A new windows based malware strain that can survive operating system reinstalls was spotted last year secretly hiding on a computer, according to the antivirus provider Kaspersky.
The company discovered the Windows-based malware last spring running on a single computer. How the malicious code infected the system remains unclear. But the malware was designed to operate on the computer’s UEFI firmware, which helps boot up the system.
The malware, dubbed MoonBounce, is especially scary because it installs itself on the motherboard’s SPI flash memory, instead of the computer’s storage drive. Hence, the malware can persist even if you reinstall the computer’s OS or swap out the storage.
“What’s more, because the code is located outside of the hard drive, such bootkits’ activity goes virtually undetected by most security solutions unless they have a feature that specifically scans this part of the device,” Kaspersky said.
The discovery marks the third time the security community has uncovered a UEFI-based malware that’s designed to persist on a computer’s flash memory. The previous two include Lojax, which was found infecting a victim’s computer in 2018, and Mosaic Regressor, which was found on machines belonging to two victims in 2020.
The new strain MoonBounce was designed to retrieve additional malware payloads to be installed on the victim’s computer. But according to Kaspersky, the MoonBounce is even more advanced and stealthy because it can use a “previously benign” core component in the motherboard’s firmware to facilitate malware deployment.
“The infection chain itself does not leave any traces on the hard drive, since its components operate in memory only, thus facilitating a fileless attack with a small footprint,” the company added.
Kaspersky didn’t name the owner of the infected computer, but the company has uncovered evidence the malicious code is the work of a Chinese state-sponsored group dubbed APT41, which is known for cyberespionage. In 2020, the Justice Department charged five alleged members of the hacking group for breaching over 100 companies, including software and video game developers, to steal source code, customer account data, and other intellectual property.
“MoonBounce has only been found on a single machine. However, other affiliated malicious samples have been found on the networks of several other victims,” the company said, a possible sign the malware may be more prevalent than currently known.
Kaspersky discovered MoonBounce because it developed a “firmware scanner,” which can run over its antivirus programs to detect for UEFI tampering. The easiest way to remove MoonBounce from a computer isn’t entirely clear. But theoretically, it should be doable by reflashing the SPI memory on the motherboard.
“Removal of UEFI bootkit requires overwriting the SPI flash with benign and verified vendor firmware, either through a designated flashing tool or other methods provided by the vendor itself,” Kaspersky told PCMag. “On top of that, it is advised to check if the underlying platform supports Boot Guard and TPM, and validate those are supported by the new firmware.”
The antivirus provider also recommends keeping the UEFI firmware up-to-date, which can be done through BIOS updates from your motherboard’s manufacturer.
You may also enjoy reading, Why did Putin Pwn Russian Cyber gang REvil?
Stay informed of the latest Cybersecurity trends, threats and developments. Sign up for RiSec Weekly Cybersecurity Newsletter Today
Remember, CyberSecurity Starts With You!
- Globally, 30,000 websites are hacked daily.
- 64% of companies worldwide have experienced at least one form of a cyber attack.
- There were 20M breached records in March 2021.
- In 2020, ransomware cases grew by 150%.
- Email is responsible for around 94% of all malware.
- Every 39 seconds, there is a new attack somewhere on the web.
- An average of around 24,000 malicious mobile apps are blocked daily on the internet.
43,657 total views, 2 views today