spainter_vfx - stock.adobe.com
A new firmware bootkit discovered in the wild shows dramatic improvements over previous such tools, according to the Kaspersky researchers who uncovered it. Dubbed MoonBounce, this malicious implant hides in a computer’s unified extensible firmware interface (UEFI) firmware in the system’s SPI flash – a storage component external to the hard drive, making it hard to remove and hard for proprietary security products to spot.
MoonBounce is the third bootkit discovered in the wild – the others are LoJax and MosaicRegressor – and compared to those, it demonstrates “significant advancement, with a more complicated attack flow and greater technical sophistication”. Kaspersky first spotted it in 2021 through its Firmware Scanner, which is designed to detect threats hiding in the ROM BIOS, including UEFI firmware images.
“This latest UEFI bootkit shows some notable advancements when compared to MosaicRegressor, which we reported on back in 2020,” said Mark Lechtik, a senior researcher on Kaspersky’s Global Research and Analysis Team (GReAT). “In fact, transforming a previously benign core component in firmware to one that can facilitate malware deployment on the system is an innovation that was not seen in previous comparable firmware bootkits in the wild and makes the threat far stealthier.
“We predicted back in 2018 that UEFI threats would gain in popularity, and this trend does appear to be materialising. We would not be surprised to find additional bootkits in 2022. Fortunately, vendors have begun paying more attention to firmware attacks, and more firmware security technologies, such as BootGuard and Trusted Platform Modules, are gradually being adopted.”
Kaspersky’s research team say they can attribute the use of MoonBounce in cyber attacks with “considerable confidence” to the APT41 advanced persistent threat (APT) group – a China-backed op that also goes by the name of Barium, Winnti, Wicked Panda or Wicked Spider, depending on whose threat intel service you subscribe to.
UEFI firmware is important because it is a critical component in the vast majority of computers, where it serves to boot the device and pass control to the software that loads the operating system (OS). The code that does this rests in SPI flash.
If a malicious actor can successfully alter this firmware to include malicious code, they can potentially score big, because the code will be launched before the OS and therefore can implant malware that is very hard to delete – it can’t be removed through the relatively simple act of reformatting the hard drive or reinstalling the OS, for example.
On top of this, because the malicious code doesn’t rest on the hard drive, the activity of a malicious bootkit is virtually undetectable unless the IT team has bought into a security service that specifically scans this part of the system – as previously mentioned, Kaspersky has such a tool, but many others do not.
Read more about security relating to UEFI
- Dubbed Trickboot by researchers, Trickbot’s new features enable malicious actors to read, write or even erase UEFI/BIOS firmware.
- Kaspersky researchers have shared details of a APT campaign utilising a rarely seen and hard-to-stop variety of malware, MosaicRegressor.
- Eclypsium researchers discovered vulnerabilities that, if exploited, can allow remote code execution in a pre-boot environment for 128 different Dell products.
In the case of MoonBounce, the malicious implant rests in the firmware’s CORE_DXE component which springs into life very early in the UEFI boot process. By intercepting various functions during this process, MoonBounce’s components weasel their way into the device OS, from where they can contact their command and control (C2) infrastructure in order to retrieve malicious payloads. From here it is a quick hop, skip and jump to a full-blown cyber attack.
Kaspersky analysts said that in the specific incident they addressed, they found several malicious loaders and post-exploitation malware across several nodes of the network, including ScrambeCross, aka Sidewalk, an in-memory implant used to talk to a C2 server, and Mimikat_ssp, a post-exploit tool used to dump credentials, a previously unknown Golang-based backdoor, and the Microcin malware.
They said it was clear that MoonBounce’s operator had carried out a wide range of actions, archiving files and conducting network reconnaissance – most likely they were trying to attain the ability to move laterally through their target’s network, and given APT41’s modus operandi, were probably interested in corporate espionage.
They were not, however, able to establish the exact infection vector used by MoonBounce, but it may be a safe assumption that remote access protocols were exploited.
CISOs can take a number of specific steps to guard against MoonBounce, from standard actions such as providing their teams with up-to-date threat intel, endpoint detection and response (EDR) tools, and endpoint protection products that can specifically detect the use of firmware.
As regards protecting the UEFI itself, the firm recommends that defenders regularly update their UEFI firmware, using only firmware from trusted suppliers and, where applicable, enable secure boot by default.