A previously unknown firmware implant used in a targeted espionage campaign to maintain stealthy persistence has been linked to the Chinese-speaking Winnti advanced persistent threat group (APT41).
The rootkit, codenamed MoonBounce by Kaspersky, was described as the "most advanced UEFI firmware implant discovered in the wild to date," with the implant's "purpose being to facilitate the deployment of user-mode malware that stages performance of further payloads downloaded from the internet."
Firmware-based rootkits, once uncommon in the threat landscape, are quickly becoming lucrative tools for sophisticated actors seeking to establish a long-term foothold in a way that is not only difficult to detect but also difficult to remove. MoonBounce is worrisome for a variety of reasons. Unlike FinFisher and ESPecter, which target the EFI System Partition (ESP), the newly discovered rootkit, along with LoJax and MosaicRegressor, targets the SPI flash, a non-volatile storage device external to the hard drive.
By embedding such persistent bootkit malware within the flash storage soldered to a computer's motherboard, the mechanism renders it impossible to remove via hard drive replacement and even resistant to re-installation of the operating system.
According to the Russian cybersecurity firm, the presence of the firmware rootkit was discovered in a single incident last year, indicating the highly targeted nature of the attack. However, the precise mechanism by which the UEFI firmware was infected is unknown.
The fact that an existing firmware component was tampered with to alter its behaviour — rather than adding a new driver to the image — adds to its stealthiness, with the goal of diverting the execution flow of the boot sequence to a malicious attack sequence that injects the user-mode malware during system startup, which then connects to a hardcoded remote server to retrieve the next-stage payload.
"The infection chain itself goes no traces on the hard drive, as its components operate in memory only, enabling a fileless attack with a small footprint," the researchers explained, adding that they discovered other non-UEFI implants in the targeted network communicating with the same infrastructure that hosted the staging payload.
Among the components deployed across multiple network nodes are a backdoor known as ScrambleCross (aka Crosswalk) and a number of post-exploitation malware implants such as Microcin and Mimikat ssp, indicating that the attackers moved laterally after gaining initial access in order to exfiltrate data from specific machines.
In an independent analysis, cybersecurity firm Binary discovered that the MoonBounce UEFI component was created in 2014 for target hardware related to an MSI system and that the malware could have been delivered to the compromised machine via physical access or software modifications caused by a lack of adequate SPI protections.
To counteract such firmware-level modifications, it is recommended that the UEFI firmware be updated on a regular basis, as well as that security features such as Boot Guard, Secure Boot, and Trust Platform Modules be enabled (TPM). "MoonBounce describes a certain change in this group of threats by offering a more detailed attack discharge in comparison to its ancestors, as well as a higher level of technical competence by its authors, who demonstrate a thorough understanding of the finer details involved in the UEFI boot process," the researchers wrote. If you have any questions and concerns about the above topic, please contact Airzero sec through the given Email.