MoonBounce

From Wikipedia, the free encyclopedia

MoonBounce is a UEFI firmware implant (bootkit) that resides in a computer's SPI flash memory rather than on its disk. It was discovered by researchers at Kaspersky in 2021 and is attributed to the Chinese state-sponsored group APT41.[1] It has been reported to disable Windows security tools and bypass User Account Control.[2]

Telemetry indicates that the attacks were highly targeted.[3] Kaspersky described MoonBounce as a marked evolution in UEFI firmware bootkits,[4] and it was only the third UEFI firmware implant found in the wild, after LoJax and MosaicRegressor.

Infection

Kaspersky found the firmware implant on only a single machine, so little is known about how it was installed. The firmware is believed to have been modified remotely, without physical access to the SPI flash chip.[5]

The implant is stored in the SPI flash memory on the motherboard, which holds the UEFI firmware image. The modified component is CORE_DXE, a core driver of the DXE phase that sets up the EFI Boot Services table early in the UEFI boot sequence. The tampered CORE_DXE hooks several EFI Boot Services functions (AllocatePool, CreateEventEx and ExitBootServices); through these hooks it follows the boot process from the Windows loader into the kernel, where it ultimately injects a user-mode payload into a svchost.exe process that contacts a command-and-control server.[6]

Because the implant lives in the firmware flash rather than on the hard drive, reinstalling the operating system or replacing the disk does not remove it. The later stages of the infection chain run in memory only and leave no traces on the hard drive, so disk-based detection misses them.[7]
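The practical check against an implant of this kind is to dump the SPI flash (for example with chipsec or flashrom) and compare each firmware module against a clean vendor image. The following is an added example, not code from the Kaspersky report or from MoonBounce itself: a minimal walker for the EFI Firmware File System (FFS) that hashes every file in a firmware volume and reports modules that differ between a baseline and a dump. The two images are constructed in build_fv() for the demonstration; the DXE core GUID is EDK2's DxeCore FILE_GUID used as a stand-in for a vendor's CORE_DXE, and the driver GUID and code bytes are made up.

```python
"""Diff UEFI firmware volume modules between a vendor baseline and an SPI dump.

Added example (not from the MoonBounce report). Implements a minimal EFI FFS
walker and reports files whose body hash differs between two images.
"""
import hashlib
import struct
import uuid

FV_SIGNATURE = b"_FVH"
FFS_HDR_LEN = 24                # EFI_FFS_FILE_HEADER size
FFS_ATTRIB_LARGE_FILE = 0x01    # header is followed by a 64-bit ExtendedSize
FV_FILETYPE_DXE_CORE = 0x05
FV_FILETYPE_DRIVER = 0x07
FFS_PAD = 0xF0                  # padding files carry no module
FFS2_GUID = uuid.UUID("8c8ce578-8a3d-4f1c-9935-896185c32dd3")  # standard FFS2 filesystem GUID


def parse_fv(image: bytes, base: int = 0) -> dict:
    """Walk one firmware volume at `base`; return {guid: (file_type, body)}."""
    # EFI_FIRMWARE_VOLUME_HEADER after the 16-byte ZeroVector:
    # FileSystemGuid, FvLength, Signature, Attributes, HeaderLength, Checksum,
    # ExtHeaderOffset, Reserved, Revision
    (_fs_guid, fv_len, sig, _attrs, hdr_len, _csum, _ext, _res, _rev) = struct.unpack_from(
        "<16sQ4sIHHHBB", image, base + 16)
    if sig != FV_SIGNATURE:
        raise ValueError("no _FVH signature at offset %#x" % base)
    end = base + fv_len
    off = (base + hdr_len + 7) & ~7          # FFS files are 8-byte aligned
    files = {}
    while off + FFS_HDR_LEN <= end:
        name, _ic, ftype, fattr, s0, s1, s2, _state = struct.unpack_from("<16sHBBBBBB", image, off)
        if name == b"\xff" * 16:             # erased flash: no more files
            break
        size = s0 | (s1 << 8) | (s2 << 16)   # 24-bit size includes the header
        file_hdr_len = FFS_HDR_LEN
        if fattr & FFS_ATTRIB_LARGE_FILE:
            size = struct.unpack_from("<Q", image, off + FFS_HDR_LEN)[0]
            file_hdr_len += 8
        if size < file_hdr_len or off + size > end:
            raise ValueError("corrupt FFS file at offset %#x" % off)
        if ftype != FFS_PAD:
            guid = str(uuid.UUID(bytes_le=name))   # EFI GUIDs use mixed-endian layout
            files[guid] = (ftype, image[off + file_hdr_len:off + size])
        off = (off + size + 7) & ~7
    return files


def diff_modules(baseline: bytes, dump: bytes) -> dict:
    """Return {guid: 'modified'|'added'|'missing'} for files whose SHA-256 differs."""
    base, cur = parse_fv(baseline), parse_fv(dump)
    report = {}
    for guid in sorted(set(base) | set(cur)):
        h_base = hashlib.sha256(base[guid][1]).hexdigest() if guid in base else None
        h_cur = hashlib.sha256(cur[guid][1]).hexdigest() if guid in cur else None
        if h_base != h_cur:
            report[guid] = "missing" if h_cur is None else "added" if h_base is None else "modified"
    return report


def build_fv(files: list) -> bytes:
    """Assemble a minimal single-block firmware volume (constructed test fixture)."""
    body = b""
    for guid, ftype, data in files:
        size = FFS_HDR_LEN + len(data)
        body += guid.bytes_le + struct.pack("<HBBBBBB", 0, ftype, 0,
                                            size & 0xFF, (size >> 8) & 0xFF, (size >> 16) & 0xFF, 0xF8)
        body += data + b"\xff" * (-(len(body) + len(data)) % 8)
    hdr_len = 72                              # 56-byte fixed header + one block-map entry + terminator
    fv_len = hdr_len + len(body)
    hdr = b"\x00" * 16 + FFS2_GUID.bytes_le
    hdr += struct.pack("<Q4sIHHHBB", fv_len, FV_SIGNATURE, 0, hdr_len, 0, 0, 0, 2)
    hdr += struct.pack("<IIII", 1, fv_len, 0, 0)   # block map: one block, then terminator
    return hdr + body


# Constructed sample data. DXE_CORE_GUID is EDK2's DxeCore FILE_GUID, standing in
# for a vendor CORE_DXE; the driver GUID and the code bytes are made up.
DXE_CORE_GUID = uuid.UUID("d6a2cb7f-6a18-4e2f-b43b-9920a733700a")
DRIVER_GUID = uuid.UUID("11111111-2222-3333-4444-555555555555")
GOOD_CORE = b"\x48\x83\xec\x28" + b"\x90" * 60
PATCHED_CORE = GOOD_CORE[:4] + b"\xe9\x00\x10\x00\x00" + GOOD_CORE[9:]   # same size, jmp patched in
BASELINE_IMAGE = build_fv([(DXE_CORE_GUID, FV_FILETYPE_DXE_CORE, GOOD_CORE),
                           (DRIVER_GUID, FV_FILETYPE_DRIVER, b"driver body")])
DUMP_IMAGE = build_fv([(DXE_CORE_GUID, FV_FILETYPE_DXE_CORE, PATCHED_CORE),
                       (DRIVER_GUID, FV_FILETYPE_DRIVER, b"driver body")])

if __name__ == "__main__":
    for guid, status in diff_modules(BASELINE_IMAGE, DUMP_IMAGE).items():
        print(status, guid)
```

Real SPI dumps contain several volumes, and vendor images usually keep the DXE volume LZMA-compressed inside a firmware-volume-image file, so in practice the walker has to recurse into those sections or the volumes are extracted first with UEFITool or uefi_firmware-parser. The baseline must come from the vendor's own update package, not from the suspect machine, since a dump compared against itself proves nothing.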

References

  1. ^ "New MoonBounce UEFI malware used by APT41 in targeted attacks". BleepingComputer. Archived from the original on 2023-01-17. Retrieved 2024-03-21.
  2. ^ Yusaf, Mansoor (2023-09-18). "MoonBounce UEFI Bootkit Malware". Propelex. Archived from the original on 2023-09-25. Retrieved 2024-03-21.
  3. ^ CG (2022-02-06). 電腦1週: PCStation Issue 1109 (in Chinese). Creative Games Limited.
  4. ^ Olyniychuk, Daryna (2023-03-14). "BlackLotus UEFI Bootkit Detection: Exploits CVE-2022-21894 to Bypass UEFI Secure Boot and Disables OS Security Mechanisms". SOC Prime. Archived from the original on 2023-03-31. Retrieved 2024-03-21.
  5. ^ Paulina, Adam (2023-11-14). "Running Malware Below the OS - The State of UEFI Firmware Exploitation". Binary Defense. Archived from the original on 2023-12-09. Retrieved 2024-03-21.
  6. ^ "MoonBounce: the dark side of UEFI firmware". securelist.com. 2022-01-20. Archived from the original on 2024-02-01. Retrieved 2024-03-21.
  7. ^ Yurchenko, Alla (2022-01-25). "The Most Refined UEFI Firmware Implant: MoonBounce Detection". SOC Prime. Archived from the original on 2023-06-03. Retrieved 2024-03-21.