A new piece of malware has appeared that is more dangerous than what came before. Known as MoonBounce, security analysts have called it the most advanced UEFI implant found to date. A recent report attributes it to the Chinese-speaking APT41 group, also known as Winnti (the researchers rate that attribution as low-to-medium confidence).
To understand the kind of problem this malware creates, it helps to first understand what UEFI does. Short for Unified Extensible Firmware Interface, UEFI is a specification that defines how a computer's firmware and its operating system interface; the firmware that implements it runs before the OS and hands control to the boot loader.
This malware is planted in the UEFI firmware itself, which puts it out of reach of antivirus and any other security tool that runs at the OS level. MoonBounce is not the first malware to do this, but it is certainly one of the most capable seen so far.
To get it to work, the implant hijacks the boot sequence itself and initializes before any OS security component comes up. Unlike malware that can be found and erased with a quick scan of the file system, this class hides in storage that ordinary tooling neither inspects nor can easily erase, which makes it extremely persistent.
MoonBounce lives in the SPI flash memory on the motherboard, so even if the hard disk is replaced or the operating system reinstalled, the implant remains in the system. The only reliable check is to read the contents of the flash chip (for example with chipsec or flashrom) and compare them against the vendor's firmware image; remediation means reflashing clean firmware, not cleaning the disk.
Because it lives in firmware, the implant starts before anything else and is injected at the very beginning of the boot process. By the time the computer is running, MoonBounce has already nestled itself in and is operating in the background. The researchers investigating it could still not determine how the UEFI firmware was infected in the first place (they assume it was done remotely rather than through physical access), which makes it especially dangerous.
MoonBounce has been used against very specific targets, and the rootkit itself was discovered in only a single instance. Related samples were found on other machines in the same network, but those machines carried no UEFI implant.
This UEFI firmware-level compromise came to light at the end of 2021, so information about it is still limited. It was detected by Kaspersky's firmware scanner, which has been integrated into Kaspersky products since 2019. The attackers modified only a single firmware component, CORE_DXE, and that one change was enough to take over the original execution flow and start a chain of infection.
Here is what is known about how the malware works. The entry point is a set of hooks that intercept execution at the very beginning of boot: the implant patches entries in the EFI Boot Services Table, AllocatePool among them (CreateEventEx and ExitBootServices are the others), so that calls to those functions are diverted to shellcode the attackers appended to the firmware component. That shellcode plants the next hook, and the chain passes control from hook to hook through the Windows boot loader and into the kernel's memory address space during startup. The final link is a driver loaded in memory which, once the operating system is running, injects the actual payload into a svchost.exe process.
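The hook chain just described, reduced to a runnable model. This is an added example written for this page, not MoonBounce's code and not anything from the Kaspersky report: it mocks the Boot Services Table as a two-entry C struct (the real table and the real implant are far larger; `BootServices`, `gBS`, the stage log and every function name here are assumptions made for the demo). It shows that the whole "infection" is a single pointer swap, that the first hook installs the next one, and how a check that compares table entries against the firmware's own implementations catches both stages.

```c
#include <stdio.h>
#include <stdlib.h>
#include <stddef.h>

/* Stand-in for the UEFI EFI_BOOT_SERVICES table: a struct of function
 * pointers that the OS loader calls. The real table has dozens of
 * entries; two are enough to show a hook chain. (Assumed layout.) */
typedef struct {
    void *(*AllocatePool)(size_t size);
    int   (*ExitBootServices)(void);
} BootServices;

/* The firmware's legitimate implementations (mocked). */
static void *real_AllocatePool(size_t size) { return malloc(size); }
static int   real_ExitBootServices(void)    { return 0; }

static BootServices gBS;          /* global table, named after EDK2's gBS */

/* Implant state: saved originals plus a log of which stage fired. */
static void *(*orig_AllocatePool)(size_t);
static int   (*orig_ExitBootServices)(void);
static int stage_log[8];
static int stage_count;

/* Stage 2: present only because stage 1 installed it. ExitBootServices is
 * the last boot-services call before the loader jumps to the kernel, so
 * this is the point where a real implant would patch the kernel image. */
static int hooked_ExitBootServices(void) {
    if (stage_count < 8) stage_log[stage_count++] = 2;
    return orig_ExitBootServices();
}

/* Stage 1: the loader's first AllocatePool call runs the implant's code;
 * it serves the request normally and plants the next hook in the chain. */
static void *hooked_AllocatePool(size_t size) {
    if (stage_count < 8) stage_log[stage_count++] = 1;
    if (gBS.ExitBootServices != hooked_ExitBootServices) {
        orig_ExitBootServices = gBS.ExitBootServices;
        gBS.ExitBootServices  = hooked_ExitBootServices;
    }
    return orig_AllocatePool(size);
}

/* Fresh, unmodified table. */
void init_boot_services(void) {
    gBS.AllocatePool     = real_AllocatePool;
    gBS.ExitBootServices = real_ExitBootServices;
    stage_count = 0;
}

/* The entire "infection" is one pointer swap in the table. */
void install_implant(void) {
    orig_AllocatePool = gBS.AllocatePool;
    gBS.AllocatePool  = hooked_AllocatePool;
}

/* Simulated OS loader: allocates memory, then exits boot services. */
int simulate_boot(void) {
    void *p = gBS.AllocatePool(64);
    free(p);
    return gBS.ExitBootServices();
}

/* Check: every entry must point at the firmware's own implementation.
 * A real firmware scanner instead compares the DXE image read from flash
 * against the vendor image, because live pointers cannot be trusted. */
int count_hooked_entries(void) {
    int n = 0;
    if (gBS.AllocatePool     != real_AllocatePool)     n++;
    if (gBS.ExitBootServices != real_ExitBootServices) n++;
    return n;
}

int stages_fired(void) { return stage_count; }
int stage_at(int i)    { return (i >= 0 && i < stage_count) ? stage_log[i] : -1; }

int main(void) {
    init_boot_services();
    printf("clean table:   hooked entries = %d\n", count_hooked_entries());
    install_implant();
    printf("after implant: hooked entries = %d\n", count_hooked_entries());
    simulate_boot();
    printf("after boot:    hooked entries = %d, stages fired = %d\n",
           count_hooked_entries(), stages_fired());
    return 0;
}
```

Note that before boot only one entry is hooked; the second hook appears only once the loader has called AllocatePool. That is why a check run at the wrong moment, or one that trusts the running firmware to report on itself, can miss a chained implant, and why inspecting the flash contents offline is the stronger check.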
However, despite all this detail, what is actually understood about the malware is still limited. That this much could be recovered from a single firmware implant is already unusual, and researchers continue to work on understanding and countering it.