Today Kaspersky announced that its researchers have uncovered
the third known case of a firmware bootkit in the wild. Dubbed MoonBounce,
this malicious implant is hidden within Unified Extensible Firmware Interface
(UEFI) firmware, an essential part of computers, in the SPI flash, a storage
component external to the hard drive. Such implants are notoriously difficult
to remove and are of limited visibility to security products. Having first
appeared in the wild in the spring of 2021, MoonBounce demonstrates a
sophisticated attack flow, with evident advancement in comparison to
formerly reported UEFI firmware bootkits. The researchers attributed the
campaign, with considerable confidence, to the well-known advanced
persistent threat (APT) actor APT41.
UEFI firmware is a
critical component in the vast majority of machines; its code is responsible
for booting up the device and passing control to the software that loads the
operating system. This code rests in what's called SPI flash, a non-volatile
storage external to the hard disk. If this firmware contains malicious code,
then this code will be launched before the operating system, making malware
implanted by a firmware bootkit especially difficult to delete. It can't be
removed simply by reformatting a hard drive or reinstalling an OS. What's more,
because the code is located outside of the hard drive, such bootkits' activity
goes virtually undetected by most security solutions unless they have a feature
that specifically scans this part of the device.
MoonBounce is only the third
reported UEFI bootkit found in the wild. It appeared in the spring of 2021 and
was first discovered by Kaspersky researchers when they were looking at the
activity of their Firmware Scanner, which has been included in Kaspersky products since the beginning of
2019 to specifically detect threats hiding in the ROM BIOS, including UEFI
firmware images. When compared to the two previously discovered bootkits,
LoJax and MosaicRegressor,
MoonBounce demonstrates significant
advancement with a more complicated attack flow and greater technical
sophistication.
The implant rests in
the CORE_DXE component of the firmware (the DXE core), which is invoked early in the
UEFI boot sequence. From there, a chain of hooks on boot-service and Windows loader
functions carries the implant's components into the operating system, where they
reach out to a command-and-control server to fetch further malicious payloads;
Kaspersky researchers were unable to obtain those payloads. The infection chain itself
leaves no traces on the hard drive, since its components operate in memory only,
making this a fileless attack with a small footprint.
While investigating
MoonBounce, Kaspersky researchers uncovered several malicious loaders and
post-exploitation tools across several nodes of the same network:
- ScrambleCross (also known as Sidewalk), an in-memory implant that communicates
with a C2 server to exchange information and execute additional plugins;
- Mimikat_ssp, a publicly available post-exploitation tool used to dump credentials
and security secrets;
- a previously unknown Golang-based backdoor;
- Microcin, malware typically used by the SixLittleMonkeys threat actor.
The exact infection vector remains unknown; it is assumed that the firmware was
written through remote access to the targeted machine rather than by physical access.
In addition, whereas LoJax and MosaicRegressor added new DXE drivers to the firmware,
MoonBounce modifies an existing firmware component, which is stealthier: no new file
appears in the firmware image, only a changed one.
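The two techniques described above (modifying CORE_DXE versus adding a DXE driver) are both visible when a dump of the SPI flash is compared against the vendor's known-good image at the level of individual firmware files. The following Python is an added example written for this page, not Kaspersky's code or the Firmware Scanner: it walks the firmware volumes and FFS files of an image, hashes each file body, and diffs the result against a reference image. The two images are constructed in the block (a minimal FFSv2 volume), the driver GUIDs are hypothetical, and the parser skips large-file headers and compressed sections; the DxeCore file GUID and the FFS layout constants are the standard EDK II values.

```python
import hashlib
import struct
import uuid

# Standard EDK II identifiers (not assumptions).
DXE_CORE_GUID = uuid.UUID("5AE3F37E-4EAE-41AE-8240-35465B5E81EB")  # DxeCore FFS file
FFS2_GUID = uuid.UUID("8C8CE578-8A3D-4F1C-9935-896185C32DD3")      # EFI_FIRMWARE_FILE_SYSTEM2_GUID
FV_SIGNATURE = b"_FVH"          # at offset 40 of EFI_FIRMWARE_VOLUME_HEADER
FFS_HEADER_LEN = 24             # EFI_FFS_FILE_HEADER (no LARGE_FILE extension handled here)
FFS_TYPE_DXE_CORE, FFS_TYPE_DRIVER, FFS_TYPE_PAD = 0x05, 0x07, 0xF0


def find_firmware_volumes(image: bytes):
    """Yield (start, fv_len, hdr_len) for each top-level firmware volume in the image."""
    pos = 0
    while (sig := image.find(FV_SIGNATURE, pos)) >= 0:
        start = sig - 40
        if start >= 0:
            fv_len, = struct.unpack_from("<Q", image, start + 32)   # FvLength
            hdr_len, = struct.unpack_from("<H", image, start + 48)  # HeaderLength
            if 0 < fv_len <= len(image) - start and 56 <= hdr_len <= fv_len:
                yield start, fv_len, hdr_len
                pos = start + fv_len     # skip nested volumes; outer file hash covers them
                continue
        pos = sig + 1


def iter_ffs_files(image: bytes, fv_start: int, fv_len: int, hdr_len: int):
    """Yield (guid, file_type, body) for each FFS file; files are 8-byte aligned in the FV."""
    pos, end = fv_start + hdr_len, fv_start + fv_len
    while pos + FFS_HEADER_LEN <= end:
        hdr = image[pos:pos + FFS_HEADER_LEN]
        if hdr == b"\xff" * FFS_HEADER_LEN:
            break                                   # erased flash: end of used space
        guid = uuid.UUID(bytes_le=hdr[:16])
        ftype = hdr[18]                             # Type follows the 2-byte IntegrityCheck
        size = int.from_bytes(hdr[20:23], "little") # 3-byte Size includes the header
        if size < FFS_HEADER_LEN or pos + size > end:
            break
        if ftype != FFS_TYPE_PAD:
            yield guid, ftype, image[pos + FFS_HEADER_LEN:pos + size]
        pos = fv_start + ((pos + size - fv_start + 7) & ~7)


def inventory(image: bytes) -> dict:
    """Map each FFS file GUID to (type, SHA-256 of body) across all volumes."""
    out = {}
    for fv_start, fv_len, hdr_len in find_firmware_volumes(image):
        for guid, ftype, body in iter_ffs_files(image, fv_start, fv_len, hdr_len):
            out[str(guid).upper()] = (ftype, hashlib.sha256(body).hexdigest())
    return out


def diff_images(reference: bytes, dumped: bytes) -> dict:
    """Diff an SPI dump against the vendor image of the same firmware version.

    A patched CORE_DXE (MoonBounce's technique) appears under 'modified';
    an injected DXE driver (the LoJax/MosaicRegressor technique) under 'added'.
    """
    ref, dmp = inventory(reference), inventory(dumped)
    return {
        "modified": sorted(g for g in ref if g in dmp and ref[g][1] != dmp[g][1]),
        "added": sorted(g for g in dmp if g not in ref),
        "removed": sorted(g for g in ref if g not in dmp),
    }


# --- constructed test images (not real firmware) ---------------------------------
def build_ffs_file(guid: uuid.UUID, ftype: int, body: bytes) -> bytes:
    size = FFS_HEADER_LEN + len(body)
    return guid.bytes_le + b"\x00\x00" + bytes([ftype, 0x00]) + size.to_bytes(3, "little") + b"\xF8" + body


def build_fv(files) -> bytes:
    """Minimal FFSv2 volume: fixed header, one block-map entry plus terminator, then files."""
    body = b""
    for f in files:
        body += f + b"\xff" * (-(len(f) + len(body)) % 8)
    hdr_len = 56 + 16
    fv_len = hdr_len + len(body)
    header = (b"\x00" * 16 + FFS2_GUID.bytes_le + struct.pack("<Q", fv_len) + FV_SIGNATURE
              + struct.pack("<IHHHBB", 0x0004FEFF, hdr_len, 0, 0, 0, 2)
              + struct.pack("<IIII", fv_len, 1, 0, 0))
    return header + body


DXE_CORE_BODY = b"DXE core image bytes (constructed)"
BENIGN_DRIVER_GUID = uuid.UUID("11111111-2222-3333-4444-555555555555")   # hypothetical
IMPLANT_GUID = uuid.UUID("66666666-7777-8888-9999-aaaaaaaaaaaa")         # hypothetical

VENDOR_IMAGE = build_fv([
    build_ffs_file(DXE_CORE_GUID, FFS_TYPE_DXE_CORE, DXE_CORE_BODY),
    build_ffs_file(BENIGN_DRIVER_GUID, FFS_TYPE_DRIVER, b"benign driver"),
])
# Simulated dump: CORE_DXE patched in place (hook inserted) and one driver added.
INFECTED_IMAGE = build_fv([
    build_ffs_file(DXE_CORE_GUID, FFS_TYPE_DXE_CORE, DXE_CORE_BODY.replace(b"core", b"hook")),
    build_ffs_file(BENIGN_DRIVER_GUID, FFS_TYPE_DRIVER, b"benign driver"),
    build_ffs_file(IMPLANT_GUID, FFS_TYPE_DRIVER, b"injected driver"),
])

if __name__ == "__main__":
    print(diff_images(VENDOR_IMAGE, INFECTED_IMAGE))
```

On a real system the `dumped` bytes come from the SPI flash (for example `chipsec_util spi dump rom.bin`, or an external programmer if the flash descriptor blocks software reads) and `reference` from the vendor's capsule for exactly the same firmware version; a version mismatch makes every file show as modified. Because the comparison is per file, a modified component is reported as a single changed GUID, which is precisely what a whole-image hash cannot tell you. For production use, UEFITool or uefi_firmware-parser handle the compressed sections and large-file headers this parser ignores.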
In the overall campaign against
the network in question, it was evident that the attackers carried out a wide
range of actions, such as archiving files and gathering network information.
Commands used by attackers throughout their activity suggest they were
interested in lateral movement and exfiltration of data, and, given that a UEFI
implant was used, it is likely the attackers were interested in conducting
ongoing espionage activity.
Kaspersky has attributed
MoonBounce with considerable confidence to APT41, which
has been widely reported to be a Chinese-speaking threat actor that's conducted cyberespionage and cybercrime campaigns
around the world since at least 2012. In addition, the existence of some of the
aforementioned malware in the same network suggests a possible connection
between APT41 and other Chinese-speaking threat actors.
So far, the firmware bootkit has
only been found in a single case. However, other affiliated malicious samples
(e.g. ScrambleCross and its loaders) have been found on the networks of several
other victims.
"While we can't definitively connect
the additional malware implants found during our research to MoonBounce
specifically, it does appear as if some Chinese-speaking threat actors are
sharing tools with one another to aid in their various campaigns; there
especially seems to be a low confidence connection between MoonBounce and
Microcin," said Denis Legezo, senior security researcher with GReAT.
"Perhaps more
importantly, this latest UEFI bootkit shows some notable advancements when
compared to MosaicRegressor, which we reported on back in 2020," said Mark
Lechtik, senior security researcher with the Global Research and Analysis Team
(GReAT) at Kaspersky. "In fact, transforming a previously benign core component
in firmware to one that can facilitate malware deployment on the system is an
innovation that was not seen in previous comparable firmware bootkits in the
wild and makes the threat far stealthier. We predicted back in 2018 that UEFI
threats would gain in popularity, and this trend does appear to be
materializing. We would not be surprised to find additional bootkits in 2022.
Fortunately, vendors have begun paying more attention to firmware attacks, and
more firmware security technologies, such as BootGuard and Trusted Platform
Modules, are gradually being adopted."
For a more detailed analysis of MoonBounce, read the full report on Securelist.
In order to stay protected from UEFI bootkits like
MoonBounce, Kaspersky recommends:
- Provide your SOC team with access
to the latest threat intelligence (TI). The Kaspersky Threat Intelligence
Portal is a
single point of access for the company's TI, providing cyberattack data
and insights gathered by Kaspersky over more than 20 years.
- For endpoint level detection, investigation and timely
remediation of incidents, implement EDR solutions, such as Kaspersky
Endpoint Detection and Response.
- Use an endpoint security product that can scan the UEFI firmware image
itself for threats, such as Kaspersky Endpoint Security for Business.
- Regularly update your UEFI firmware and only use
firmware from trusted vendors.
- Enable UEFI Secure Boot and, where the platform supports them, Intel Boot Guard
(which verifies the initial firmware code before it runs) and a TPM (which records
boot measurements so a modified firmware can be detected).