Security researchers have discovered a UEFI firmware implant named MoonBounce and linked it to APT41, a Chinese-speaking group that has been infecting computers with a range of malware. Researchers at Kaspersky called it “the most advanced” UEFI firmware implant found so far.
APT41 (Advanced Persistent Threat 41) is a notorious hacking group that has been active for over a decade and is known for cyberespionage operations against organizations across many industries.
Kaspersky researchers who discovered MoonBounce published a detailed technical report on it.
UEFI (Unified Extensible Firmware Interface) is a technical specification that defines the interface between a computer's platform firmware and the operating system it boots.
Placing a modified bootkit in the UEFI firmware itself is an effective way to hide malicious code from the operating system’s security tools, because the code runs before the OS is loaded.
“The source of the infection starts with a set of hooks that intercept the execution of several functions in the EFI Boot Services Table, namely AllocatePool, CreateEventEx, and ExitBootServices,” explains Kaspersky in the report. “Those hooks are used to divert the flow of these functions to malicious shellcode that is appended by the attackers to the CORE_DXE image, which in turn sets up additional hooks in subsequent components of the boot chain, namely the Windows loader.”
The multistage chain lets MoonBounce propagate malicious code through the remaining boot components and introduce a malicious driver into the memory address space of the Windows kernel.
The driver runs during the OS kernel’s startup and injects the malware into a svchost.exe process. Once fully loaded, the malware contacts a hard-coded command-and-control (C2) URL and fetches additional payloads.
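One defensive check that follows from the hooking technique described above is to verify that every function pointer in the EFI Boot Services Table still points into the code section of the module that legitimately implements it. The script below is an added example and is not Kaspersky's code or MoonBounce's; the table layout follows the UEFI specification for x64 (a 24-byte EFI_TABLE_HEADER followed by 8-byte function pointers, in the order given in `EFI_BOOT_SERVICES`), while the table contents, the CORE_DXE code-section range and the hook target address are constructed for the demonstration. The important caveat is that shellcode appended to the CORE_DXE image still lives inside that image, so the allow-list must be the original code section recorded from a known-good boot of the same firmware build, not the whole image range.

```python
"""Boot Services table pointer check (added example, not from the report).

Given a raw dump of EFI_BOOT_SERVICES (taken by a DXE driver or from a
pre-ExitBootServices memory capture), flag entries whose pointer has been
diverted outside the code section recorded for that service on a clean boot.
Layout per UEFI spec (x64); all addresses below are constructed.
"""
import struct

HEADER_SIZE = 24  # EFI_TABLE_HEADER: Signature(8) Revision(4) HeaderSize(4) CRC32(4) Reserved(4)
PTR_SIZE = 8
BOOT_SERVICES_SIGNATURE = 0x56524553544F4F42  # "BOOTSERV"

# Entry order of EFI_BOOT_SERVICES as defined by the UEFI specification.
BOOT_SERVICES = [
    "RaiseTPL", "RestoreTPL", "AllocatePages", "FreePages", "GetMemoryMap",
    "AllocatePool", "FreePool", "CreateEvent", "SetTimer", "WaitForEvent",
    "SignalEvent", "CloseEvent", "CheckEvent", "InstallProtocolInterface",
    "ReinstallProtocolInterface", "UninstallProtocolInterface", "HandleProtocol",
    "Reserved", "RegisterProtocolNotify", "LocateHandle", "LocateDevicePath",
    "InstallConfigurationTable", "LoadImage", "StartImage", "Exit", "UnloadImage",
    "ExitBootServices", "GetNextMonotonicCount", "Stall", "SetWatchdogTimer",
    "ConnectController", "DisconnectController", "OpenProtocol", "CloseProtocol",
    "OpenProtocolInformation", "ProtocolsPerHandle", "LocateHandleBuffer",
    "LocateProtocol", "InstallMultipleProtocolInterfaces",
    "UninstallMultipleProtocolInterfaces", "CalculateCrc32", "CopyMem", "SetMem",
    "CreateEventEx",
]

# Constructed golden-boot range of the CORE_DXE .text section (end exclusive).
CORE_DXE_TEXT = (0x7E000000, 0x7E060000)
GOLDEN_RANGES = {name: CORE_DXE_TEXT for name in BOOT_SERVICES if name != "Reserved"}

# Constructed address past the original .text, where appended code would sit.
HOOK_TARGET = 0x7E0A1000


def parse_boot_services(table: bytes) -> dict:
    """Return {service name: function pointer} from a raw x64 table dump."""
    expected = HEADER_SIZE + PTR_SIZE * len(BOOT_SERVICES)
    if len(table) < expected:
        raise ValueError(f"table too short: {len(table)} < {expected}")
    sig = struct.unpack_from("<Q", table, 0)[0]
    if sig != BOOT_SERVICES_SIGNATURE:
        raise ValueError(f"bad signature 0x{sig:016x}")
    ptrs = struct.unpack_from("<%dQ" % len(BOOT_SERVICES), table, HEADER_SIZE)
    return dict(zip(BOOT_SERVICES, ptrs))


def find_diverted_pointers(table: bytes, code_ranges: dict) -> list:
    """List (service, pointer) pairs whose pointer lies outside the
    recorded code section for that service.  code_ranges maps a service
    name to (start, end) captured from a known-good boot."""
    findings = []
    for name, ptr in parse_boot_services(table).items():
        if name not in code_ranges:      # skips Reserved and anything unrecorded
            continue
        lo, hi = code_ranges[name]
        if not (lo <= ptr < hi):
            findings.append((name, ptr))
    return findings


def build_sample_table(overrides: dict) -> bytes:
    """Constructed table: every pointer inside CORE_DXE .text, with the
    given entries replaced to simulate diverted hooks."""
    ptrs = [CORE_DXE_TEXT[0] + 0x100 * i for i in range(len(BOOT_SERVICES))]
    for name, ptr in overrides.items():
        ptrs[BOOT_SERVICES.index(name)] = ptr
    size = HEADER_SIZE + PTR_SIZE * len(ptrs)
    hdr = struct.pack("<QIIII", BOOT_SERVICES_SIGNATURE, 0x00020046, size, 0, 0)
    return hdr + struct.pack("<%dQ" % len(ptrs), *ptrs)


def demo():
    """Run the check on a clean table and on one with the three hooked
    services named in the report; returns both finding lists."""
    clean = build_sample_table({})
    hooked = build_sample_table({
        "AllocatePool": HOOK_TARGET,
        "CreateEventEx": HOOK_TARGET + 0x40,
        "ExitBootServices": HOOK_TARGET + 0x80,
    })
    return (find_diverted_pointers(clean, GOLDEN_RANGES),
            find_diverted_pointers(hooked, GOLDEN_RANGES))


if __name__ == "__main__":
    clean_findings, hooked_findings = demo()
    print("clean table:", clean_findings or "no diverted pointers")
    for name, ptr in hooked_findings:
        print(f"DIVERTED {name}: 0x{ptr:016x} outside {CORE_DXE_TEXT[0]:#x}-{CORE_DXE_TEXT[1]:#x}")
```

In practice the golden ranges are recorded once per firmware version from a trusted boot, and the check is most useful alongside comparing a dump of the SPI flash against the vendor image, since a pointer check only sees hooks that were active when the table was captured.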
The security firm could not retrieve the payload for analysis. The only victim it referred to was an organization involved in transportation technology.
According to researchers, the main goal of the attackers was to establish a foothold within the organization and conduct espionage operations by stealing valuable data.
After analyzing the details of the MoonBounce attack and finding plenty of evidence, the security firm linked it to APT41, which is known to have been carrying out espionage operations.
In September 2020, the US Department of Justice announced that it had charged five individuals associated with the APT group. However, MoonBounce operations prove that despite the legal pressure applied against them, the attackers still have the ability to infiltrate even the most secure corporate networks.