Security analysts have discovered MoonBounce, “the most advanced UEFI firmware implant found in the wild so far,” and linked it to the Chinese hacker group APT41 (also known as Winnti).
APT41 is a notorious hacking group that has been active for at least a decade and is primarily known for its stealth cyber espionage operations against high-profile organizations across various industry sectors.
The discovery of MoonBounce is the work of Kaspersky researchers, who have published a detailed technical report on their findings.
A sophisticated UEFI implant
UEFI (Unified Extensible Firmware Interface) is a specification that defines the interface between a computer’s firmware and its operating system (OS).
Implanting malicious code, known as a “UEFI bootkit,” in the firmware is an effective way to stay hidden from AVs and from any security tools that work at the operating system level.
This has been done many times before, with two recent examples being the FinFisher malware and the ESPecter backdoor.
Typically, these tools hijack the boot sequence and initialize before the operating system’s security components. They are very persistent because they hide in areas that cannot be erased, such as reserved space on the disk.
In MoonBounce’s case, the implant location is on the motherboard’s SPI flash memory, so even a hard drive replacement can’t root it out.
The laced firmware component is CORE_DXE, which is called during the first phase of the UEFI boot sequence.
“The source of the infection starts with a set of hooks that intercept the execution of several functions in the EFI boot services table, namely AllocatePool, CreateEventEx and ExitBootServices,” explains Kaspersky in the report.
“These hooks are used to divert the flow of these functions to malicious shellcode which is added by attackers to the CORE_DXE image, which in turn sets up additional hooks in subsequent components of the boot chain, namely the Windows loader.”
“This multi-step hook chain facilitates the propagation of malicious code from the CORE_DXE image to other boot components during system startup, allowing a malicious driver to be introduced into the memory address space of the Windows kernel.”
This driver runs during OS kernel initialization and injects the malware into a svchost.exe process. By the time the computer is operational, the malware is fully initialized.
Then it communicates with a hard-coded C2 URL and attempts to fetch the payload for the next step, which will run in memory.
Kaspersky was unable to retrieve this payload to analyze it or determine how exactly the actors infected the UEFI firmware in the first place.
Campaign targets and objectives
Telemetry data reveals that these attacks were highly targeted, and Kaspersky detected the firmware rootkit in only one instance.
However, Kaspersky found several malware samples and loaders on other machines on the same network, but these were non-UEFI implants.
Examples include the Microcin backdoor, Mimikat credential stealer, Go implant, StealthMutant loader, and ScrambleCross malware.
As for who was targeted, the security firm mentions an organization controlling several companies involved in transportation technology.
The main objective of the adversaries was to establish themselves permanently in the network and to carry out cyber espionage by exfiltrating valuable data to the C2 server.
In this context, APT41 operators performed analytical reconnaissance of the network and moved laterally when possible while erasing traces of their malicious activity.
APT41 still going strong
Kaspersky has found extensive evidence linking MoonBounce to APT41, ranging from the deployment of the ScrambleCross malware itself to unique certificates retrieved from its C2 servers that match previous FBI reports on APT41 activity.
While the US Department of Justice identified and charged five APT41 members in September 2020, the existence of MoonBounce and the operation surrounding it proves that threat actors have not been deterred by the judicial pressure.
APT41 remains a sophisticated threat actor capable of developing evasion tools that get past even well-defended corporate networks.
As UEFI threats become increasingly popular, Kaspersky advises taking the following steps to defend against attackers using MoonBounce or similar malware:
- Enable secure boot by default
- Regularly update the firmware
- Check that BootGuard is enabled
- Enable Trusted Platform Modules
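The following script is an added example, not code from the Kaspersky report or this article, that turns the checklist above into a baseline report for a Windows host. It assumes an elevated PowerShell 5.1 or later session on a UEFI-based machine; the function name Get-UefiHardeningReport is a hypothetical name chosen here.

```powershell
# Added example: baseline checks for the mitigations listed above.
# Assumes an elevated PowerShell 5.1+ session on a UEFI-based Windows host.
# Boot Guard status is not exposed by a built-in cmdlet, so it is flagged for
# manual verification rather than guessed.

function Get-UefiHardeningReport {
    $report = [ordered]@{}

    # 1. Secure Boot: Confirm-SecureBootUEFI throws on legacy BIOS systems.
    try {
        $report.SecureBootEnabled = Confirm-SecureBootUEFI
    } catch {
        $report.SecureBootEnabled = $false
        $report.SecureBootNote = "Not a UEFI boot or query failed: $($_.Exception.Message)"
    }

    # 2. Firmware version and release date, to compare against the vendor's latest.
    $bios = Get-CimInstance -ClassName Win32_BIOS
    $report.FirmwareVendor  = $bios.Manufacturer
    $report.FirmwareVersion = $bios.SMBIOSBIOSVersion
    $report.FirmwareDate    = $bios.ReleaseDate

    # 3. TPM presence and readiness.
    try {
        $tpm = Get-Tpm
        $report.TpmPresent = $tpm.TpmPresent
        $report.TpmReady   = $tpm.TpmReady
    } catch {
        $report.TpmPresent = $false
        $report.TpmReady   = $false
        $report.TpmNote    = "Get-Tpm failed: $($_.Exception.Message)"
    }

    # 4. Boot Guard: no built-in cmdlet reports it; flag for manual verification.
    $report.BootGuard = "Verify with platform/vendor firmware tooling"

    # Summarise which items need attention.
    $findings = @()
    if (-not $report.SecureBootEnabled) { $findings += "Secure Boot is not enabled" }
    if (-not $report.TpmPresent -or -not $report.TpmReady) { $findings += "TPM absent or not ready" }
    $report.Findings = $findings

    [pscustomobject]$report
}

Get-UefiHardeningReport | Format-List
```

Because an implant in SPI flash survives disk replacement, the firmware version and date reported here should be compared against the vendor's current release rather than treated as proof of integrity on their own.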