Jump to content

MoonBounce

From Wikipedia, the free encyclopedia

MoonBounce is a UEFI firmware-based rootkit. It is linked to Chinese APT41 hacker group. MoonBounce was discovered by the researchers at Kaspersky in 2021.[1] It can disable Windows security tools and bypass User Account Control.[2]

The data shows that the attacks are highly targeted.[3] It is a landmark in a UEFI rootkit evolution.[4] It is the third known malware UEFI bootkit found.

Infection

[edit]

Kaspersky has detected the firmware rootkit in only one case so they didn't reveal much about its infection method. It is believed that it had been installed remotely.[5]

The SPI flash memory on the motherboard is the implanting location. CORE_DXE is the firmware laced component which is used during the first phases of the UEFI boot sequence. It hooks EFI Boot Services functions and inject more malware into a svchost.exe process during boot.[6]

It resides on a low level portion of the hard drive. It operates in memory only which makes it undetectable on the HDD.[7]

References

[edit]
  1. ^ "New MoonBounce UEFI malware used by APT41 in targeted attacks". BleepingComputer. Archived from the original on 2023-01-17. Retrieved 2024-03-21.
  2. ^ Yusaf, Mansoor (2023-09-18). "MoonBounce UEFI Bootkit Malware". Propelex. Archived from the original on 2023-09-25. Retrieved 2024-03-21.
  3. ^ CG (2022-02-06). 電腦1週: PCStation Issue 1109 (in Chinese). Creative Games Limited.
  4. ^ Olyniychuk, Daryna (2023-03-14). "BlackLotus UEFI Bootkit Detection: Exploits CVE-2022-21894 to Bypass UEFI Secure Boot and Disables OS Security Mechanisms". SOC Prime. Archived from the original on 2023-03-31. Retrieved 2024-03-21.
  5. ^ Paulina, Adam (2023-11-14). "Running Malware Below the OS - The State of UEFI Firmware Exploitation". Binary Defense. Archived from the original on 2023-12-09. Retrieved 2024-03-21.
  6. ^ "MoonBounce: the dark side of UEFI firmware". securelist.com. 2022-01-20. Archived from the original on 2024-02-01. Retrieved 2024-03-21.
  7. ^ Yurchenko, Alla (2022-01-25). "The Most Refined UEFI Firmware Implant: MoonBounce Detection". SOC Prime. Archived from the original on 2023-06-03. Retrieved 2024-03-21.