Researchers discover a dangerous malware that can survive OS reinstalls

Researchers from antivirus provider Kaspersky recently discovered a dangerous malware that is hidden deep within the Unified Extensible Firmware Interface (UEFI) firmware of a computer at a customer location.

The malicious implant called “MoonBounce” is hidden in the UEFI firmware within the SPI flash storage on the infected computer’s motherboard, instead of on the hard disk like other UEFI bootkits.

This means the implant persists on the system even if the hard disk has been replaced or reformatted, says Kaspersky. In other words, the malware can survive OS reinstalls.


‘MoonBounce’, a dangerous firmware-level malware

Firmware-based rootkits are gaining in popularity because they give threat actors a persistent, hard-to-detect, hard-to-remove foothold on a target network.

Kaspersky discovered the Windows-based malware last year running on a single computer. It remains unclear how the malicious code was able to infect the system.

The malware was designed to operate from the computer’s UEFI firmware, the low-level code that boots up the system.

Malware is embedded in the computer’s UEFI firmware

The implant was designed to allow the deployment of additional malware on the victim’s system. Other pieces of evidence on the same system point to MoonBounce being used as part of a wider cyber-espionage campaign.

Researchers from Kaspersky were also able to attribute the implant, with a high level of confidence, to APT41, a known Chinese-speaking advanced persistent threat (APT) group.

After discovering the threat late last year, Kaspersky immediately and privately reported it to the customers of its APT service.

According to Mark Lechtik, a senior researcher with Kaspersky’s global research and analysis team (GReAT), “we have chosen to reveal this publicly not long after as we believe there is value in this knowledge being shared with the community.”

The aim is to allow defenders “both to understand how UEFI firmware attacks have evolved and [to] allow blue teamers to better defend against this type of threat.”

Is the threat being addressed?

The threat of firmware-level attacks has increased alarmingly: in a 2021 survey, 83% of organizations said they had been hit with one.

These organizations have pushed chipmakers, hardware, and OS vendors to introduce updates in order to strengthen their technologies against this threat.

There are mechanisms like Secure Boot, designed to make sure a computer boots using only trusted boot software, and other protections that defend against attackers making unauthorized modifications to boot-level software.

An example is the Trusted Platform Module (TPM), which has been used for more than 10 years to verify system integrity during boot-up.

Unfortunately, according to Lechtik, software like Secure Boot would be useless against the malware.

“Classic Secure Boot doesn’t take firmware-level components into account when authenticating components in the boot sequence. MoonBounce itself does not do anything to bypass this mechanism. It simply doesn’t introduce any changes to the images inspected by Secure Boot, but rather patches the reflection of these images in memory after they are loaded,” he added.

But, software like Boot Guard and TPM have successfully countered MoonBounce’s firmware-level modifications, says Lechtik.
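The two quotes above make a precise distinction: Secure Boot verifies the boot images it loads, so an implant that leaves those images untouched and patches them only in memory passes the check, while a TPM-measured boot hashes the firmware itself into a PCR, so any modification of the SPI-flash image changes the measurement. The simulation below is an added example written for this article, not code from Kaspersky or from the malware; it models Secure Boot as a hash allowlist (real Secure Boot also accepts signed images) and models the TPM PCR extend operation on constructed placeholder byte strings standing in for firmware and boot loader images.

```python
import hashlib

# Constructed placeholders for the stages of a boot chain. These are NOT real
# firmware images; they only stand in for "bytes stored in SPI flash" and
# "bytes of the OS boot loader on disk".
CLEAN_FIRMWARE = b"UEFI firmware volume v1.0 (constructed sample)"
CLEAN_DXE_DRIVER = b"CORE DXE driver (constructed sample)"
OS_BOOTLOADER = b"OS boot loader image (constructed sample)"


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM-style extend: new PCR value = SHA256(old PCR || measurement).
    Extending is one-way, so a component cannot be 'un-measured' later."""
    return hashlib.sha256(pcr + measurement).digest()


def measured_boot(components) -> bytes:
    """Measure every boot stage, including the firmware itself, into one PCR.
    The PCR starts at all zeros at power-on."""
    pcr = bytes(32)
    for image in components:
        pcr = pcr_extend(pcr, sha256(image))
    return pcr


def secure_boot_check(image: bytes, allowed_hashes) -> bool:
    """Simplified Secure Boot: the loaded image's hash must be in the 'db'
    allowlist. Note what is NOT checked: the firmware doing the checking."""
    return sha256(image) in allowed_hashes


def modified_firmware(firmware: bytes) -> bytes:
    """Model a firmware-level modification: extra bytes appended to the SPI
    flash image, while the OS boot loader on disk is left untouched."""
    return firmware + b"<hypothetical firmware modification>"


# Golden values recorded from a known-clean boot of this (simulated) machine.
GOLDEN_PCR = measured_boot([CLEAN_FIRMWARE, CLEAN_DXE_DRIVER, OS_BOOTLOADER])
SECURE_BOOT_DB = {sha256(OS_BOOTLOADER)}


def evaluate(firmware: bytes, dxe_driver: bytes, bootloader: bytes) -> dict:
    """Run both checks the article discusses and report what each one sees."""
    return {
        "secure_boot_passes": secure_boot_check(bootloader, SECURE_BOOT_DB),
        "pcr_matches_golden": measured_boot([firmware, dxe_driver, bootloader]) == GOLDEN_PCR,
    }


if __name__ == "__main__":
    print("clean   :", evaluate(CLEAN_FIRMWARE, CLEAN_DXE_DRIVER, OS_BOOTLOADER))
    print("modified:", evaluate(modified_firmware(CLEAN_FIRMWARE), CLEAN_DXE_DRIVER, OS_BOOTLOADER))
```

On the clean machine both checks pass. With the firmware image altered and the boot loader unchanged, Secure Boot still passes (the only image it inspects is identical), while the PCR no longer matches the golden value. In practice that mismatch is what a remote-attestation or baseline-comparison process would flag, which is the defensive value of measuring the firmware itself rather than only the images it loads.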
