmware-level modifications of this kind, it is recommended to update the UEFI firmware regularly and to enable protections such as Boot Guard, Secure Boot, and the Trusted Platform Module (TPM).

“MoonBounce marks a particular evolution of this group of threats, presenting a more sophisticated attack flow than its predecessors, and its authors, who have a higher level of technical proficiency, have demonstrated a thorough understanding of the finer details involved in the UEFI boot process,” the researchers said.


