Kaspersky security experts have issued a statement stating that they have discovered a very dangerous bootkit virus that infects UEFI computer firmware.
What makes the new virus, called MoonBounce, very dangerous is the fact that this malicious software does not behave like other, similar viruses. Namely, the bootkit is a special type of malicious program designed to be inserted into the earliest possible step of booting the system in order to control all stages of OS startup.
MoonBounce is not hiding in a section of the system drive called ESP (EFI System Partition), where the UEFI code is located but infects the integrated SPI flash memory on the motherboard itself. This means that, unlike the classic bootkit virus, if you are infected, it will not help you to reinstall the system, nor to physically replace the hard drive or SSD, because the virus remains in the SPI memory of the board.
The only way to remove this plague is to flash this memory again (a very complex process) or replace the entire motherboard, which in the case of a laptop means buying a new one.
The evolution of bootkit malware
Kaspersky states that MoonBounce is the third UEFI bootkit they have seen so far, which has the ability to infect and reside in the motherboard’s SPI memory. Moreover, it is stated that the researchers found several more UEFI bootkit viruses in the last few months, which means that the attackers are completely used to replacing the BIOS with a UEFI section and making the most of all its potential weaknesses.
MoonBounce is linked to the Chinese APT41 group of hackers
MoonBounce is used to gain access to an infected computer and run secondary malicious software that has the ability to manipulate most computer parameters – from data to control individual components of both hardware and operating system.
Kaspersky states that MoonBounce has been detected only once, on the network of the transport company, and that it is assumed that it is the work of the APT41 group due to other viruses that were part of the same attack. By the way, APT41 is a group of cyber hackers, who are believed to often do business for the Chinese government.
MoonBounce and other malware found during the attack on this network communicated with the same server infrastructure from which the instructions from the APT41 group.
A mysterious infection
What remains unknown is how the bootkit was initially installed on the network. As a security network against these viruses, which seem to be an increasing threat to networks and computers, Kaspersky experts suggest regularly updating EUFI firmware and activating the BootGuard option. In addition, activating the famous TPM module, one of the prerequisites for installing the Windows 11 operating system is recommended, if the hardware is present on the machine.