MoonBounce: New malware deployed by APT41 in UEFI firmware
MoonBounce: New malware deployed by APT41 in UEFI firmware
THREAT LEVEL: Red.
For a detailed advisory, download the pdf file here.
MoonBounce is a new type of malware that hides in the most complex part of an Operating System (OS), the Basic Input Output System (BIOS) chip, and thus persists even after reinstalling your OS or formatting your hard drive.
MoonBounce is the most advanced malware up till today that implants malicious code into the motherboard’s Serial Peripheral Interface (SPI) Flash and has a complicated attack surface as well as greater technical sophistication. It can also execute remotely. MoonBounce belongs to the famous Chinese actor APT41.
Organizations are recommended to take these actions: •Keep UEFI firmware updated directly from the manufacturer, •Verify that BootGuard is enabled when available •Enable Trust Platform Modules •Run regular scans on system firmware for issues
The TTPs used by MoonBounce includes:
TA0040 – Impact
TA0009 – Collection
TA0006 – Credential Access
TA0002 – Execution
TA0005 – Defense Evasion
TA0004 – Privilege Escalation
TA0011 – Command and Control
TA0007 – Discovery
TA0008 – Lateral Movement
T1495 – Firmware Corruption
T1056 – Input Capture
T1059 – Command and Scripting Interpreter
T1014 – Rootkit
T1055 – Process Injection
T1496 – Resource Hijacking
T1102 – Web Service
T1049 – System Network Connections Discovery
T1007 – System Service Discovery
T1021 – Remote Services
T1047 – Windows Management Instrumentation
T1070 – Indicator Removal on Host T1140 – Deobfuscate/Decode Files or Information
Vulnerability Details
Indicators of Compromise (IoCs)
References
https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/
