Researchers believe we could see more attacks based on such evasive, difficult-to-remove malware implants this year.

As malware infections go, firmware bootkits are notoriously difficult to remove, and are of limited visibility to anti-malware products.

The first two bootkits discovered were LoJax and MosaicRegressor, and in the spring of 2021, a third was found in the wild. Dubbed MoonBounce, this malicious implant demonstrates a sophisticated attack flow, with evident advancement in comparison to earlier firmware bootkits. 

Kaspersky researchers have attributed the attack with considerable confidence to the  advanced persistent threat actor APT41.

More sophisticated than previous bootkits

So far, the firmware bootkit has been found in only a single case. The exact infection vector remains unknown; however, it is assumed that the infection occurred through remote access to the targeted machine. In the overall campaign against the network in question, it was evident that the attackers had carried out a wide range of actions, such as archiving files and gathering network information.

Commands used by attackers suggest they were interested in lateral movement and exfiltration of data, and, given that a UEFI implant was used, it is likely the attackers were interested in conducting ongoing espionage activity.

While analyzing MoonBounce, the researchers uncovered several malicious loaders and post-exploitation malware across several nodes of the same network. This included:

  • ScrambleCross or Sidewalk, an in-memory implant that can communicate to a C2 server to exchange information and execute additional plugins
  • Mimikat_ssp, a publicly available post-exploitation tool used to dump credentials and security secrets
  • a previously unknown Golang based backdoor
  • Microcin malware that is typically used by the SixLittleMonkeys threat actor

Compared to LoJax and MosaicRegressor, which utilized additions of DXE drivers, MoonBounce modifies an existing firmware component for a more subtle and stealthy attack. The implant rests in the CORE_DXE component of the firmware, which is called upon early during the UEFI boot sequence. Then, through a series of hooks that intercept certain functions, the implant’s components make their way into the operating system, where they reach out to a Command & Control server in order to retrieve further malicious payloads, which researchers were unable to retrieve. The infection chain itself does not leave any traces on the hard drive as its components operate in memory only—thereby facilitating a file-less attack with a small footprint.

Most likely of APT origins

The researchers have attributed MoonBounce with considerable confidence to APT41, a Chinese-speaking threat actor that has conducted cyberespionage and cybercrime campaigns around the world since at least 2012.

In addition, the existence of some of the aforementioned malware in the same network suggests a possible connection between APT41 and other Chinese-speaking threat actors.

According to Denis Legezo, Senior Security Researcher, Global Research and Analysis Team, Kaspersky: “While we can’t definitely connect the additional malware implants found during our research to MoonBounce specifically, it does appear as if some Chinese-speaking threat actors are sharing tools with one another to aid in their various campaigns; there especially seems to be a low confidence connection between MoonBounce and Microcin.”

In response, more firmware security technologies, such as Intel’s BootGuard and Trusted Platform Modules, are gradually being adopted to address firmware bookits.