Moonbounce is a persistent malware that can survive drive formats and OS reinstalls

Jan 25, 2022

A new malware has been making the headlines over the past few days. The rootkit, that has been identified as Moonbounce, is a persistent malware that can survive drive formats and OS reinstalls.

Moonbounce is a persistent malware that can survive drive formats and OS reinstalls

This is not a regular trojan or virus that impacts Windows, it is a sophisticated bootkit that targets your motherboard's firmware, United Extensible Firmware Interface, commonly abbreviated as UEFI. This allows the malware to survive changes made to the hard drive or operating system. Your motherboard has its own storage chip called a flash memory. This SPI flash contains the software required to start and communicate with the rest of the hardware.

Image courtesy Pexels

A report by Kaspersky says that the Moonbounce malware was created by a hacker group called APT41. CSOOnline reports that the group is suspected to have ties with the Chinese government. The notorious cyberespionage group has also been involved in cybercrime campaigns around the world for a decade. The Russian antivirus maker notes that the firmware bootkit was first spotted in Spring 2021, and that it is more advanced than the 2 previous malware of its kind, LoJax and MosaicRegressor. That said the new malware has only been found once so far.

Note: Many people, and even OEMs refer to the UEFI as BIOS, while they're technically and functionally different, the latter is the more popular term since it has been around for longer. Call it what you will, but both terms relate to the interface used to access and modify the motherboard's firmware settings.

How does Moonbounce gain access to the UEFI?

Moonbounce targets the CORE_DXE in the firmware, and runs when the UEFI boot sequence is started. The malware then intercepts certain functions to implant itself in the operating system, and phones home to a command and control server. This then results in a malicious payload being delivered remotely, to neutralize the system's security.

The attack takes place when a firmware component is modified by the malware. The hackers can use it to spy on users, archive files, gather network information, etc. Interestingly, Kaspersky's report mentions that it was unable to trace the infection on the hard drive, meaning it ran in the memory without relying on files.

UEFI rootkits can be tricky to remove since antivirus programs are ineffective outside the operating system, but it is not impossible to remove such infections from the motherboard.

How to prevent UEFI rootkits?

There are a few simple ways to prevent UEFI malware such as Moonbounce, the first step is to enable Secure Boot. Could this be the reason why Microsoft made TPM 2.0 a requirement for Windows 11? Here's a relevant video where a Microsoft Security Expert outlines the importance of UEFI, Secure Boot, TPM, etc., and how they are effective in combating malware. Adding a password to access the UEFI will block unauthorized firmware updates, thus giving you an extra layer of protection. If you hadn't enabled secure boot or a password, i.e., if everything goes south, you can always reflash the UEFI to get rid of the pesky malware. Tip courtesy: reddit

Go to your motherboard (or laptop) manufacturer's website and search for the specific model that you have, check if it has an updated version that you can flash. Double-check the information to see if the motherboard model matches the one given on the website, because flashing the wrong firmware can brick your system. You should also avoid using driver updater programs, and instead rely on Windows Updates and your vendor's site to keep the drivers up-to-date.

What is the Moonbounce malware?
Article Name
What is the Moonbounce malware?
What is the Moonbounce malware? And how can you protect yourself against it?
Ghacks Technology News

Previous Post: «
Next Post: «


  1. Tom said on January 27, 2022 at 8:09 am

    Is it possible to activate secure boot after the OS (windows 10), has been installed?

  2. Yuliya said on January 26, 2022 at 12:31 pm

    UEFI was a mmistake. The OS running on the machine has far too much access to the UEFI.

  3. LifeHack said on January 26, 2022 at 8:22 am

    So we are now at a point where good security practices should include removing your motherboard battery and rewriting your BIOS/UEFI on a regular basis. Might as well boil your computer while you’re at it.. Just keep a hundred different backups of your files, store them in 85 different countries and throw away your computers after every use. That’ll fix it.

  4. PrivacyGeek said on January 26, 2022 at 7:23 am

    If China is really behind this. you are more likely to get this if you use Opera Browser.

    1. Anonymous said on February 6, 2022 at 10:14 am

      Wow, now we know who;s the brightest bulb in the room.

  5. Tachy said on January 26, 2022 at 6:18 am

    Just an FYI.

    I have an older MSI Z87 Mboard with a Gen 4 I7 intel and secure boot was not on. Before I could enable it I had to enable fastboot in the advanced > window 8 features, then reboot and go back into the bios so the correct video options where available.

    Once back in I had to select “Secure Boot Custom Mode” to get the keys option to show up. Then I could install the default keys. Then I backed out and was able to set secure boot in default mode. I set a password to enter the bios once the rest was working.

    OFC, none of this will work unless your system drive uses GPT instead of MBR. If it doesn’t and you need to convert it, ignore all the ads for 3rd party crapware and find a guide to do it with mbr2gpt.exe.

    I can’t add anything about TPM as my MBoard doesn’t have it. Thisautomatically blocks install of windows 11 so It’s not an issue for me ;)

  6. Anonymous said on January 26, 2022 at 1:17 am

    there were times when a simple write protection switch for bioschips was all you need, but obviously ‘too expensive’ or not in the interest of the manufacturer..

    1. Sol Shine said on January 26, 2022 at 10:17 am

      Indeed a writeprotection switch is a simple solution. Too bad most usb sticks do not have them.
      Like others have said, new tech is making your computer less secure.

      Microsoft did their share by letting OEMs like Lenovo add advertising malware to the Windows Platform Binary Table” (WPBT) section of the UEFI firmware.

  7. Hitman said on January 26, 2022 at 12:55 am

    What a good pretext to advertise the garbage, invasive and tyrannyzing TPM… Right on time for Micro$oft and their “friends”…

    1. Piper Stuart said on January 27, 2022 at 1:01 am

      Lol Linux bros and their conspiracies about Secure Boot and Microsoft not supporting open source and Linux. Maybe complain that Linux hasn’t supported something that’s 13 years old.

  8. Joe B said on January 25, 2022 at 10:21 pm

    There is another malware that is similar to this, called FinSpy aka Windbird aka Finfisher. It will infect UEFI and MBR with either Windows, Linux or MacOS. -Per ‘SecureList by Kaspersky’ website.

  9. Andy Prough said on January 25, 2022 at 6:04 pm

    I’m assuming from what I’ve read about this so far that it would only effect Windows systems with UEFI, not Linux systems with UEFI. I’d be interested to know if I’m wrong on that point.

    1. Anonymous said on January 25, 2022 at 10:05 pm

      If you write malware for a living, you want reward for effort. You attack the large targets, which have more ‘low hanging fruit’. One of the security advantages of Linux is its relative unpopularity compared to Windows. If OS uptake figures were reversed, Linux would be the target.

      That doesn’t mean using this in Linux is out. Starting before the OS and disabling malware means anything goes.

  10. Glozzy Osbourne said on January 25, 2022 at 6:02 pm

    Just use an old computer with BIOS =)

  11. TREE said on January 25, 2022 at 4:52 pm

    So glad I have Windows 7. No UEFI. Less telemetry spying on me by Microsoft as well!

    1. Ben said on January 26, 2022 at 4:27 am

      Windows 7 has no bearing on whether or not your system has UEFI or not.

    2. Anonymous said on January 26, 2022 at 1:42 am

      Proud user of Windows 7 on my 11-year-old Dell computer. Still running like new with couple upgrades over the years.

    3. FanboyKilla said on January 25, 2022 at 10:13 pm

      ~20 years ago, newer was almost always better. These days, newer is almost always worse.

    4. Anonymous said on January 25, 2022 at 9:58 pm

      … and no updates to protect the operating system. I’d rather risk the almost non existent

      Your machine may not get MoonBounce but there are a lot of other things it is susceptible to.

      1. TREE said on January 27, 2022 at 9:59 pm

        We are none of us safe when connected to the web. All kind of bad guys want what they think we have. I get a lot of URGENT! emails and texts are filling up with them, too. Microsoft cannot protect me from all of them. Even the Defense Department gets hacked. Have you heard of the “Cyberpatriots” program?

      2. jESUs said on January 26, 2022 at 8:18 am

        You do realize there are hundreds of millions of Windows 7 users that have figured out how to be part of the ESU program and still receive security updates until january 2023, right? Your smug comment is funny though.

      3. Ray Mckee said on January 27, 2022 at 12:54 am

        And you think something like this wouldn’t happen to Windows 7 regardless especially after it’s EOL

  12. Sean said on January 25, 2022 at 2:14 pm

    Is it coreboot – seaBIOS compatible? ;)

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.