MoonBounce: UEFI Firmware Implant


A known Chinese APT actor using a UEFI implant to maintain stealthy persistence across reboots, disk formatting or disk replacement has come into the limelight. The finding shows that the threat actors (APT41) are already deploying hard-to-detect malware below the operating system, and is a sign that firmware implantation, in this case dubbed MoonBounce, may already be widespread.


Researchers said the below-the-OS compromise was originally flagged by firmware scanning technology built into their products to spot signs of rootkit infections. A single component within the firmware image was modified by the attackers in a way that allowed them to intercept the original execution flow of the machine's boot sequence and introduce a sophisticated infection chain.

The initial UEFI infection vector is still unknown, but the attacker added malicious shellcode and a kernel-mode driver into a newly created section within the compromised firmware image to commandeer the infected machine's boot routine.

Because the implant resides in SPI flash on the motherboard rather than on the hard disk, it persists across disk formatting or replacement. Its purpose is to manage the deployment of user-mode malware that stages execution of further payloads downloaded from the internet. The infection chain leaves no traces on the hard drive, as its components operate in memory only, making it a fileless attack with a small footprint.

The MoonBounce discovery is the third publicly documented case of firmware-based rootkit implantation, and its attack flow is more complicated than that of the previous ones. Just last year, researchers found signs that the FinSpy surveillance spyware tool was fitted with a UEFI bootkit, and ESET found similar capabilities in a cyber espionage campaign.


It is recommended to update UEFI firmware regularly and to verify that Boot Guard, where applicable, is enabled to safeguard against these types of attacks.
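The two defender-side checks that recommendation implies, as an added example that is not code from the original post or from the researchers who documented MoonBounce: decoding Boot Guard status from the processor's BOOT_GUARD_SACM_INFO model-specific register, and localising which regions of a dumped SPI flash image depart from a known-good baseline (a modified component shows up as a "modified" run, a grafted-on section as an "appended" run). Assumptions: the MSR number 0x13A and its bit layout follow CHIPSEC's register definition; the `/dev/cpu/N/msr` read needs Linux, root and the `msr` kernel module; the baseline manifest is built from a vendor image or a dump taken while the machine was known to be clean; the sample images in `main` are constructed.

```python
"""Boot Guard status decode and firmware-dump baseline comparison (added example)."""
import hashlib
import struct
from typing import Dict, List, Tuple

# Assumption: BOOT_GUARD_SACM_INFO is MSR 0x13A with the field layout
# published in CHIPSEC's register configuration.
BOOT_GUARD_SACM_INFO_MSR = 0x13A
_SACM_FIELDS = {            # name: (bit offset, width)
    "nem_enabled": (0, 1),
    "tpm_type": (1, 2),
    "tpm_success": (3, 1),
    "force_anchor_boot": (4, 1),
    "measured_boot": (5, 1),
    "verified_boot": (6, 1),
    "module_revoked": (7, 1),
    "btg_capability": (32, 1),
}


def decode_sacm_info(value: int) -> Dict[str, int]:
    """Split a raw 64-bit MSR value into its named fields."""
    return {name: (value >> shift) & ((1 << width) - 1)
            for name, (shift, width) in _SACM_FIELDS.items()}


def boot_guard_verdict(value: int) -> str:
    """Summarise the decoded register as one of four states."""
    f = decode_sacm_info(value)
    if not f["btg_capability"]:
        return "unsupported"      # CPU does not report Boot Guard at all
    if f["verified_boot"]:
        return "verified"         # ACM verified the initial boot block
    if f["measured_boot"]:
        return "measured-only"    # measured into the TPM but not enforced
    return "not-enforced"         # capable, but no profile is active


def read_sacm_info(cpu: int = 0) -> int:
    """Read the MSR on a live Linux host (root + msr module required)."""
    with open(f"/dev/cpu/{cpu}/msr", "rb", buffering=0) as fh:
        fh.seek(BOOT_GUARD_SACM_INFO_MSR)
        return struct.unpack("<Q", fh.read(8))[0]


def hash_blocks(image: bytes, block: int = 4096) -> List[str]:
    """Per-block SHA-256 manifest; the golden baseline can be kept as this
    list instead of the full image."""
    return [hashlib.sha256(image[i:i + block]).hexdigest()
            for i in range(0, len(image), block)]


def compare_manifests(baseline: List[str], current: List[str],
                      block: int = 4096) -> List[Tuple[int, int, str]]:
    """Return merged runs (offset, length, kind) where the current dump
    departs from the baseline: 'modified' inside the baseline's extent,
    'appended' beyond it, 'truncated' where the dump is shorter."""
    runs: List[Tuple[int, int, str]] = []
    for i in range(max(len(baseline), len(current))):
        if i >= len(baseline):
            kind = "appended"
        elif i >= len(current):
            kind = "truncated"
        elif baseline[i] != current[i]:
            kind = "modified"
        else:
            continue
        off = i * block
        if runs and runs[-1][2] == kind and runs[-1][0] + runs[-1][1] == off:
            start, length, _ = runs[-1]
            runs[-1] = (start, length + block, kind)   # extend the run
        else:
            runs.append((off, block, kind))
    return runs


def main() -> None:
    # Constructed sample: a 64 KiB "clean" image and a dump with one patched
    # region plus a new section appended after the original end.
    blk = 4096
    clean = bytes(range(256)) * 256
    tampered = clean[:8 * blk] + b"\xcc" * (2 * blk) + clean[10 * blk:] + b"\x90" * (3 * blk)
    for off, length, kind in compare_manifests(hash_blocks(clean, blk), hash_blocks(tampered, blk), blk):
        print(f"{kind:9s} at 0x{off:08x} ({length} bytes)")
    try:
        print("Boot Guard:", boot_guard_verdict(read_sacm_info()))
    except OSError as exc:            # not Linux, not root, or msr module absent
        print("Boot Guard: MSR not readable on this host:", exc)


if __name__ == "__main__":
    main()
```

A run of the comparison reports the patched blocks as a single "modified" run at the offset where the component lives and the grafted section as an "appended" run past the baseline's end, which is exactly the shape of change described above; the Boot Guard verdict is only meaningful on Intel platforms that expose the register, and a "verified" result on a machine with a provisioned profile is what the recommendation asks you to confirm.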
