Researchers discover dangerous firmware-level rootkit

Firmware-based rootkits, though still relatively rare, are gaining in popularity because they give threat actors a way to maintain a persistent, hard-to-detect, and difficult-to-eradicate presence on a target network.

Kaspersky researchers recently discovered the latest example of such a threat hidden deep within the Unified Extensible Firmware Interface (UEFI) firmware of a computer at a customer location. The malicious implant, dubbed “MoonBounce,” was planted in UEFI firmware within the SPI flash storage on the infected computer’s motherboard, rather than on the hard disk like some other UEFI bootkits. This meant the implant could persist on the system even if the hard disk had been formatted or replaced, according to Kaspersky.

The implant was designed to enable the deployment of additional malware on the compromised system. Other malware artifacts on the same system pointed to MoonBounce being used as part of a wider cyber-espionage campaign that Kaspersky researchers were able to attribute with a high level of confidence to APT41, a known Chinese-speaking advanced persistent threat (APT) group. Kaspersky discovered the threat in late 2021 and privately reported it to customers of its APT service.

“We have chosen to reveal this publicly not long after as we believe there is value in this knowledge being shared with the community,” says Mark Lechtik, senior security researcher with Kaspersky’s global research and analysis team (GReAT). The goal is to allow defenders “both to understand how UEFI firmware attacks have evolved and [to] allow blue teamers to better defend against this type of threat.”

Modern computers use UEFI firmware during the boot-up process. The interface contains information that the computer uses for loading the operating system, which means that any malicious code in it would execute before the OS boots up. This fact has made UEFI firmware an increasingly popular target for attackers looking to hide implants from malware detection tools and maintain long-term persistence on infected systems.

Security vendor ESET discovered the first firmware-level rootkit — dubbed LoJax — in 2018. This malware, like MoonBounce, was hidden in the UEFI firmware on SPI flash. It was discovered on a system belonging to an organization that Russia-based APT actor Sednit group had targeted as part of a campaign against government organizations in Eastern Europe and other regions.

To read the complete article, visit Dark Reading.