MoonBounce: a new bootkit signed by APT41

Although the bootkit ecosystem is fortunately not overly populated, the appearance of new threats like MoonBounce is undoubtedly bad news, as this type of threat is particularly persistent. In case you don’t know what it is, a bootkit is a kind of rootkit that is installed in the system startup process, which gives the attacker full control of the system from the very start, even before the operating system loads. What does this mean? Well, they persist even if the operating system is reinstalled.

Added to their persistence is the fact that, due to their location, they go unnoticed by many security solutions, which do not inspect that specific region of the system. As you can imagine, developing malware of this type is fairly complex, so when something new appears, as is the case with MoonBounce, a key task is to find out who is behind it, both to understand their intentions and to use what is known about that group to work on a defence against the threat.

Such is the case with MoonBounce, a new firmware bootkit detected in the wild by Kaspersky, which hides within the UEFI firmware of affected computers. According to the security firm’s researchers, it shows considerably more complexity than similar threats detected in the past, which would make MoonBounce the most complex bootkit seen to date. The malware and the campaigns carried out with it are attributed, according to Kaspersky, to the well-known Chinese group APT41.

MoonBounce was first detected in the spring of 2021 by Kaspersky’s firmware scanner, one of the tools included in its security solutions. On analysis, the researchers determined that the malware installs itself in the CORE_DXE component of the firmware, which is used in an early phase of the UEFI boot sequence. From this initial step it intercepts various system functions and communicates with its command and control server, which of course could not be otherwise. In this way, it initiates the download of the various payloads that will determine the behaviour of the malware on the system.

MoonBounce: on the dark side of the moon of the system

To make it more difficult to trace, MoonBounce significantly reduces its footprint by leaving no trace on the hard drive of the attacked system. All its operations are carried out exclusively in memory, making it impossible for disk-based forensic analysis to recover the malicious payloads downloaded and used by the malware. This is why early detection, based on analysis of the system’s firmware itself, is a key element in countering the threat it poses.
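One concrete form that firmware-level detection can take is comparing every file in a dumped UEFI firmware volume against a known-good baseline, so that a modified CORE_DXE shows up even though nothing touches the disk. The following is an added example, not Kaspersky’s scanner or code from the article; the GUIDs and the firmware volume it builds are constructed test data (a real check would parse an SPI flash dump and a vendor-supplied clean image).

```python
import hashlib
import struct
import uuid
# EFI_FFS_FILE_HEADER: Name, IntegrityCheck, Type, Attributes, Size (24-bit), State
FFS_HEADER = struct.Struct("<16sHBB3sB")
FV_SIGNATURE = b"_FVH"
# Constructed GUIDs standing in for the CORE_DXE file and one other driver (real ones are firmware-specific).
CORE_DXE_GUID = uuid.UUID("11111111-2222-3333-4444-555555555555")
OTHER_DRIVER_GUID = uuid.UUID("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee")

def parse_fv(image: bytes):
    """Yield (guid, file_type, body) for each FFS file in a UEFI firmware volume."""
    if image[40:44] != FV_SIGNATURE:
        raise ValueError("not a UEFI firmware volume")
    fv_len = struct.unpack_from("<Q", image, 32)[0]
    off = struct.unpack_from("<H", image, 48)[0]  # HeaderLength: first file starts here
    while off + FFS_HEADER.size <= fv_len:
        name, _chk, ftype, _attr, size3, _state = FFS_HEADER.unpack_from(image, off)
        size = int.from_bytes(size3, "little")
        if name == b"\xff" * 16 or size < FFS_HEADER.size:
            break  # erased flash (free space) or corrupt header
        yield uuid.UUID(bytes_le=name), ftype, image[off + FFS_HEADER.size:off + size]
        off = (off + size + 7) & ~7  # FFS files are 8-byte aligned

def build_fv(files):
    """Build a minimal FFS2 volume (constructed test data; real images come from an SPI flash dump)."""
    body = b""
    for guid, ftype, data in files:
        size = FFS_HEADER.size + len(data)
        body += FFS_HEADER.pack(guid.bytes_le, 0, ftype, 0, size.to_bytes(3, "little"), 0xF8) + data
        body += b"\xff" * (-len(body) % 8)
    hdr_len = 56 + 16  # fixed header plus one block-map entry and its terminator
    fv_len = hdr_len + len(body)
    hdr = b"\x00" * 16 + uuid.UUID("8c8ce578-8a3d-4f1c-9935-896185c32dd3").bytes_le  # FFS2 GUID
    hdr += struct.pack("<Q4sIHHHBBIIII", fv_len, FV_SIGNATURE, 0x4FEFF, hdr_len, 0, 0, 0, 2, 1, fv_len, 0, 0)
    return hdr + body

def baseline_of(image: bytes) -> dict:
    """Record the SHA-256 of every file body from a known-good image (e.g. the vendor's BIOS update)."""
    return {str(g): hashlib.sha256(b).hexdigest() for g, _t, b in parse_fv(image)}

def firmware_diff(image: bytes, baseline: dict) -> list:
    """Report files whose body differs from the baseline, or that the baseline never had."""
    findings = []
    for guid, _ftype, body in parse_fv(image):
        expected = baseline.get(str(guid))
        if expected != hashlib.sha256(body).hexdigest():
            findings.append(("unexpected" if expected is None else "modified", str(guid)))
    return findings
```

A mismatch on a core file such as CORE_DXE is the signal to pull the full dump for analysis; volumes nested inside compressed sections would need unpacking before this file-level comparison applies.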

During their analysis, the company’s researchers detected several previously known malicious payloads, such as ScrambleCross, Mimikat_ssp and Microcin, among others, demonstrating MoonBounce’s strong attack capabilities once it has managed to infect a system. Analysing its behaviour, the researchers also found several elements specifically aimed at carrying out more subtle and stealthy attacks.


The combination of MoonBounce’s capabilities and complexity, together with its more than likely authorship by APT41, leads the researchers to conclude that its main goals are lateral movement and data exfiltration, from which we can infer that its targets are organisations, whether public or private, and that espionage is its main mission. One more clue in this regard is that the only sample detected so far was found on a system within the infrastructure of a company dedicated to high technology.

“Perhaps most importantly, this latest UEFI bootkit shows notable advances compared to MosaicRegressor, which we reported on in 2020. Transforming a previously benign core component in the firmware to one that can make it easier to deploy malware on the system is an innovation that has not been seen in previous ‘in the wild’ firmware bootkits and makes the threat much more stealthy.

We already predicted in 2018 that UEFI threats would gain in popularity, and this trend seems to be materializing. We wouldn’t be surprised to see more bootkits in 2022. Fortunately, vendors have started to pay more attention to firmware attacks, and more firmware security technologies such as BootGuard and Trusted Platform Modules are gradually being adopted,” says Mark Lechtik, senior security researcher at Kaspersky’s Global Research and Analysis Team (GReAT).

“Although we cannot definitively link the additional malware implants found during our investigation to MoonBounce specifically, it appears that some Chinese-speaking threat actors are sharing tools with each other to aid in their various campaigns; especially there seems to be a low-trust connection between MoonBounce and Microcin,” adds Denis Legezo, senior security researcher at GReAT.
