More elusive and persistent - Kaspersky researchers uncover the third known firmware bootkit
Kaspersky's researchers have uncovered the third case of a firmware bootkit in the wild.
The bootkit, dubbed MoonBounce, is a malicious implant hidden within a computer's Unified Extensible Firmware Interface (UEFI) firmware, an essential part of the computer.
Kaspersky says these implants are notoriously difficult to remove and have limited visibility to security products. Having first appeared in the wild in the spring of 2021, MoonBounce demonstrates a sophisticated attack flow, with evident advancement compared to formerly reported UEFI firmware bootkits. Kaspersky's researchers have attributed the attack with considerable confidence to the well-known advanced persistent threat (APT) actor APT41.
The UEFI firmware is a critical component in most modern machines; its code is responsible for booting up the device and passing control to the software that loads the operating system. This code rests in SPI flash, non-volatile storage external to the hard disk. If this firmware contains malicious code, then the code will be launched before the operating system, making malware implanted by a firmware bootkit especially difficult to delete. It cannot be removed simply by reformatting a hard drive or reinstalling an OS. Moreover, because the code is located outside the hard drive, such bootkits activity goes virtually undetected by most security solutions unless they have a feature that specifically scans this part of the device.
MoonBounce is only the third reported UEFI bootkit found in the wild. It appeared in the spring of 2021 and was first discovered by Kaspersky researchers when looking at the activity of their Firmware Scanner, which has been included in Kaspersky products since the beginning of 2019 to specifically detect threats hiding in the ROM BIOS, including UEFI firmware images. Compared to the two previously discovered bootkits, LoJax and MosaicRegressor, MoonBounce demonstrates significant advancement with a more complicated attack flow and greater technical sophistication.
While analysing MoonBounce, Kaspersky researchers uncovered several malicious loaders and post-exploitation malware across several nodes of the same network. This includes ScrambleCross or Sidewalk, an in-memory implant that can communicate to a C2 server to exchange information and execute additional plugins, Mimikat_ssp, a publicly available post-exploitation tool used to dump credentials and security secrets, a formerly unknown Golang based backdoor, and Microcin, malware that the SixLittleMonkeys threat actor typically uses.
"In the overall campaign against the network in question, it was evident that the attackers carried out a wide range of actions, such as archiving files and gathering network information," says Mark Lechtik, senior security researcher with the Global Research and Analysis Team (GReAT) at Kaspersky.
"Commands used by attackers throughout their activity suggest they were interested in lateral movement and exfiltration of data, and, given that a UEFI implant was used, it's likely the attackers were interested in conducting ongoing espionage activity."
Kaspersky's researchers have attributed MoonBounce with considerable confidence to APT41, which has been widely reported to be a Chinese-speaking threat actor that's conducted cyber espionage and cybercrime campaigns around the world since at least 2012. The existence of some malware in the same network suggests a possible connection between APT41 and other Chinese-speaking threat actors.
So far, the firmware bootkit has only been found in a single case. However, other affiliated malicious samples (e.g. ScrambleCross and its loaders) have been found on the networks of several other victims.
"While we can't definitely connect the additional malware implants found during our research to MoonBounce specifically, it does appear as if some Chinese-speaking threat actors are sharing tools with one other to aid in their various campaigns," says GReAT senior security researcher, Denis Legezo.
"There especially seems to be a low confidence connection between MoonBounce and Microcin. Perhaps more importantly, this latest UEFI bootkit shows the same notable advancements when compared to MosaicRegressor, which we reported on back in 2020."
To stay protected from UEFI bootkits like MoonBounce, Kaspersky recommends:
- Provide your SOC team access to the latest threat intelligence (TI).
- For endpoint level detection, investigation and timely remediation of incidents, implement EDR solutions.
- Use a robust endpoint security product that can detect the use of firmware.
- Regularly update your UEFI firmware and only use firmware from trusted vendors.
- Enable Secure Boot by default, notably BootGuard and TPMs where applicable.