MoonBounce was created by the Chinese-speaking APT41 hacker group (also known as Winnti).
This has been done multiple times before, with two recent examples being the FinFisher malware and the ESPecter backdoor.
This malware hides in your BIOS chip and remains even after you reinstall your OS or format your hard drive.
UEFI malware, detected by Kasperksy’s firmware scanner logs, implants malicious code into the motherboard’s Serial Peripheral Interface (SPI) Flash.
MoonBounce is undeniably clever. It gets into a system and makes itself hard to detect and dispose of.
In the case of MoonBounce, the implanting location is on the SPI flash memory of the motherboard, so not even a hard disk replacement can uproot it.
The source of the infection starts with a set of hooks that intercept the execution of several functions in the EFI Boot Services Table,” explains Kaspersky on its SecureList blog. The hooks are then used to divert function calls to the malicious shellcode that the attackers have appended to the CORE_DXE image. This, in turn, “sets up additional hooks in subsequent components of the boot chain, namely the Windows loader.
How does MoonBounce work?
MoonBounce malware is designed to infect a computer’s UEFI firmware. UEFI is a type of firmware used to boot up a computer.
Once the malware has infected the UEFI firmware, it can gain low-level access to the system. This allows the attacker to bypass security measures such as full disk encryption.
MoonBounce is difficult to detect and remove, and it can be used to infect a computer persistently.
How can I protect myself from MoonBounce?
To protect yourself from MoonBounce, you should update your UEFI firmware to the latest version.
You should also ensure that your computer’s UEFI is set to boot from a trusted source, such as a USB drive or CD-ROM. Finally,
it would be best to consider using a complete disk encryption program to protect your data.
