MoonBounce

MoonBounce is a UEFI firmware-based rootkit. It is linked to the Chinese hacker group APT41. MoonBounce was discovered by researchers at Kaspersky in 2021. It can disable Windows security tools and bypass User Account Control (UAC). The available data shows that the attacks are highly targeted. MoonBounce marks a milestone in the evolution of UEFI rootkits and is the third malicious UEFI bootkit known to have been found.


Infection

Kaspersky has detected the firmware rootkit in only one case, so little is known about how the rootkit is meant to spread. It is believed to have been installed remotely. The implant location is the SPI flash memory on the motherboard. CORE_DXE, the firmware component laced with the malicious code, is used during the first phases of the UEFI boot sequence. It hooks EFI Boot Services functions and injects further malware into a svchost.exe process during boot. It resides on a low-level portion of the hard drive. It operates in memory only, which makes it undetectable on the HDD (Yurchenko, Alla. "The Most Refined UEFI Firmware Implant: MoonBounce Detection". SOC Prime, 25 January 2022. https://socprime.com/blog/the-most-refined-uefi-firmware-implant-moonbounce-detection/ ; archived 3 June 2023 at https://web.archive.org/web/20230603042448/https://socprime.com/blog/the-most-refined-uefi-firmware-implant-moonbounce-detection/).
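Because the implant lives in a modified module inside the SPI flash image rather than on disk, the defender-side check is to compare a flash dump against the vendor's firmware image module by module. The script below is an added example (not from the article or from Kaspersky's report): it walks the file list of a UEFI firmware volume using the EFI_FFS_FILE_HEADER layout and reports which module's contents differ, which is how an in-place modification of a module such as CORE_DXE shows up. The volume and the module GUIDs are constructed placeholders; they are not the real CORE_DXE GUID.

```python
import hashlib, struct, uuid

# EFI_FIRMWARE_FILE_SYSTEM2_GUID and the 24-byte EFI_FFS_FILE_HEADER layout
FFS2_GUID = uuid.UUID("8c8ce578-8a3d-4f1c-9935-896185c32dd3")
FFS_HDR = struct.Struct("<16sHBB3sB")  # Name, IntegrityCheck, Type, Attributes, Size (24-bit), State

def walk_fv(image: bytes):
    """Yield (file GUID, raw file bytes) for each file in one uncompressed firmware volume."""
    if image[40:44] != b"_FVH":
        raise ValueError("no firmware volume signature at offset 40")
    fv_len = struct.unpack_from("<Q", image, 32)[0]
    off = struct.unpack_from("<H", image, 48)[0]  # HeaderLength: the first file starts here
    while off + FFS_HDR.size <= fv_len:
        name, _chk, _type, _attr, size3, _state = FFS_HDR.unpack_from(image, off)
        if name == b"\xff" * 16:  # erased flash: no more files
            break
        size = int.from_bytes(size3, "little")  # size includes the 24-byte header
        yield uuid.UUID(bytes_le=name), image[off:off + size]
        off = (off + size + 7) & ~7  # files are 8-byte aligned

def diff_volumes(baseline: bytes, dump: bytes) -> list[str]:
    """GUIDs of files whose contents differ between the vendor image and a flash dump."""
    def digests(img):
        return {g: hashlib.sha256(b).hexdigest() for g, b in walk_fv(img)}
    base, cur = digests(baseline), digests(dump)
    return sorted(str(g) for g in set(base) | set(cur) if base.get(g) != cur.get(g))

def build_fv(files) -> bytes:
    """Constructed test helper: wrap (guid, body) pairs in a minimal FFS2 volume."""
    body = b""
    for guid, data in files:
        size = FFS_HDR.size + len(data)
        body += FFS_HDR.pack(guid.bytes_le, 0, 0x07, 0, size.to_bytes(3, "little"), 0xF8) + data
        body += b"\xff" * (-len(body) % 8)  # pad each file to 8-byte alignment
    fv_len = 72 + len(body) + 16  # 56-byte header + block map entry + terminator, files, free space
    hdr = struct.pack("<16s16sQ4sIHHHBB", b"\0" * 16, FFS2_GUID.bytes_le, fv_len, b"_FVH", 0, 72, 0, 0, 0, 2)
    return hdr + struct.pack("<IIII", 1, fv_len, 0, 0) + body + b"\xff" * 16

# Constructed sample: placeholder GUIDs, not the real CORE_DXE module GUID. The dump differs
# from the vendor image only by a same-size change inside the DXE core module.
CORE_DXE = uuid.UUID("aaaaaaaa-0000-4000-8000-000000000001")
NETWORK_DRV = uuid.UUID("bbbbbbbb-0000-4000-8000-000000000002")
VENDOR_IMAGE = build_fv([(CORE_DXE, b"DXE core: original boot services"), (NETWORK_DRV, b"driver")])
FLASH_DUMP = build_fv([(CORE_DXE, b"DXE core: original hook services"), (NETWORK_DRV, b"driver")])

if __name__ == "__main__":
    print("modified modules:", diff_volumes(VENDOR_IMAGE, FLASH_DUMP))
```

Real images contain several volumes, and most DXE modules sit inside compressed sections, so a production check would first locate every `_FVH` signature and decompress nested sections before hashing; this walker covers a single uncompressed volume.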

