Moonbounce is a persistent malware that can survive drive formats and OS reinstalls
A new piece of malware has been making headlines over the past few days. The rootkit, which has been identified as Moonbounce, is persistent malware that can survive drive formats and OS reinstalls.
This is not a regular trojan or virus that impacts Windows; it is a sophisticated bootkit that targets your motherboard's firmware, the Unified Extensible Firmware Interface, commonly abbreviated as UEFI. Living in the firmware allows the malware to survive any changes made to the hard drive or operating system. Your motherboard has its own storage chip, a flash memory attached over the SPI bus. This SPI flash holds the firmware required to start the system and communicate with the rest of the hardware.
A report by Kaspersky says that the Moonbounce malware was created by a hacker group called APT41. CSOOnline reports that the group is suspected to have ties with the Chinese government. The notorious cyberespionage group has also been involved in cybercrime campaigns around the world for a decade. The Russian antivirus maker notes that the firmware bootkit was first spotted in spring 2021, and that it is more advanced than the two previous malware families of its kind, LoJax and MosaicRegressor. That said, the new malware has only been found once so far.
Note: Many people, and even OEMs, refer to the UEFI as the BIOS. While the two are technically and functionally different, the latter is the more popular term since it has been around for longer. Call it what you will, but both terms relate to the interface used to access and modify the motherboard's firmware settings.
How does Moonbounce gain access to the UEFI?
Moonbounce targets the CORE_DXE component in the firmware and runs when the UEFI boot sequence is started. The malware then intercepts certain functions to implant itself in the operating system, and phones home to a command and control server. This results in a malicious payload being delivered remotely to neutralize the system's security.
The infection works by modifying a firmware component. The attackers can use it to spy on users, archive files, gather network information, etc. Interestingly, Kaspersky's report mentions that it was unable to trace the infection on the hard drive, meaning it ran in memory without relying on files.
UEFI rootkits can be tricky to remove, since antivirus programs are ineffective outside the operating system, but it is not impossible to remove such infections from the motherboard.
How to prevent UEFI rootkits?
There are a few simple ways to prevent UEFI malware such as Moonbounce. The first step is to enable Secure Boot. Could this be the reason why Microsoft made TPM 2.0 a requirement for Windows 11? Here's a relevant video in which a Microsoft security expert outlines the importance of UEFI, Secure Boot, TPM, etc., and how they are effective in combating malware. Adding a password to access the UEFI will block unauthorized firmware updates, giving you an extra layer of protection. If you hadn't enabled Secure Boot or a password, i.e., if everything goes south, you can always reflash the UEFI to get rid of the pesky malware. Tip courtesy: reddit
Go to your motherboard (or laptop) manufacturer's website, search for the specific model that you have, and check whether it has an updated firmware version that you can flash. Double-check that the motherboard model matches the one given on the website, because flashing the wrong firmware can brick your system. You should also avoid using driver updater programs, and instead rely on Windows Update and your vendor's site to keep the drivers up to date.
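As an added example (this is not part of the original article or of Kaspersky's report), the PowerShell script below checks the posture the steps above describe on a Windows 10/11 machine: whether the system booted in UEFI or legacy mode, whether Secure Boot is on, whether a TPM is present, what firmware version and board model are installed (to compare against the vendor's download page before reflashing), and whether the system disk is GPT, which Secure Boot requires. `Confirm-SecureBootUEFI`, `Get-Tpm`, `Get-Partition`, `Get-Disk` and the `Win32_BIOS`/`Win32_BaseBoard` CIM classes are standard Windows cmdlets and classes; the function name `Get-FirmwarePosture` and the field names in its report are this example's own. Run it from an elevated PowerShell prompt.

```powershell
# Added example, not the article's own code. Assumes Windows 10/11 and an elevated prompt.
# Get-FirmwarePosture and its report fields are invented for this example.

function Get-FirmwarePosture {
    $report = [ordered]@{}

    # 1. Boot mode: Windows sets $env:firmware_type to 'UEFI' or 'Legacy'.
    $report.FirmwareType = $env:firmware_type

    # 2. Secure Boot state. The cmdlet throws on legacy-BIOS machines and when not
    #    elevated, so record that instead of failing the whole check.
    try {
        $report.SecureBootEnabled = Confirm-SecureBootUEFI
    } catch {
        $report.SecureBootEnabled = "unknown ($($_.Exception.Message))"
    }

    # 3. TPM presence and readiness (older boards, like the Z87 mentioned in the
    #    comments, may have none at all).
    try {
        $tpm = Get-Tpm
        $report.TpmPresent = $tpm.TpmPresent
        $report.TpmReady   = $tpm.TpmReady
    } catch {
        $report.TpmPresent = "unknown ($($_.Exception.Message))"
    }

    # 4. Board and firmware identity: compare these against the vendor's site
    #    before flashing, since the wrong image can brick the system.
    $bios  = Get-CimInstance -ClassName Win32_BIOS
    $board = Get-CimInstance -ClassName Win32_BaseBoard
    $report.BoardManufacturer = $board.Manufacturer
    $report.BoardModel        = $board.Product
    $report.FirmwareVendor    = $bios.Manufacturer
    $report.FirmwareVersion   = $bios.SMBIOSBIOSVersion
    $report.FirmwareDate      = $bios.ReleaseDate

    # 5. Partition style of the system disk: UEFI boot with Secure Boot needs GPT.
    $sysDisk = Get-Partition -DriveLetter $env:SystemDrive.TrimEnd(':') | Get-Disk
    $report.SystemDiskStyle = $sysDisk.PartitionStyle

    [pscustomobject]$report
}

$posture = Get-FirmwarePosture
$posture | Format-List

# Flag the gaps the article tells you to close.
if ($posture.FirmwareType -eq 'UEFI' -and $posture.SecureBootEnabled -ne $true) {
    Write-Warning 'Secure Boot is not enabled: turn it on in firmware setup (system disk must be GPT).'
}
if ($posture.SystemDiskStyle -eq 'MBR') {
    Write-Warning 'System disk is MBR: check convertibility first with "mbr2gpt.exe /validate /allowFullOS".'
}
if ($posture.TpmPresent -ne $true) {
    Write-Warning 'No usable TPM found: measured boot and Windows 11 requirements cannot be met on this board.'
}
```

The firmware version and release date in the report are what you match against the vendor's download page; if the vendor lists a newer image for the exact board model, that is the update to flash from within firmware setup rather than through a third-party updater.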
Is it coreboot – seaBIOS compatible? ;)
So glad I have Windows 7. No UEFI. Less telemetry spying on me by Microsoft as well!
… and no updates to protect the operating system. I’d rather risk the almost non-existent
Your machine may not get MoonBounce but there are a lot of other things it is susceptible to.
You do realize there are hundreds of millions of Windows 7 users that have figured out how to be part of the ESU program and still receive security updates until January 2023, right? Your smug comment is funny though.
And you think something like this wouldn’t happen to Windows 7 regardless especially after it’s EOL
We are none of us safe when connected to the web. All kind of bad guys want what they think we have. I get a lot of URGENT! emails and texts are filling up with them, too. Microsoft cannot protect me from all of them. Even the Defense Department gets hacked. Have you heard of the “Cyberpatriots” program?
~20 years ago, newer was almost always better. These days, newer is almost always worse.
Proud user of Windows 7 on my 11-year-old Dell computer. Still running like new with couple upgrades over the years.
Windows 7 has no bearing on whether or not your system has UEFI or not.
Just use an old computer with BIOS =)
I’m assuming from what I’ve read about this so far that it would only affect Windows systems with UEFI, not Linux systems with UEFI. I’d be interested to know if I’m wrong on that point.
If you write malware for a living, you want reward for effort. You attack the large targets, which have more ‘low hanging fruit’. One of the security advantages of Linux is its relative unpopularity compared to Windows. If OS uptake figures were reversed, Linux would be the target.
That doesn’t mean using this in Linux is out. Starting before the OS and disabling malware means anything goes.
There is another malware that is similar to this, called FinSpy aka Windbird aka Finfisher. It will infect UEFI and MBR with either Windows, Linux or MacOS. -Per ‘SecureList by Kaspersky’ website.
What a good pretext to advertise the garbage, invasive and tyrannizing TPM… Right on time for Micro$oft and their “friends”…
Lol Linux bros and their conspiracies about Secure Boot and Microsoft not supporting open source and Linux. Maybe complain that Linux hasn’t supported something that’s 13 years old.
There were times when a simple write-protection switch for BIOS chips was all you needed, but obviously ‘too expensive’ or not in the interest of the manufacturer..
Indeed a write-protection switch is a simple solution. Too bad most USB sticks do not have them.
Like others have said, new tech is making your computer less secure.
Microsoft did their share by letting OEMs like Lenovo add advertising malware to the “Windows Platform Binary Table” (WPBT) section of the UEFI firmware.
Just an FYI.
I have an older MSI Z87 motherboard with a Gen 4 Intel i7 and Secure Boot was not on. Before I could enable it I had to enable Fast Boot in Advanced > Windows 8 features, then reboot and go back into the BIOS so the correct video options were available.
Once back in I had to select “Secure Boot Custom Mode” to get the keys option to show up. Then I could install the default keys. Then I backed out and was able to set secure boot in default mode. I set a password to enter the bios once the rest was working.
OFC, none of this will work unless your system drive uses GPT instead of MBR. If it doesn’t and you need to convert it, ignore all the ads for 3rd party crapware and find a guide to do it with mbr2gpt.exe.
I can’t add anything about TPM as my motherboard doesn’t have it. This automatically blocks install of Windows 11 so it’s not an issue for me ;)
If China is really behind this, you are more likely to get this if you use Opera Browser.
Wow, now we know who’s the brightest bulb in the room.
So we are now at a point where good security practices should include removing your motherboard battery and rewriting your BIOS/UEFI on a regular basis. Might as well boil your computer while you’re at it.. Just keep a hundred different backups of your files, store them in 85 different countries and throw away your computers after every use. That’ll fix it.
UEFI was a mistake. The OS running on the machine has far too much access to the UEFI.
Is it possible to activate secure boot after the OS (windows 10), has been installed?