The Most Refined UEFI Firmware Implant: MoonBounce Detection
Table of contents:
A newly minted UEFI firmware malicious implant dubbed “MoonBounce” is ravaging in the wild. The threat is believed to be the handiwork of a Chinese-speaking APT41 hacking gang, aka Double Dragon or Winnti. This UEFI rootkit is set out to cause a stir, having already obtained the title of the most stealthy of all the previous attacks of this kind. The fact that it is run by the notorious APT41 that allegedly has government ties does not soft-pedal the situation for security professionals either.
Reported Attacks Like MoonBounce
MoonBounce is the third widely known malware delivery through UEFI bootkit found in the wild. Its predecessors, notorious samples tagged LoJax and MosaicRegressor, have proven their dangerous potential as highly efficient tools for cyberattacks’ swift and hardly traceable implementation. First of all, an intro on UEFI in a nutshell. The abbreviation stands for Unified Extensible Firmware Interface, which is a modern-day technology embedded within chips placed on a motherboard. Designed to replace the legacy BIOS (whilst still compatible with it), UEFI addresses a number of its limitations and is commonly used to facilitate the machine’s boot sequence and load the operating system. UEFI has got on adversaries’ radars as a very lucrative target that allows for highly persistent attacks.
Novice MoonBounce marks a significant milestone in an UEFI rootkit evolution, coming with a thoroughly thought-through kill chain and compelling execution flow. On the bright side, this type of infection is rather targeted, and with the proper security tools and strategy, it can be protected against.
MoonBounce Execution
Discovered by threat hunters at Kaspersky Lab in 2021, this advanced hard-to-detect malware is known to function in the SPI flash memory of the targeted device. Successful planting enables threat actors to lay their hands on the infected machine’s boot flow sequence, adding harmful modifications to legitimate UEFI firmware. A MoonBounce-infected machine has an implant that persists in a drive format and operates in memory only, thus becoming untraceable on the HDD. The infection chain leads to the malware injection into a svchost.exe process upon the computer’s boot into the OS. As a result, the malicious code is deployed, enabling hackers to drop and execute additional payloads.
Being able to execute malicious code at such an early phase of the initialization process spells great news for the dark side, aka hackers. Given the absence of any efficient prevention solution that runs at that level, such as an antivirus or intrusion detection software, they get a head start once in the system.
MoonBounce Attack Detection and Mitigation
As this novel stealthy threat moonwalks its path to compromising UEFI firmware, we encourage organizations to arm and look for anomalies proving they have been compromised to protect themselves from unauthorized writes to system SPI flash memory. To identify possible attacks and remediate a UEFI firmware-based compromise, opt for downloading a batch of free Sigma rules. The content was released by our keen Threat Bounty developers Emir Erdogan, Kaan Yeniyol, Kyaw Pyiyt Htet, and the SOC Prime Team.
APT41 StealthMutant Loader Detection (via Cmdline)
Detect StealthMutant Loader (MoonBounce Attack)
Detect MoonBounce Malware in UEFI Firmware (via Scheduled Task Event)
MoonBounce Firmware Bootkit Network Indicators (via dns)
MoonBounce Firmware Bootkit Network Indicators (via proxy)
These detections have translations for the following SIEM, EDR & XDR platforms: Microsoft Sentinel, Elastic Stack, Splunk, Humio, Sumo Logic, ArcSight, QRadar, FireEye, LogPoint, Graylog, Regex Grep, Microsoft PowerShell, RSA NetWitness, Chronicle Security, LimaCharlie, SentinelOne, Microsoft Defender ATP, CrowdStrike, Apache Kafka ksqlDB, Carbon Black, Securonix, and Open Distro.
The full list of MoonBounce detections in the Threat Detection Marketplace repository of the SOC Prime platform is available here.
Sign up for free at SOC Prime’s Detection as Code platform to detect the latest threats within your security environment, improve log source and MITRE ATT&CK coverage, and overall, boost the organization’s cyber defense capabilities. Got high-flying ambitions in cybersecurity? Join our Threat Bounty program, develop your own Sigma rules, and get recurrent rewards for your valuable contribution!
