Researchers Discover Dangerous Firmware-Level Rootkit

MoonBounce is the latest in a small but growing number of implants found hidden in a computer’s Unified Extensible Firmware Interface (UEFI).

Firmware-based rootkits, though still relatively rare, are gaining in popularity because they give threat actors a way to maintain a persistent, hard-to-detect, and difficult-to-eradicate presence on a target network.

Kaspersky researchers recently discovered the latest example of such a threat hidden deep within the Unified Extensible Firmware Interface (UEFI) firmware of a computer at a customer location. The malicious implant, dubbed “MoonBounce,” was planted in UEFI firmware within the SPI flash storage on the infected computer’s motherboard, rather than on the hard disk like some other UEFI rootkits. This meant the implant could persist on the system even if the hard disk had been formatted or replaced, according to Kaspersky.
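Because an implant in SPI flash survives disk formatting or replacement, disk-level scanning cannot find it; the defender has to compare the firmware image itself against a known-good copy. The following is an added illustration of that check, not code from Kaspersky or from the article. It assumes the investigator already has two inputs: a dump of the board's SPI flash contents and a vendor-supplied known-good image for the same firmware version (how those are obtained is outside the scope of the page). The images below are constructed stand-ins, and the block granularity and function names are the example's own choices.

```python
import hashlib

# Compare a dumped UEFI firmware image against a known-good baseline and report
# which flash regions differ. The sample images are constructed, not real firmware.

BLOCK_SIZE = 4096  # reporting granularity; chosen here to match a common flash erase-block size


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a whole image, for a quick allowlist comparison."""
    return hashlib.sha256(data).hexdigest()


def find_modified_blocks(baseline: bytes, dump: bytes, block_size: int = BLOCK_SIZE):
    """Return (offset, length) for every block where the dump differs from the baseline.

    Length mismatches are reported too: a truncated or extended tail counts as modified,
    so a dump that is simply shorter than the baseline is never reported as clean.
    """
    modified = []
    longest = max(len(baseline), len(dump))
    for offset in range(0, longest, block_size):
        expected = baseline[offset:offset + block_size]
        observed = dump[offset:offset + block_size]
        if expected != observed:
            modified.append((offset, max(len(expected), len(observed))))
    return modified


def verify_firmware(baseline: bytes, dump: bytes) -> dict:
    """Summarise the comparison: whole-image hashes, overall verdict, modified regions."""
    blocks = find_modified_blocks(baseline, dump)
    return {
        "baseline_sha256": sha256_hex(baseline),
        "dump_sha256": sha256_hex(dump),
        "match": not blocks,
        "modified_blocks": blocks,
    }


# --- Constructed sample data (not a real firmware image) ---
# A deterministic 64 KiB pseudo-image stands in for the vendor's known-good firmware.
BASELINE_IMAGE = bytes((i * 31 + 7) % 256 for i in range(16 * BLOCK_SIZE))

# The "dump" is the same image with 64 bytes overwritten inside block 3,
# standing in for an in-place modification of one firmware component.
_patched = bytearray(BASELINE_IMAGE)
_patched[3 * BLOCK_SIZE + 256:3 * BLOCK_SIZE + 320] = b"\x90" * 64
TAMPERED_IMAGE = bytes(_patched)

if __name__ == "__main__":
    report = verify_firmware(BASELINE_IMAGE, TAMPERED_IMAGE)
    print("match:", report["match"])
    for offset, length in report["modified_blocks"]:
        print(f"modified region: 0x{offset:06x}-0x{offset + length:06x}")
```

Reporting the differing regions rather than a single pass/fail verdict matters in practice: it tells the analyst which part of the image to pull apart, and it distinguishes a genuine modification from a baseline that is simply the wrong version.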

The implant was designed to enable the deployment of additional malware on the compromised system. Other malware artifacts on the same system pointed to MoonBounce being used as part of a wider cyber-espionage campaign that Kaspersky researchers were able to attribute with a high level of confidence to APT41, a known Chinese-speaking advanced persistent threat (APT) group. Kaspersky discovered the threat in late 2021 and privately reported it to customers of its APT service.

“We have chosen to reveal this publicly not long after as we believe there is value in this knowledge being shared with the community,” says Mark Lechtik, a senior security researcher with Kaspersky’s global research and analysis team (GReAT). The goal is to allow defenders “both to understand how UEFI firmware attacks have evolved and [to] allow blue teamers to better defend against this type of threat.”