Pierluigi Paganini January 21, 2022

Researchers have spotted China-linked APT41 cyberespionage group using a UEFI implant, dubbed MoonBounce, to maintain persistence.

Kaspersky researchers spotted the China-linked APT41 cyberespionage group using a UEFI implant, dubbed MoonBounce, to maintain persistence.

At the end of 2021, researchers discovered a UEFI firmware-level compromise by analyzing logs from its Firmware Scanner.

Threat actors compromised a single component within the firmware image to intercept the original execution flow of the machine’s boot sequence and inject the sophisticated implant.

UEFI implants like MoonBounce allow attackers to achieve persistence on the target system that is resilient to disk formatting or replacement. In the case of MoonBounce, the bootkit is implanted on the SPI flash memory of the motherboard. A UEFI bootkit implanted in the firmware could not be detected by AVs and any defense solution running on the OS level.

“The purpose of the implant is to facilitate the deployment of user-mode malware that stages execution of further payloads downloaded from the internet;” reads the analysis published by Kaspersky. “The infection chain itself does not leave any traces on the hard drive, as its components operate in memory only, thus facilitating a fileless attack with a small footprint;”

The attackers incorporated the UEFI implant into the CORE_DXE component of the firmware (aka the DXE Foundation), which is invoked early on at the DXE (Driver Execution Environment) phase of the UEFI boot sequence. 

The infection leverages a set of hooks that intercept the execution of several functions in the EFI Boot Services Table, namely AllocatePool, CreateEventEx and ExitBootServices. Attackers used these hooks to hijack the flow of these functions to malicious shellcode and append them to the CORE_DXE image, which in turn sets up additional hooks in subsequent components of the boot sequence (Windows loader).

“This multistage chain of hooks facilitates the propagation of malicious code from the CORE_DXE image to other boot components during system startup, allowing the introduction of a malicious driver to the memory address space of the Windows kernel.” continues the analysis. “This driver, which runs during the initial phases of the kernel’s execution, is in charge of deploying user-mode malware by injecting it into an svchost.exe process, once the operating system is up and running.”

The UEFI implant used by APT41 is to deploy additional user-mode malware used to execute further payloads downloaded from C2 infrastructure.

Kaspersky pointed out that the attack that investigated is fileless, this means that it does not leave any traces on the hard drive and its components only operate in memory.

The researchers spotted other non-UEFI implants in the network targeted with the MoonBounce that were communicating with the same infrastructure that hosted the staging payload.

The researchers explained that the MoonBounce UEFI bootkit was employed in a very targeted attack, the sophisticated malware was detected in a single case.

“We traced some of the commands executed by the attackers after gaining a foothold in the network, which point to lateral movement and exfiltration of information from particular machines. This aligns in profile with some of the previous operations by APT41, wherein intrusions were typically made to intervene in the targeted companies’ supply chain, or to heist sensitive intellectual property and personally identifiable information.” continues the report. “The usage of the UEFI implant in particular indicates the actor’s aim to establish a longstanding foothold within the network, as would be expected in an ongoing espionage activity.”

The c is the third publicly documented case of firmware rootkit used in attacks in the wild, previous attacks leveraging this family of malware were related to the FinSpy surveillance spyware tool and a cyber espionage campaign uncovered by ESET that were spreading the ESPecter bookit.

“MoonBounce marks a particular evolution in this group of threats by presenting a more complicated attack flow in comparison to its predecessors and a higher level of technical competence by its authors, who demonstrate a thorough understanding of the finer details involved in the UEFI boot process,” Kaspersky concludes.

In order to prevent such kinds of attacks Kaspersky recommends regularly updating UEFI firmware, verifying that BootGuard, where applicable, is enabled, and enabling Trust Platform Modules and deployment of a security product that is able to inspect the firmware images.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, MoonBounce)

[adrotate banner=”5″]

[adrotate banner=”13″]