Chinese APT deploys MoonBounce implant in UEFI firmware:
Security researchers have unveiled MoonBounce, a custom UEFI firmware implant used in targeted attacks.
The implant is believed to be the work of APT41, a Chinese-speaking sophisticated hacking group also known as Winnti or Double Dragon.
On January 20, Kaspersky researchers said that at the end of last year, the team uncovered a case of Unified Extensible Firmware Interface (UEFI) compromise caused by the modification of one component in the firmware – a core element called SPI flash, located on the motherboard.
"Due to its emplacement on SPI flash which is located on the motherboard instead of the hard disk, the implant is capable of persisting in the system across disk formatting or replacement," the team noted.
Not only did the tweak to the firmware result in persistence at a level that is extremely difficult to remove, the team says that the firmware image was "modified by attackers in a way that allowed them to intercept the original execution flow of the machine's boot sequence and introduce a sophisticated infection chain."
The developer of the MoonBounce UEFI rootkit is said to have a deep and thorough understanding of how UEFI systems work.
"The source of the infection starts with a set of hooks that intercept the execution of several functions in the EFI Boot Services Table, namely AllocatePool, CreateEventEx and ExitBootServices," the researchers explained. "Those hooks are used to divert the flow of these functions to malicious shellcode that is appended by the attackers to the CORE_DXE image, which in turn sets up additional hooks in subsequent components of the boot chain, namely the Windows loader."
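Because the shellcode is described as appended to the CORE_DXE image inside SPI flash, a defender's check is to diff a flash dump against a known-good vendor image file by file. The following is an added example, not Kaspersky's tooling and not part of the original article. It assumes a flat, uncompressed firmware volume with no extended header or large files (real images often nest the DXE core in compressed sections that must be unpacked first), and all GUIDs and image bytes are constructed.

```python
import hashlib, struct, uuid

FV_HDR = struct.Struct("<16s16sQ4sIHHHBB")  # EFI_FIRMWARE_VOLUME_HEADER, fixed 56 bytes
FFS_HDR = struct.Struct("<16sHBB3sB")       # EFI_FFS_FILE_HEADER, 24 bytes
DXE_CORE, DRIVER = 0x05, 0x07               # EFI_FV_FILETYPE_* values

def walk_fv(fv):
    """Map file GUID -> (type, size, SHA-256 of body) for one flat firmware volume."""
    _, _, fv_len, sig, _, hdr_len, *_ = FV_HDR.unpack_from(fv, 0)
    if sig != b"_FVH":
        raise ValueError("not a firmware volume")
    files, off = {}, hdr_len
    while off + FFS_HDR.size <= min(fv_len, len(fv)):
        name, _, ftype, _, size3, _ = FFS_HDR.unpack_from(fv, off)
        size = int.from_bytes(size3, "little")
        if name == b"\xff" * 16 or size < FFS_HDR.size:  # erased flash: no more files
            break
        body = fv[off + FFS_HDR.size:off + size]
        files[str(uuid.UUID(bytes_le=name))] = (ftype, size, hashlib.sha256(body).hexdigest())
        off = (off + size + 7) & ~7                      # files start on 8-byte boundaries
    return files

def diff_fv(baseline, dumped):
    """Report files added, removed or changed relative to the known-good baseline."""
    good, now = walk_fv(baseline), walk_fv(dumped)
    findings = []
    for guid, (ftype, size, digest) in now.items():
        if guid not in good:
            findings.append((guid, ftype, "added"))
        elif good[guid][1:] != (size, digest):
            findings.append((guid, ftype, f"modified, {size - good[guid][1]:+d} bytes"))
    findings += [(g, good[g][0], "removed") for g in good if g not in now]
    return findings

def build_fv(files, fv_len=0x400):
    """Constructed test input: flat volume of (guid, type, body) files, 0xFF-padded."""
    out = bytearray(FV_HDR.pack(bytes(16), bytes(16), fv_len, b"_FVH", 0, 72, 0, 0, 0, 2))
    out += struct.pack("<IIII", 1, fv_len, 0, 0)         # block map: one entry + terminator
    for guid, ftype, body in files:
        size = FFS_HDR.size + len(body)
        out += FFS_HDR.pack(uuid.UUID(guid).bytes_le, 0, ftype, 0, size.to_bytes(3, "little"), 0xF8)
        out += body + b"\xff" * (-size % 8)
    return bytes(out.ljust(fv_len, b"\xff"))

CORE = "11111111-1111-1111-1111-111111111111"   # constructed GUIDs, not real module IDs
OTHER = "22222222-2222-2222-2222-222222222222"
PE = b"MZ" + bytes(94)                           # stand-in for the DXE core image
BASELINE = build_fv([(CORE, DXE_CORE, PE), (OTHER, DRIVER, b"driver")])
DUMPED = build_fv([(CORE, DXE_CORE, PE + b"\xcc" * 32), (OTHER, DRIVER, b"driver")])
print(diff_fv(BASELINE, DUMPED))
```

A finding on a file of type 0x05 (the DXE core) that has grown relative to the vendor image is the case the researchers describe. The dump itself has to come from a reader the suspect firmware cannot influence.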
(Score: 0) by Anonymous Coward on Monday January 24 2022, @05:39PM
The original SPI flash chips up to around 512K *HAD* a write-lock pin on them. Either due to a defective stepping of Intel southbridge (strapping the pin on) or a defective SPI (Winbond or Macronix, I believe), they started using the pin as a softstrap instead, requiring a command to be sent to the chip in order to write-lock it. As you can imagine, there were ways to trip a power cycle, at which point the write lock was disabled until the read-lock command was sent again...
Sounded pretty janky at the time and it has only gotten worse as the years have passed. It is really time for 'the rest of us' to desolder those shitty SPI chips and put a daughtercard there, with a microcontroller that can spoof read/writes to the system and thus be able to be set read only while also checking if a malware image upload attempted to take place. Cheap ones can be done for 10 dollars or less in quantity with all kinds of cool options like supporting segmented BIOS memory with compatible (say, coreboot) images and some command stream magic to switch banks for larger memory payloads. Hell, if you wanted to be ambitious you could put a microSD card on the SPI daughterboard and have arbitrary 'BIOS' images up to whatever size you wanted. Slow but secured by your own microcontroller and capable of bootstrapping any data you want into RAM. I'm sure someone has already done similar inside of an SPI chip for clandestine purposes.