At the end of 2021, we were made aware of a UEFI firmware-level compromise through logs from our Firmware Scanner, which has been integrated into Kaspersky products since the beginning of 2019. Further analysis has shown that a single component within the inspected firmware's image was modified by attackers in a way that allowed them to intercept the original execution flow of the machine's boot sequence and introduce a sophisticated infection chain.

By examining the components of the rogue firmware and other malicious artefacts from the target's network, we were able to reach the following conclusions:

- The inspected UEFI firmware was tampered with to embed a malicious code that we dub MoonBounce.
- Due to its emplacement on SPI flash, which is located on the motherboard instead of the hard disk, the implant is capable of persisting in the system across disk formatting or replacement.
- The purpose of the implant is to facilitate the deployment of user-mode malware that stages execution of further payloads downloaded from the internet.
- The infection chain itself does not leave any traces on the hard drive, as its components operate in memory only, thus facilitating a fileless attack with a small footprint.
- We detected other non-UEFI implants in the targeted network that communicated with the same infrastructure which hosted the stager's payload.

By assessing the combination of the above findings with network infrastructure fingerprints and other TTPs exhibited by the attackers, to the best of our knowledge the intrusion set in question can be attributed to APT41, a threat actor that has been widely reported to be Chinese-speaking.

In this report we describe in detail how the MoonBounce implant works, how it is connected to APT41, and what other traces of activity related to Chinese-speaking actors we were able to observe in the compromised network that could indicate a connection to this threat actor and the underlying campaign.

Revisiting the current state of the art in persistent attacks

In the last year, there have been several public accounts on the ongoing trend of UEFI threats. Notable examples include the UEFI bootkit used as part of the FinSpy surveillance toolset that we reported on, the work of our colleagues from ESET on the ESPecter bootkit, and a little-known threat activity that was discovered within government organisations in the Middle East, using a UEFI bootkit of its own (briefly mentioned in our APT trends report Q3 2021 and covered in more detail in a private APT report delivered to customers of our Threat Intelligence Portal). The common denominator of those three cases is the fact that the UEFI components targeted for infection reside on the ESP (EFI System Partition), a storage space designated for some UEFI components, typically based in the computer's hard drive or SSD. The most notable elements of the ESP are the Boot Manager and OS loader, both invoked during the machine's boot sequence and which also happen to be the subject of tampering in the case of the aforementioned bootkits. While all of the above were seen in use by advanced actors, a different class of bootkits raises even higher concern. This one is made up of implants found in the UEFI firmware within the SPI flash, a non-volatile storage external to the hard drive.
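The distinction drawn above matters for detection: an ESP-resident bootkit can be found by checking files on disk, but an implant in the SPI flash survives any disk wipe and can only be found by reading the flash chip and comparing its contents with a known-good image. The following Python script is an added example, not code from the Kaspersky report or from its Firmware Scanner. It walks the Firmware File System (FFS) file stream of a UEFI firmware volume dump, verifies each file's header checksum, hashes each file's body and diffs the result against a "golden" dump of the same vendor image, so that a driver patched in place (same GUID, same size, different bytes) is reported as modified. The GUIDs, file bodies and both volume images are constructed inline for the example; a real check would feed in a flash dump and a vendor baseline, and would first locate the volume via the EFI_FIRMWARE_VOLUME_HEADER, which this example omits.

```python
"""Added example: baseline-and-diff of FFS files inside a UEFI firmware volume dump.
Not code from the MoonBounce report; GUIDs and file bodies below are constructed."""
import hashlib
import uuid

FFS_HEADER_LEN = 24            # sizeof(EFI_FFS_FILE_HEADER)
FFS_FIXED_CHECKSUM = 0xAA      # IntegrityCheck.File when FFS_ATTRIB_CHECKSUM is clear
EFI_FILE_DATA_VALID = 0xF8     # State byte of a valid file (erase polarity 1)
EFI_FV_FILETYPE_DXE_CORE = 0x05
EFI_FV_FILETYPE_DRIVER = 0x07

# Constructed GUIDs for the example (not real firmware file GUIDs)
CORE_GUID = uuid.UUID("11111111-2222-4333-8444-555555555555")
DRIVER_GUID = uuid.UUID("aaaaaaaa-bbbb-4ccc-8ddd-eeeeeeeeeeee")


def _sum8(data: bytes) -> int:
    return sum(data) & 0xFF


def build_ffs_file(name: uuid.UUID, ftype: int, body: bytes) -> bytes:
    """Serialise one FFS file: 24-byte header with a valid header checksum + body."""
    size = FFS_HEADER_LEN + len(body)
    # Header checksum rule: with IntegrityCheck.File and State treated as zero,
    # the 8-bit sum of all 24 header bytes must be zero.
    partial = name.bytes_le + bytes([0, 0, ftype, 0]) + size.to_bytes(3, "little") + b"\x00"
    hdr_cs = (-_sum8(partial)) & 0xFF
    header = (name.bytes_le + bytes([hdr_cs, FFS_FIXED_CHECKSUM, ftype, 0])
              + size.to_bytes(3, "little") + bytes([EFI_FILE_DATA_VALID]))
    return header + body


def build_volume(files) -> bytes:
    """Concatenate FFS files on 8-byte boundaries, padding with erased (0xFF) bytes."""
    out = bytearray()
    for f in files:
        out += f
        while len(out) % 8:
            out.append(0xFF)
    return bytes(out)


def parse_volume(image: bytes) -> dict:
    """Walk the FFS file stream; return {guid: (type, sha256 of body)}.
    Stops at erased space; rejects files whose header checksum does not verify."""
    files, off = {}, 0
    while off + FFS_HEADER_LEN <= len(image):
        hdr = image[off:off + FFS_HEADER_LEN]
        if hdr == b"\xff" * FFS_HEADER_LEN:      # free space at end of volume
            break
        check = hdr[:16] + bytes([hdr[16], 0]) + hdr[18:23] + b"\x00"
        if _sum8(check) != 0:
            raise ValueError(f"bad FFS header checksum at offset {off:#x}")
        size = int.from_bytes(hdr[20:23], "little")
        if size < FFS_HEADER_LEN or off + size > len(image):
            raise ValueError(f"bad FFS file size at offset {off:#x}")
        body = image[off + FFS_HEADER_LEN:off + size]
        files[str(uuid.UUID(bytes_le=hdr[:16]))] = (hdr[18], hashlib.sha256(body).hexdigest())
        off = (off + size + 7) & ~7                # next 8-byte aligned header
    return files


def diff_volumes(golden: bytes, suspect: bytes) -> dict:
    """Compare a known-good dump with a suspect dump, file by file."""
    g, s = parse_volume(golden), parse_volume(suspect)
    return {
        "modified": sorted(k for k in g if k in s and g[k][1] != s[k][1]),
        "added": sorted(k for k in s if k not in g),
        "removed": sorted(k for k in g if k not in s),
    }


def golden_volume() -> bytes:
    """Constructed stand-in for the vendor's clean firmware volume."""
    return build_volume([
        build_ffs_file(CORE_GUID, EFI_FV_FILETYPE_DXE_CORE, b"core-dxe-code" * 4),
        build_ffs_file(DRIVER_GUID, EFI_FV_FILETYPE_DRIVER, b"benign-driver-code" * 3),
    ])


def suspect_volume() -> bytes:
    """Constructed stand-in for a dump in which one driver was patched in place
    (same GUID, same size, different bytes), the shape an SPI-flash implant takes."""
    patched = b"benign-driver-code" * 2 + b"HOOKED-driver-code"
    return build_volume([
        build_ffs_file(CORE_GUID, EFI_FV_FILETYPE_DXE_CORE, b"core-dxe-code" * 4),
        build_ffs_file(DRIVER_GUID, EFI_FV_FILETYPE_DRIVER, patched),
    ])


def demo() -> dict:
    """Diff the two constructed volumes; only DRIVER_GUID shows up as modified."""
    return diff_volumes(golden_volume(), suspect_volume())


if __name__ == "__main__":
    for kind, guids in demo().items():
        print(f"{kind}: {guids}")
```

Hashing per file rather than the whole image is what makes the result actionable: a vendor update legitimately changes many files, whereas an implant of the kind described above touches one component, so the diff points straight at the file to pull out and analyse. The header checksum check matters too, since a walker that silently skips a malformed header can be steered past the very file that was tampered with.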