Security researchers have unveiled MoonBounce, a custom UEFI firmware implant used in targeted attacks.
The implant is believed to be the work of APT41, a Chinese-speaking sophisticated hacking group also known as Winnti or Double Dragon.
On January 20, Kaspersky researchers said that at the end of last year, the team uncovered a case of Unified Extensible Firmware Interface (UEFI) compromise caused by the modification of one component in the firmware – a core element called SPI flash, located on the motherboard.
“Due to its emplacement on SPI flash which is located on the motherboard instead of the hard disk, the implant is capable of persisting in the system across disk formatting or replacement,” the team noted.
Not only did the modification to the firmware result in persistence at a level that is extremely difficult to remove, but the team also says that the firmware image was “modified by attackers in a way that allowed them to intercept the original execution flow of the machine’s boot sequence and introduce a sophisticated infection chain.”
The developer of the MoonBounce UEFI rootkit is said to have a deep and thorough understanding of how UEFI systems work.
“The source of the infection starts with a set