Malware that can survive OS reinstalls strikes again, likely for cyber espionage
A new strain of malware that can survive operating system reinstalls was spotted secretly hiding on a computer last year, according to antivirus vendor Kaspersky.
Last spring, the company discovered that the Windows-based malware was running on a single computer. How the malicious code infected the system remains unclear. But the malware was designed to work on the computer’s UEFI firmware, which allows the system to boot.
The malware, dubbed MoonBounce, is particularly scary because it installs itself on the motherboard’s SPI flash memory, instead of the computer’s storage drive. Therefore, the malware may persist even if you reinstall the computer’s operating system or replace the storage.
“Furthermore, because the code is located outside of the hard drive, the activity of these bootkits goes virtually undetected by most security solutions, unless they have a feature that scans specifically this part of the device,” Kaspersky said.
This discovery marks the third time the security community has come across UEFI-based malware designed to persist on a computer’s flash memory. The previous two include Lojax, which was found infecting a victim’s computer in 2018, and Mosaic Regressor, which was found on machines belonging to two victims in 2020.
The new MoonBounce strain was designed to grab additional malware payloads to install on the victim’s computer. But according to Kaspersky, the MoonBounce is even more advanced and stealthy because it can use a “previously benign” core component in the motherboard firmware to help deploy malware.
“The infection chain itself leaves no traces on the hard drive, since its components operate only in memory, facilitating a fileless attack with a small footprint,” the company added.
Kaspersky did not name the owner of the infected computer, but the company has uncovered evidence that the malicious code is the work of a Chinese state-sponsored group called APT41, known for its cyber espionage. In 2020, the Department of Justice charged five alleged members of the hacking group with breaching more than 100 companies, including software and video game developers, to steal source code, customer account data and data. other intellectual properties.
“MoonBounce was only found on one machine. However, other affiliated malicious samples were found on the networks of several other victims,” the company said, a possible sign that the malware could be more widespread than currently known.
Recommended by our editors
Kaspersky discovered MoonBounce because it developed a “firmware scanner”, which can run its antivirus programs to detect UEFI tampering. The easiest way to remove MoonBounce from a computer is not entirely clear. But theoretically it should be doable by reflashing the SPI memory on the motherboard.
“Removing the UEFI bootkit requires overwriting the SPI flash with benign, verified vendor firmware, either through a designated flash tool or through other methods provided by the vendor itself,” Kaspersky told PCMag . “In addition to this, it is advisable to check whether the underlying platform supports Boot Guard and TPM, and validate these are supported by the new firmware.”
The antivirus vendor also recommends keeping the UEFI firmware up to date, which can be done through BIOS updates from your motherboard manufacturer.
Do you like what you read ?
Register for Security Watch newsletter for our top privacy and security stories delivered straight to your inbox.