MoonBounce

{{Short description|UEFI Malware}}

{{Infobox malware

| common_name = MoonBounce

| image =

| caption =

| image2 =

| caption2 =

| technical_name =

| Aliases =

| Type = Bootkit

| subtype =

| classification = Rootkit

| family =

| isolation_date =

| Origin =

| Author = APT41

| Date =

| Location =

| Theme =

| Target =

| outcome =

| losses =

| suspect =

| convicted =

| sentence =

| version =

| OS = Microsoft Windows

| package =

| filename =

| filetype =

| filesize =

| exploit =

| ports_used =

| language =

| discontinuation_date =

| version1 =

| OS1 =

| package1 =

| filename1 =

| filetype1 =

| filesize1 =

| exploit1 =

| ports_used1 =

| language1 =

| discontinuation_date1 =

}}

MoonBounce is a UEFI firmware-based rootkit (bootkit) attributed to the Chinese state-sponsored group APT41. It was discovered by researchers at Kaspersky in 2021 and publicly documented in January 2022.{{Cite web |title=New MoonBounce UEFI malware used by APT41 in targeted attacks |url=https://www.bleepingcomputer.com/news/security/new-moonbounce-uefi-malware-used-by-apt41-in-targeted-attacks/ |access-date=2024-03-21 |website=BleepingComputer |language=en-us |archive-date=2023-01-17 |archive-url=https://web.archive.org/web/20230117175218/https://www.bleepingcomputer.com/news/security/new-moonbounce-uefi-malware-used-by-apt41-in-targeted-attacks/ |url-status=live }} Payloads delivered through the implant have been reported to disable Windows security tools and bypass User Account Control.{{Cite web |last=Yusaf |first=Mansoor |date=2023-09-18 |title=MoonBounce UEFI Bootkit Malware |url=https://www.propelex.com/moonbounce-uefi-bootkit-malware/ |access-date=2024-03-21 |website=Propelex |language=en-US |archive-date=2023-09-25 |archive-url=https://web.archive.org/web/20230925054519/https://www.propelex.com/moonbounce-uefi-bootkit-malware/ |url-status=live }}

The available evidence indicates that the attacks were highly targeted.{{Cite book |last=CG |url=https://books.google.com/books?id=aepcEAAAQBAJ&dq=moonbounce+malware&pg=PA4 |title=電腦1週: PCStation Issue 1109 |date=2022-02-06 |publisher=Creative Games Limited |language=zh}} MoonBounce has been described as a milestone in the evolution of UEFI rootkits,{{Cite web |last=Olyniychuk |first=Daryna |date=2023-03-14 |title=BlackLotus UEFI Bootkit Detection: Exploits CVE-2022-21894 to Bypass UEFI Secure Boot and Disables OS Security Mechanisms |url=https://socprime.com/blog/blacklotus-uefi-bootkit-detection-exploits-cve-2022-21894-to-bypass-uefi-secure-boot-and-disables-os-security-mechanisms/ |access-date=2024-03-21 |website=SOC Prime |language=en-US |archive-date=2023-03-31 |archive-url=https://web.archive.org/web/20230331092021/https://socprime.com/blog/blacklotus-uefi-bootkit-detection-exploits-cve-2022-21894-to-bypass-uefi-secure-boot-and-disables-os-security-mechanisms/ |url-status=live }} and at the time of its disclosure it was the third UEFI firmware implant known to have been found in the wild, after LoJax and MosaicRegressor.

Infection

Kaspersky found the firmware implant on only a single machine, so little is known about how it was installed. It is believed to have been implanted remotely rather than through physical access to the device.{{Cite web |last=Paulina |first=Adam |date=2023-11-14 |title=Running Malware Below the OS - The State of UEFI Firmware Exploitation |url=https://www.binarydefense.com/resources/blog/running-malware-below-the-os-the-state-of-uefi-firmware-exploitation/ |access-date=2024-03-21 |website=Binary Defense |language=en-US |archive-date=2023-12-09 |archive-url=https://web.archive.org/web/20231209155806/https://www.binarydefense.com/resources/blog/running-malware-below-the-os-the-state-of-uefi-firmware-exploitation/ |url-status=live }}

The implant resides in the SPI flash memory on the motherboard, where the attackers modified CORE_DXE, a firmware component that runs during the early DXE (Driver Execution Environment) phase of the UEFI boot sequence. The tampered CORE_DXE hooks the EFI Boot Services functions AllocatePool, CreateEvent and ExitBootServices, uses those hooks to keep a foothold across the hand-off from firmware to the Windows loader and kernel, and finally injects a malicious payload into an svchost.exe process once the operating system is running.{{Cite web |date=2022-01-20 |title=MoonBounce: the dark side of UEFI firmware |url=https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/ |access-date=2024-03-21 |website=securelist.com |language=en-US |archive-date=2024-02-01 |archive-url=https://web.archive.org/web/20240201213942/https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/ |url-status=live }}
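The following C program is an added illustration of the Boot Services hooking described above; it is not MoonBounce's code and not taken from the Kaspersky report. The three hooked entries (AllocatePool, CreateEvent, ExitBootServices) are the ones reported for the implant, but the BootServices struct, the stub firmware implementations, the 256-byte reservation and the snapshot-and-compare audit are constructed assumptions for the example, not the real EFI_BOOT_SERVICES table or any particular scanner's logic.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the part of the EFI_BOOT_SERVICES table that the
 * tampered CORE_DXE hooks. The real table has dozens more entries and EDK2
 * calling conventions; those are omitted here. */
typedef uint64_t EFI_STATUS;
#define EFI_SUCCESS          0ULL
#define EFI_OUT_OF_RESOURCES 9ULL

typedef EFI_STATUS (*AllocatePoolFn)(int pool_type, size_t size, void **buf);
typedef EFI_STATUS (*CreateEventFn)(uint32_t type, void **event);
typedef EFI_STATUS (*ExitBootServicesFn)(void *image_handle, size_t map_key);

typedef struct {
    AllocatePoolFn     AllocatePool;
    CreateEventFn      CreateEvent;
    ExitBootServicesFn ExitBootServices;
} BootServices;

/* ---- benign firmware implementations (stubs for the example) ---- */
static uint8_t pool_arena[4096];
static size_t  pool_used;

static EFI_STATUS fw_AllocatePool(int pool_type, size_t size, void **buf) {
    (void)pool_type;
    if (pool_used + size > sizeof pool_arena) return EFI_OUT_OF_RESOURCES;
    *buf = pool_arena + pool_used;
    pool_used += size;
    return EFI_SUCCESS;
}
static EFI_STATUS fw_CreateEvent(uint32_t type, void **event) {
    (void)type; *event = (void *)pool_arena; return EFI_SUCCESS;
}
static EFI_STATUS fw_ExitBootServices(void *image_handle, size_t map_key) {
    (void)image_handle; (void)map_key; return EFI_SUCCESS;
}

/* ---- implant side: what a tampered CORE_DXE does ---- */
static BootServices saved;         /* real entry points, kept as trampolines */
static void *implant_stage_buf;    /* memory reserved for the next stage */
static int   handoff_hook_fired;   /* set when the ExitBootServices hook runs */

static EFI_STATUS hk_AllocatePool(int pool_type, size_t size, void **buf) {
    /* Piggyback on a legitimate request: reserve 256 bytes (hypothetical
     * size) for the implant through the real allocator, then serve the caller. */
    if (implant_stage_buf == NULL)
        saved.AllocatePool(pool_type, 256, &implant_stage_buf);
    return saved.AllocatePool(pool_type, size, buf);
}
static EFI_STATUS hk_CreateEvent(uint32_t type, void **event) {
    return saved.CreateEvent(type, event);   /* pass-through; keeps a foothold */
}
static EFI_STATUS hk_ExitBootServices(void *image_handle, size_t map_key) {
    /* The OS loader calls this when it is done with firmware services; the
     * hook runs first, which is where the implant hands off to its next stage. */
    handoff_hook_fired = 1;
    return saved.ExitBootServices(image_handle, map_key);
}

void install_hooks(BootServices *bs) {
    saved = *bs;                           /* remember the real entry points */
    bs->AllocatePool     = hk_AllocatePool;
    bs->CreateEvent      = hk_CreateEvent;
    bs->ExitBootServices = hk_ExitBootServices;
}

/* ---- defender side: compare the live table with a trusted snapshot ---- */
size_t count_hooked_entries(const BootServices *baseline, const BootServices *live) {
    size_t n = 0;
    if (baseline->AllocatePool     != live->AllocatePool)     n++;
    if (baseline->CreateEvent      != live->CreateEvent)      n++;
    if (baseline->ExitBootServices != live->ExitBootServices) n++;
    return n;
}

/* Simulated boot: snapshot the clean table, dispatch the tampered driver,
 * let the OS loader call through the table, then audit it. */
size_t simulate_boot(void) {
    BootServices bs = { fw_AllocatePool, fw_CreateEvent, fw_ExitBootServices };
    BootServices baseline = bs;            /* trusted snapshot before dispatch */
    void *buf, *ev;

    install_hooks(&bs);                    /* tampered CORE_DXE runs */
    bs.AllocatePool(0, 64, &buf);          /* OS loader's normal activity ... */
    bs.CreateEvent(0, &ev);
    bs.ExitBootServices(NULL, 0);          /* ... ends with the hand-off */

    return count_hooked_entries(&baseline, &bs);
}

int implant_handoff_fired(void)    { return handoff_hook_fired; }
int implant_reserved_memory(void)  { return implant_stage_buf != NULL; }

int main(void) {
    size_t hooked = simulate_boot();
    printf("hooked Boot Services entries: %zu, handoff hook fired: %d\n",
           hooked, implant_handoff_fired());
    return 0;
}
```

The audit only works because the baseline snapshot is taken before the tampered driver is dispatched; on a real system the equivalent trusted reference is the vendor's firmware image (or a measurement recorded by the TPM), which is why dumping the SPI flash and comparing it against a known-good image, rather than inspecting the running OS, is the reliable way to find a firmware implant of this kind.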

Because the implant lives in the firmware rather than on the hard drive, and the rest of the infection chain runs only in memory, it leaves no files on disk and survives reinstallation of the operating system or replacement of the hard drive; detection therefore requires inspecting the firmware image itself.{{Cite web |last=Yurchenko |first=Alla |date=2022-01-25 |title=The Most Refined UEFI Firmware Implant: MoonBounce Detection |url=https://socprime.com/blog/the-most-refined-uefi-firmware-implant-moonbounce-detection/ |access-date=2024-03-21 |website=SOC Prime |language=en-US |archive-date=2023-06-03 |archive-url=https://web.archive.org/web/20230603042448/https://socprime.com/blog/the-most-refined-uefi-firmware-implant-moonbounce-detection/ |url-status=live }}

References