New firmware bootkit escapes most security solutions

By Staff Writer, ITWeb
Johannesburg, 26 Jan 2022

Researchers from Kaspersky have discovered another instance of a firmware bootkit in the wild. Known as MoonBounce, this malicious implant is hidden within a PC’s motherboard firmware, the Unified Extensible Firmware Interface (UEFI).

UEFI firmware is a critical component in the vast majority of machines; its code is responsible for booting up the device and passing control to the software that loads the operating system.

This code resides in what’s called SPI flash, non-volatile storage external to the hard disk that has become widespread in the embedded industry and is used for storage and data transfers in portable devices.

Hard to remove

Implants of this nature are famously hard to remove and are of limited visibility to security products. Having first appeared in the wild in the northern hemisphere spring last year, MoonBounce has shown a sophisticated attack flow, with clear advancement in comparison to other UEFI firmware bootkits that have been found.

Kaspersky says the campaign has been attributed with confidence to the well-known advanced persistent threat (APT) actor APT41.

If this firmware contains the malware, then the code will be launched before the operating system, making the threat particularly tricky to delete, as it cannot be removed by reformatting a hard drive or reinstalling an OS alone.

The implant resides in the CORE_DXE component of the firmware, which is called upon early during the UEFI boot sequence. Then, through a series of hooks that intercept certain functions, the implant’s components make their way into the operating system, where they reach out to a command-and-control (C2) server in order to retrieve further malicious payloads, which the researchers were unable to retrieve.

Leaving no traces

Kaspersky says the infection chain itself does not leave any traces on the hard drive as its components operate in memory only, thus facilitating a fileless attack with a small footprint.

Furthermore, because the code is located outside of the hard drive, its activity remains virtually undetected by most security solutions unless they have a feature that specifically scans this part of the device.

MoonBounce is only the third reported UEFI bootkit found in the wild, and was discovered by Kaspersky researchers when looking at the activity of their firmware scanner, which detects threats hiding in the ROM BIOS, including UEFI firmware images.

More complicated, sophisticated

When compared to the two previously discovered bootkits, LoJax and MosaicRegressor, MoonBounce demonstrates significant advancement with a more complicated attack flow and greater technical sophistication.

While investigating this bootkit, the researchers found several malicious loaders and post-exploitation malware across several nodes of the same network.

These included ScrambleCross (also known as Sidewalk), an in-memory implant that can communicate with a C2 server to exchange information and execute additional plugins; Mimikat_ssp, a publicly available post-exploitation tool used to dump credentials and security secrets; a previously unknown Golang-based backdoor; and Microcin, malware that is typically used by the SixLittleMonkeys threat actor.

Gaining a foothold

The security giant speculates that it’s possible that MoonBounce downloads these pieces of malware, or that a previous infection by one of these pieces of malware serves as a way of compromising the machine so that it can gain a foothold in the network.

Another possible infection method for the bootkit would be if the machine was compromised before it was supplied to the target company. In either case, it is assessed that the infection occurs through remote access to the targeted machine. In addition, while the first two bootkits utilised additions of DXE drivers, MoonBounce modifies an existing firmware component for a more subtle and stealthier attack.

In the overall campaign against the network in question, it was evident that the threat actors committed a wide range of actions, such as archiving files and gathering network information. Commands used by attackers throughout their activity suggest they were interested in lateral movement and exfiltration of data, and, given that a UEFI implant was used, it is likely the attackers were interested in conducting ongoing espionage activity.

So far, the firmware bootkit has only been found on a single machine for a holding company in the high-tech market; however, other affiliated malicious samples have been found.

Denis Legezo, a senior security researcher with Kaspersky’s Global Research and Analysis Team (GReAT), says that while Kaspersky cannot, with absolute certainty, connect the additional malware implants found during the investigation with MoonBounce specifically, it does appear as if Chinese-speaking threat actors are sharing tools with one another to aid their various campaigns.

A growing trend

More importantly, he says this latest UEFI bootkit shows some notable advancements when compared to MosaicRegressor, which the company reported on back in 2020.

“In fact, transforming a previously benign core component in firmware to one that can facilitate malware deployment on the system is an innovation that was not seen in previous comparable firmware bootkits in the wild and makes the threat far stealthier,” he adds.

Kaspersky predicted back in 2018 that UEFI threats would gain in popularity, and this trend appears to be materialising.

“We would not be surprised to find additional bootkits in 2022. Fortunately, vendors have begun paying more attention to firmware attacks, and more firmware security technologies,” adds Mark Lechtik, senior security researcher with GReAT.
