MoonBounce, malicious code in UEFI

Last week, Kaspersky Lab experts published

detailed report

about the MoonBounce malware. MoonBounce is a bootkit: the code is injected into the UEFI firmware and thus can survive a hard drive replacement or a complete reinstallation of the operating system in a laptop or PC. The implant is designed to launch other malicious code, which in turn initiates the receipt of further payloads from the Internet.

Comparing the behavior of MoonBounce with other malicious code and analyzing the interaction with the network infrastructure, the researchers suggested that the Chinese-speaking group APT41 was behind the attack. MoonBounce uses fairly recent infection techniques. Prior to this, the ability to “pin” in the UEFI firmware on the motherboard was found only in two other recent attacks.

As is often the case, the authors of the study did not have access to all the components of the attack. In particular, the exact method of infecting a computer is unknown. However, some indirect signs suggest that the UEFI modification was carried out remotely. Previous attacks of this type (in particular, the LowJax malware described by ESET and the attack
MosaicRegressor) add DXE drivers to the firmware image. MoonBounce is more stealthy and modifies an existing firmware component by changing its behavior. The researchers suggest that for such delicate work, the attackers needed to study in detail the UEFI image of the computer they planned to attack. That is, we are talking, most likely, about a super-targeted attack. Perhaps the attackers already had access to the system, but the task was to ensure a “permanent infection” of the computer.

This is how the general scheme of the implant in the UEFI firmware looks like. MoonBounce is embedded in the CORE_DXE component of the firmware. The malware starts by intercepting functions in the EFI Boot Services table: AllocatePool, CreateEventEx, and ExitBootServices. This allows the execution of malicious shellcode added to the end of the CORE_DXE image. The shellcode, in turn, creates additional hooks in the subsequent components of the boot chain, namely the Windows bootloader. The driver injects itself into the Windows kernel address space and deploys yet another user-mode malware. This malicious code finally turns to the command and control server for instructions. An interesting feature of this chain is that it leaves no traces on the hard drive, but only runs in RAM.

The UEFI malware itself was found in a single copy. The Kaspersky Lab report also provides descriptions of other traditional malware found on the same corporate network as MoonBounce. The connection between them was established thanks to the analysis and comparison of network resources accessed by malicious programs, as shown in the header image. There is also a log of commands used by attackers in the process of reconnaissance: analysis of devices available on the network, connecting network drives and copying data from them. MoonBounce is an example of a bootkit whose renaissance was included by Kaspersky Lab experts in

list of predictions

for 2022. The existence of such complex attacks requires adequate means of protection and detection. In particular, it was possible to find MoonBounce thanks to the tool

Firmware Scanner

in the corporate product of Kaspersky Lab.

What else happened

OpenSubtitles service


about the theft of data after the hack, including information about six million registered users. Names, email addresses and passwords hashed in MD5 leaked.

Natalie Silvanovich of the Google Project Zero team published a detailed report on the zero-click vulnerability in the Zoom conferencing platform. For a theoretical attack, it was necessary to use the built-in messenger, and the result would be unauthorized access to the negotiations.

Another technical report tells about a bug in the Safari browser that can lead to data leakage. As of January 17, Apple, after traditionally ignoring reports of vulnerabilities for a long time, took up a solution to the problem.

Similar Posts

Leave a Reply Cancel reply