A new malware has been making the headlines over the past few days. The rootkit, that has been identified as Moonbounce, is a persistent malware that can survive drive formats and OS reinstalls.
This is not a regular trojan or virus that impacts Windows, it is a sophisticated bootkit that targets your motherboard’s firmware, United Extensible Firmware Interface, commonly abbreviated as UEFI. This allows the malware to survive changes made to the hard drive or operating system. Your motherboard has its own storage chip called a flash memory. This SPI flash contains the software required to start and communicate with the rest of the hardware.
Image courtesy Pexels
A report by Kaspersky says that the Moonbounce malware was created by a hacker group called APT41. CSOOnline reports that the group is suspected to have ties with the Chinese government. The notorious cyberespionage group has also been involved in cybercrime campaigns around the world for a decade. The Russian antivirus maker notes that the firmware bootkit was first spotted in Spring 2021, and that it is more advanced than the 2 previous malware of its kind, LoJax and MosaicRegressor. That said the new malware has only been found once so far.
Note: Many people, and even OEMs refer to the UEFI as BIOS, while they’re technically and functionally different, the latter is the more popular term since it has been around for longer. Call it what you will, but both terms relate to the interface used to access and modify the motherboard’s firmware settings.
How does Moonbounce gain access to the UEFI?
Moonbounce targets the CORE_DXE in the firmware, and runs when the UEFI boot sequence is started. The malware then intercepts certain functions to implant itself in the operating system, and phones home to a command and control server. This then results in a malicious payload being delivered remotely, to neutralize the system’s security.
The attack takes place when a firmware component is modified by the malware. The hackers can use it to spy on users, archive files, gather network information, etc. Interestingly, Kaspersky’s report mentions that it was unable to trace the infection on the hard drive, meaning it ran in the memory without relying on files.
UEFI rootkits can be tricky to remove since antivirus programs are ineffective outside the operating system, but it is not impossible to remove such infections from the motherboard.
How to prevent UEFI rootkits?
There are a few simple ways to prevent UEFI malware such as Moonbounce, the first step is to enable Secure Boot. Could this be the reason why Microsoft made TPM 2.0 a requirement for Windows 11? Here’s a relevant video where a Microsoft Security Expert outlines the importance of UEFI, Secure Boot, TPM, etc., and how they are effective in combating malware. Adding a password to access the UEFI will block unauthorized firmware updates, thus giving you an extra layer of protection. If you hadn’t enabled secure boot or a password, i.e., if everything goes south, you can always reflash the UEFI to get rid of the pesky malware. Tip courtesy: reddit
Go to your motherboard (or laptop) manufacturer’s website and search for the specific model that you have, check if it has an updated version that you can flash. Double-check the information to see if the motherboard model matches the one given on the website, because flashing the wrong firmware can brick your system. You should also avoid using driver updater programs, and instead rely on Windows Updates and your vendor’s site to keep the drivers up-to-date.