
Malware That Can Survive OS Reinstalls Strikes Again, Likely for Cyberespionage

Antivirus provider Kaspersky discovered the malware, dubbed MoonBounce, on a computer's UEFI firmware.

By Michael Kan
January 20, 2022
(Photo by Silas Stein/picture alliance via Getty Images)

A new malware strain that can survive operating system reinstalls was spotted last year secretly hiding on a computer, according to the antivirus provider Kaspersky.

The company discovered the Windows-based malware last spring running on a single computer. How the malicious code infected the system remains unclear. But the malware was designed to operate on the computer’s UEFI firmware, which helps boot up the system. 

The malware, dubbed MoonBounce, is especially scary because it installs itself on the motherboard’s SPI flash memory, instead of the computer’s storage drive. Hence, the malware can persist even if you reinstall the computer’s OS or swap out the storage. 

“What’s more, because the code is located outside of the hard drive, such bootkits’ activity goes virtually undetected by most security solutions unless they have a feature that specifically scans this part of the device,” Kaspersky said. 

The discovery marks the third time the security community has uncovered UEFI-based malware designed to persist in a computer’s flash memory. The previous two are LoJax, which was found infecting a victim’s computer in 2018, and MosaicRegressor, which was found on machines belonging to two victims in 2020.

The new strain, MoonBounce, was designed to retrieve additional malware payloads to be installed on the victim's computer. But according to Kaspersky, MoonBounce is even more advanced and stealthy than its predecessors because it modifies a “previously benign” core component of the motherboard’s firmware to facilitate malware deployment.

“The infection chain itself does not leave any traces on the hard drive, since its components operate in memory only, thus facilitating a fileless attack with a small footprint,” the company added. 

How the MoonBounce malware works

Kaspersky didn't name the owner of the infected computer, but the company has uncovered evidence that the malicious code is the work of a Chinese state-sponsored group dubbed APT41, which is known for cyberespionage. In 2020, the Justice Department charged five alleged members of the hacking group with breaching over 100 companies, including software and video game developers, to steal source code, customer account data, and other intellectual property.

"MoonBounce has only been found on a single machine. However, other affiliated malicious samples have been found on the networks of several other victims," the company said, a possible sign the malware may be more prevalent than currently known.

Kaspersky discovered MoonBounce because it developed a “firmware scanner,” a component of its antivirus products that checks the UEFI firmware for tampering. The easiest way to remove MoonBounce from a computer isn't entirely clear, but in principle it should be doable by reflashing the SPI memory on the motherboard.

“Removal of UEFI bootkit requires overwriting the SPI flash with benign and verified vendor firmware, either through a designated flashing tool or other methods provided by the vendor itself,” Kaspersky told PCMag. “On top of that, it is advised to check if the underlying platform supports Boot Guard and TPM, and validate those are supported by the new firmware.”

The antivirus provider also recommends keeping the UEFI firmware up-to-date, which can be done through BIOS updates from your motherboard’s manufacturer.
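The two defensive checks the article mentions, comparing a firmware dump against verified vendor firmware and relying on TPM measurements, can be illustrated with a small simulation. The code below is an added example written for this page; it is not Kaspersky's firmware scanner or any vendor tool, and the "images" it works on are constructed byte strings, not real SPI flash dumps. It shows (1) a block-wise comparison that locates which regions of a dump differ from a known-good vendor image, and (2) a TPM-style PCR extend chain, where any change to a measured firmware component changes the final PCR value and so would fail comparison against a recorded golden value.

```python
import hashlib
from typing import List

BLOCK_SIZE = 512  # granularity at which the dump is compared to the vendor image

# Constructed sample images (not real firmware): a 4 KiB "golden" vendor image
# and a copy with 16 bytes altered inside the block starting at offset 1024.
VENDOR_IMAGE = bytes(range(256)) * 16
_tampered = bytearray(VENDOR_IMAGE)
_tampered[1024:1040] = b"X" * 16
TAMPERED_IMAGE = bytes(_tampered)


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def find_modified_blocks(golden: bytes, dump: bytes, block_size: int = BLOCK_SIZE) -> List[int]:
    """Return the offsets of every block whose contents differ from the vendor image.

    A clean dump returns an empty list. A size mismatch is reported rather than
    silently compared, since it means the dump does not have the vendor layout.
    """
    if len(golden) != len(dump):
        raise ValueError("image size mismatch: dump does not match the vendor image layout")
    return [
        off
        for off in range(0, len(golden), block_size)
        if sha256(golden[off:off + block_size]) != sha256(dump[off:off + block_size])
    ]


def pcr_extend(pcr: bytes, component: bytes) -> bytes:
    """TPM-style extend: new_pcr = H(old_pcr || H(component)).

    Mirrors how a TPM updates a PCR; this is a software simulation, not a TPM call.
    """
    return sha256(pcr + sha256(component))


def measure_boot_chain(components: List[bytes]) -> bytes:
    """Extend a zeroed PCR with each firmware component in boot order."""
    pcr = bytes(32)
    for component in components:
        pcr = pcr_extend(pcr, component)
    return pcr


def split_into_components(image: bytes, size: int = 1024) -> List[bytes]:
    """Treat each 1 KiB slice of an image as one measured firmware component (assumption)."""
    return [image[i:i + size] for i in range(0, len(image), size)]


def firmware_is_trusted(golden_pcr: bytes, image: bytes) -> bool:
    """Attestation-style check: the measured chain must reproduce the recorded golden PCR."""
    return measure_boot_chain(split_into_components(image)) == golden_pcr


if __name__ == "__main__":
    golden_pcr = measure_boot_chain(split_into_components(VENDOR_IMAGE))
    print("modified blocks:", find_modified_blocks(VENDOR_IMAGE, TAMPERED_IMAGE))
    print("vendor image trusted:", firmware_is_trusted(golden_pcr, VENDOR_IMAGE))
    print("tampered image trusted:", firmware_is_trusted(golden_pcr, TAMPERED_IMAGE))
```

The block comparison tells a responder where in the flash a dump diverges, which is useful when deciding whether a region is a legitimate vendor variation or an implant; the PCR chain shows why a recorded golden measurement plus TPM-backed measured boot catches a firmware change even when nothing on disk is touched.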

About Michael Kan

Senior Reporter

I've been with PCMag since October 2017, covering a wide range of topics, including consumer electronics, cybersecurity, social media, networking, and gaming. Prior to working at PCMag, I was a foreign correspondent in Beijing for over five years, covering the tech scene in Asia.
