Moonbounce, the dangerous malware that hides in the flash memory of motherboards


Kaspersky’s researchers have detected, for the second time, a particularly stealthy UEFI rootkit: it hides in the SPI flash chip of a PC motherboard. This lets the malicious code persist on the targeted machine even if the operating system is reinstalled or the hard disk is replaced. The same approach had already been seen in MosaicRegressor, a rootkit Kaspersky discovered in October 2020, and before that in LoJax, a rootkit revealed by Eset researchers in 2018.


In those two earlier cases, the malicious code was inserted into the SPI chip’s firmware as a separate driver. In this new specimen, which Kaspersky has named MoonBounce, it is integrated into an existing firmware module (CORE_DXE), which is more subtle and harder to detect.
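The distinction above matters for detection: a firmware integrity check that only looks for modules that were added to or removed from the image would flag a LoJax-style injected driver but miss a modification inside an existing module such as CORE_DXE. The following is an added example, not code from the article or from Kaspersky, showing a per-module hash baseline that catches both cases. It models a firmware dump as a mapping of module name to module bytes (in practice these would be extracted from an SPI flash dump with a UEFI firmware parser); the module names and byte contents are constructed for illustration.

```python
"""Baseline-based integrity check for UEFI firmware modules.

Added example, not the article's or Kaspersky's code. A firmware image is
modelled as a dict of module name -> module bytes; the names and contents
below are constructed and stand in for modules extracted from a real dump.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass


@dataclass
class Finding:
    module: str
    kind: str          # "added", "removed" or "modified"
    expected: str = ""  # baseline SHA-256 (for "modified")
    actual: str = ""    # observed SHA-256 (for "modified")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_baseline(modules: dict[str, bytes]) -> dict[str, str]:
    """Record one SHA-256 per module from a known-good firmware image."""
    return {name: sha256_hex(body) for name, body in modules.items()}


def names_only_check(baseline: dict[str, str], dump: dict[str, bytes]) -> list[Finding]:
    """Weak check: reports only modules that appeared or disappeared.

    This catches a separately injected driver but is blind to code that was
    spliced into a module that is expected to be present.
    """
    findings: list[Finding] = []
    for name in sorted(dump.keys() - baseline.keys()):
        findings.append(Finding(name, "added"))
    for name in sorted(baseline.keys() - dump.keys()):
        findings.append(Finding(name, "removed"))
    return findings


def hash_check(baseline: dict[str, str], dump: dict[str, bytes]) -> list[Finding]:
    """Strong check: compares every shared module's hash against the baseline."""
    findings = names_only_check(baseline, dump)
    for name in sorted(baseline.keys() & dump.keys()):
        actual = sha256_hex(dump[name])
        if actual != baseline[name]:
            findings.append(Finding(name, "modified", baseline[name], actual))
    return findings


# Constructed known-good image (module names chosen to look like a UEFI image).
GOLDEN: dict[str, bytes] = {
    "SecCore": b"\x7fSEC" + b"\x00" * 32,
    "PeiCore": b"\x7fPEI" + b"\x11" * 48,
    "CORE_DXE": b"\x7fDXE" + b"\x22" * 64,
    "PchInitDxe": b"\x7fPCH" + b"\x33" * 40,
}
BASELINE = build_baseline(GOLDEN)

# Constructed "modified" dump: identical module set, but CORE_DXE's body
# differs. No module was added, so a names-only check sees nothing.
MODIFIED: dict[str, bytes] = dict(GOLDEN)
MODIFIED["CORE_DXE"] = GOLDEN["CORE_DXE"] + b"\xaa" * 16  # constructed change

if __name__ == "__main__":
    print("names-only check:", names_only_check(BASELINE, MODIFIED))
    for f in hash_check(BASELINE, MODIFIED):
        print(f"hash check: {f.kind} {f.module} expected={f.expected[:12]}... actual={f.actual[:12]}...")
```

The baseline should come from a dump taken when the machine was known to be clean, or from the vendor’s signed firmware image, and be stored off the machine, since a rootkit with write access to flash could also tamper with a baseline kept locally.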

The purpose, however, remains the same: hijack the boot procedure in order to infect the operating system. In the case of MoonBounce, this results in a malicious driver being created in the memory space of the Windows kernel, which allows the attackers to inject malware into the legitimate svchost.exe process. That malware then connects to command and control (C&C) servers to download and install further malware. The system ends up completely under the attackers’ control, and their objective was clearly to find and exfiltrate sensitive data.

Based on a number of technical clues (the type of malware deployed during the infection chain, and the use of a specific certificate for C&C communications), Kaspersky’s researchers believe that MoonBounce is operated by APT41, alias Winnti, a Chinese hacking group well known for its attacks on software supply chains (CCleaner, Asus). This attribution is made with “a medium to high level of confidence”, says Kaspersky.

How the rootkit got into the SPI chip, however, remains a mystery. The researchers assume that the infection took place remotely.

Source: Kaspersky
