This virus attacks the brain of your computer


Discovered by Kaspersky, MoonBounce does not live on the hard disk but in the motherboard's own firmware memory (the SPI flash that holds the UEFI), so it re-infects the computer every time it starts. Attributed by Kaspersky to the Chinese-speaking APT41 group, it is used to reach into the infected machine and its network and steal the contents of their directories.

If the processor is the heart of your computer, the motherboard is its brain. It is what connects all the components together, and today its firmware can be updated thanks to UEFI (Unified Extensible Firmware Interface), a far more capable firmware than the old BIOS (Basic Input Output System). This means an update can be applied without going through the operating system, to add features to the motherboard or to apply patches. But, like any program that can be updated, this is also a door left open to attackers...

For the second time in 18 months, the well-known security vendor Kaspersky reports that attackers have managed to plant malicious code in this firmware, and it was its Firmware Scanner tool that found it. Concretely, the attackers modified the UEFI firmware image itself and embedded malicious code in it (in MoonBounce's case, inside the CORE_DXE component, on which every later stage of the boot depends). Experts speak of an "implant" or a "rootkit", and the most dangerous aspect is that it runs before the operating system, since it is lodged in the UEFI boot sequence.

An "implant" that survives wiping the disk

This means it is permanently active: formatting the hard disk is not enough to get rid of it, and an antivirus cannot clean it. Named MoonBounce, this "implant" lets the attackers then install further malware, such as a Trojan horse, taking advantage of the Internet connection. Everything happens in the background, without the user being able to notice, and it leaves no trace on the hard disk since the malware runs only in RAM. Only rewriting the motherboard's firmware with a clean image actually removes it.

In its analysis, Kaspersky was able to decode a routine executed by the malware. It first lists all the drives on the computer, then retrieves the contents of a specified directory and downloads a file from the attackers' server. It can then write text into a given *.bat file and run it, and execute a shell command.

Malware from China

It is by analysing the other software found on the infected machine that Kaspersky believes it has identified those responsible. It recognised the "signature" of APT41, a Chinese hacking group notorious since 2014 for its sophisticated and formidable attacks. The implant was found alongside malware usually used by this group, and the objective is to take control of the computer in order to extract private data. Kaspersky presents this attribution as an assessment rather than a certainty.

Although Kaspersky could not identify how the firmware was infected (a USB key? a tampered firmware update?), the vendor recalls that it is essential to install the security updates published by motherboard manufacturers. Like any software, a regularly updated UEFI is better protected against these very sophisticated attacks. Enabling Secure Boot and, where the hardware supports it, Intel Boot Guard also raises the bar, since they let the platform verify boot components before they run.
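Because the firmware's variable store changes on every boot, hashing a whole SPI flash dump against a reference is useless; the comparison has to be made module by module. The script below is an added example, not code from the article or from Kaspersky: it walks the firmware volumes in two dumps (located by the `_FVH` signature), parses the FFS2 file headers inside them, hashes each module body and reports modules that were added, removed or modified relative to a known-good dump of the same board. The sample images are constructed inline for the demonstration; the DXE core GUID is the EDK2 DxeMain file GUID, the second GUID is made up, and FFS3 large files (32-byte headers) are not handled.

```python
"""Per-module comparison of two UEFI flash dumps (added example, not code from the article).

Walks every firmware volume (signature '_FVH') in an image, parses the FFS2
file headers inside it, hashes each file body and reports files that were
added, removed or modified relative to a known-good dump of the same board.
The sample images at the bottom are constructed here for the demonstration.
"""
import hashlib
import struct
import uuid

FV_SIGNATURE = b"_FVH"          # EFI_FIRMWARE_VOLUME_HEADER.Signature, at offset 40
FV_FIXED_HEADER = 56            # header bytes before the block map
FFS_HEADER_LEN = 24             # EFI_FFS_FILE_HEADER (FFS2; FFS3 large files not handled)
FFS_PAD = 0xF0                  # EFI_FV_FILETYPE_FFS_PAD
FFS2_GUID = uuid.UUID("8c8ce578-8a3d-4f1c-9935-896185c32dd3")  # EFI_FIRMWARE_FILE_SYSTEM2_GUID


def find_volumes(image: bytes):
    """Yield (start, length, header_len) for each plausible firmware volume."""
    pos = 0
    while True:
        sig = image.find(FV_SIGNATURE, pos)
        if sig < 0:
            return
        start = sig - 40
        if start >= 0:
            fv_length = struct.unpack_from("<Q", image, start + 32)[0]
            header_len = struct.unpack_from("<H", image, start + 48)[0]
            if FV_FIXED_HEADER <= header_len <= fv_length <= len(image) - start:
                yield start, fv_length, header_len
                pos = start + fv_length   # volumes do not overlap: skip past this one
                continue
        pos = sig + 4                     # false hit, keep scanning


def parse_files(image: bytes, start: int, length: int, header_len: int):
    """Yield (guid, file_type, body) for every non-padding FFS file in one volume."""
    pos, end = start + header_len, start + length
    while pos + FFS_HEADER_LEN <= end:
        hdr = image[pos:pos + FFS_HEADER_LEN]
        if hdr == b"\xff" * FFS_HEADER_LEN:   # erased flash: no more files
            break
        guid = str(uuid.UUID(bytes_le=hdr[:16]))
        file_type = hdr[18]
        size = int.from_bytes(hdr[20:23], "little")   # 24-bit size, header included
        if size < FFS_HEADER_LEN or pos + size > end:
            raise ValueError(f"corrupt FFS file header at {pos:#x}")
        if file_type != FFS_PAD:
            yield guid, file_type, image[pos + FFS_HEADER_LEN:pos + size]
        pos = (pos + size + 7) & ~7           # files are 8-byte aligned in the volume


def inventory(image: bytes) -> dict:
    """Map 'volume_index/guid' -> (file_type, sha256 of body) for the whole image."""
    modules = {}
    for idx, (start, length, header_len) in enumerate(find_volumes(image)):
        for guid, file_type, body in parse_files(image, start, length, header_len):
            modules[f"{idx}/{guid}"] = (file_type, hashlib.sha256(body).hexdigest())
    return modules


def diff_firmware(baseline: bytes, suspect: bytes) -> dict:
    """Return {key: 'modified' | 'added' | 'missing'} for modules that differ."""
    base, cur = inventory(baseline), inventory(suspect)
    findings = {}
    for key in base.keys() | cur.keys():
        if key not in cur:
            findings[key] = "missing"
        elif key not in base:
            findings[key] = "added"
        elif base[key] != cur[key]:
            findings[key] = "modified"
    return findings


def build_volume(files) -> bytes:
    """Build a minimal FFS2 volume from (guid, type, body) tuples. Constructed test data only."""
    body = b""
    for guid, file_type, data in files:
        size = FFS_HEADER_LEN + len(data)
        header = (uuid.UUID(guid).bytes_le + b"\x00\x00" + bytes([file_type, 0])
                  + size.to_bytes(3, "little") + b"\xf8")     # checksum fields left zero
        body += header + data
        body += b"\xff" * (-len(body) % 8)
    header_len = FV_FIXED_HEADER + 16                        # one block-map entry + terminator
    fv_length = header_len + len(body)
    header = (b"\x00" * 16 + FFS2_GUID.bytes_le + struct.pack("<Q", fv_length) + FV_SIGNATURE
              + struct.pack("<IHHHBB", 0, header_len, 0, 0, 0, 2)   # attrs, hdr len, csum, ext, rsvd, rev
              + struct.pack("<IIII", 1, fv_length, 0, 0))           # block map + terminator
    return header + body


# Constructed sample dumps: a clean image and one whose DXE core was altered.
DXE_CORE_GUID = "d6a2cb7f-6a18-4e2f-b43b-9920a733700a"       # EDK2 DxeMain (CORE_DXE) file GUID
OTHER_DRIVER_GUID = "0a0b0c0d-1111-2222-3333-444455556666"   # made-up GUID for a second module
GOOD_DUMP = b"\xff" * 64 + build_volume([
    (DXE_CORE_GUID, 0x05, b"DXE core: original boot services table"),
    (OTHER_DRIVER_GUID, 0x07, b"unchanged driver body"),
])
TAMPERED_DUMP = b"\xff" * 64 + build_volume([
    (DXE_CORE_GUID, 0x05, b"DXE core: hooked AllocatePool/ExitBootServices"),
    (OTHER_DRIVER_GUID, 0x07, b"unchanged driver body"),
])

if __name__ == "__main__":
    for key, verdict in sorted(diff_firmware(GOOD_DUMP, TAMPERED_DUMP).items()):
        print(f"{verdict:9s} {key}")
```

In practice the two inputs are real dumps, for instance taken with `flashrom -r` or `chipsec_util spi dump`, one from a board known to be clean and one from the suspect machine, and `diff_firmware` is run on their bytes. A tampered CORE_DXE shows up as `modified` on the DxeMain GUID while the unchanged modules stay silent; the NVRAM region is ignored by construction, since it is not an FFS file.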