Chinese APT deploys MoonBounce implant in UEFI firmware:
Security researchers have unveiled MoonBounce, a custom UEFI firmware implant used in targeted attacks.
The implant is believed to be the work of APT41, a Chinese-speaking sophisticated hacking group also known as Winnti or Double Dragon.
On January 20, Kaspersky researchers said that at the end of last year, the team uncovered a case of Unified Extensible Firmware Interface (UEFI) compromise caused by the modification of one component in the firmware – a core element called SPI flash, located on the motherboard.
"Due to its emplacement on SPI flash which is located on the motherboard instead of the hard disk, the implant is capable of persisting in the system across disk formatting or replacement," the team noted.
Not only did the tweak to the firmware result in persistence at a level that is extremely difficult to remove, the team says that the firmware image was "modified by attackers in a way that allowed them to intercept the original execution flow of the machine's boot sequence and introduce a sophisticated infection chain."
The developer of the MoonBounce UEFI rootkit is said to have a deep and thorough understanding of how UEFI systems work.
"The source of the infection starts with a set of hooks that intercept the execution of several functions in the EFI Boot Services Table, namely AllocatePool, CreateEventEx and ExitBootServices," the researchers explained. "Those hooks are used to divert the flow of these functions to malicious shellcode that is appended by the attackers to the CORE_DXE image, which in turn sets up additional hooks in subsequent components of the boot chain, namely the Windows loader."
(Score: 0, Redundant) by Mockingbird on Sunday January 23 2022, @12:14AM (6 children)
As usual, there is a simple solution: do not load Windows. Install Linux, or BSD, instead.
(Score: 0) by Anonymous Coward on Sunday January 23 2022, @01:27AM (4 children)
Linux or BSD...
Too late if the motherboard already has been compromised. Landfill and replace. And hopefully the new one, made in China, doesn't arrive with the malware preloaded...
(Score: 2) by RamiK on Sunday January 23 2022, @01:49AM
You can get a usb eeprom / spi / bios programmer under $10 over at amazon... $15 for one with a soic8 adapter... $25 for low-voltage chips support...
Comes in handy if you're using UBU [win-raid.com] to update microcode and such on out-of-service boards and something didn't go right.
compiling...
(Score: 1, Insightful) by Anonymous Coward on Sunday January 23 2022, @07:03AM (2 children)
Do you seriously think that there are "hooks" into Unix bootloaders? I guess we do not understand computers, do we? Of course, Windows motherboards arrive with malware preloaded, to give access to american intel agencies. it is called "Windows loader".
(Score: 0) by Anonymous Coward on Sunday January 23 2022, @07:56AM
Yes. No, you don't.
(Score: 3, Touché) by maxwell demon on Sunday January 23 2022, @08:26AM
Just start the Linux kernel with the kernel command line parameter init=/my/malware. Should be easy to do if you control the boot process before Linux even loads.
The Tao of math: The numbers you can count are not the real numbers.
(Score: 5, Insightful) by Anonymous Coward on Sunday January 23 2022, @02:26AM
It can be just as easily accomplished with any host OS like Linux. This results from a fundamental security problem with UEFI in it can be manipulated by bad code at the Host OS level, and also it has control over the Host OS, so basically once its corrupted it is hard to get rid of from the level of Host OSs. UEFI should not be there or at least it should be loaded from from a SD card which can be replaced.