+44 (0)203 88 020 88

0
0
Subtotal: £0.00

No products in the basket.

No products in the basket.

Menu

Search

Cyber Security News & Articles

 

Cyber Security
News & Articles

Trusted Cyber Security Experts
25+ Years Industry Experience
Ethical, Professional & Pragmatic

What is Moonbounce Malware?

The MoonBounce UEFI malware hit the headlines due to the novel way it hides from anti-virus software. UEFI malware is on the rise – but what is it, and how can you protect your network from this sophisticated security threat?

 

Securing the Operating System

The UEFI standard (Unified Extensible Firmware Interface) defines the way an operating system is loaded when a computer is first switched on.  First a boot manager loads its configuration from persistent memory on a chip on the motherboard and then uses that configuration to locate the operating system loaders which in turn load the Kernel for the operating system from disc.  Modern Windows versions (since Window 8) and a growing number of Linux distributions support Secure Boot which prevents UEFI drivers or OS Boot Loaders that have not been digitally signed from being used.  The UEFI components reside on the EFI System Partition (ESP) of the computer’s hard drive or SSD.

Secure Boot is designed to prevent rootkit malware from being included in the boot sequence – because the malware would not have a valid digital signature and so would be rejected by the UEFI firmware.  Secure Boot also validates that the operating system files have not been tampered with by verifying their digital signature before loading them during the boot up sequence.  Secure Boot requires a TPM chip to be present and so may not be available on older hardware or in some virtualisation set-ups if a virtual TPM chip has not been added to the configuration.

Kaspersky has published their research into a new malware strain dubbed Moonbounce, which is being used by a Chinese-speaking threat actor in order to facilitate the installation of additional malware modules across the infected network.

 

How UEFI Malware works

In order to try to bypass the protections offered by UEFI, malware authors developed new tactics and targeted the ESP where the boot loaders are stored.  ESPecter for example modifies the Windows boot loader stored in the ESP (but only on systems where Secure Boot was not active or available).

If a system’s ESP is infected with a UEFI rootkit, the only way to remove it is to format the boot disk, including the ESP partition and reinstall the operating system.

However, Moonbounce and similar malware does not target the ESP, instead it resides within a small chip on the motherboard called the SPI.

The SPI (Serial Peripheral Interface) is a small chip that helps manage data flowing to and from the hard disk.  MoonBounce malware hides itself in the SPI motherboard chip, not on the hard drive or SSD – and injects itself into the datastream as it leaves the EFI System Partition during the initial system boot.  This makes the malware invisible to any security scanner that examines the contents of the ESP.

Moonbounce is only the third publicly documented example of malware that uses the SPI Flash chip to hide itself and the most sophisticated found so far. (The other two were LoJax from 2018 and MosaicRegressor in 2020).  It is not clear how the malware is able to infect the SPI Flash chip, but once it has the only sure way to remove it is to replace the motherboard of the infected computer.  Research by a firm of software supply chain specialists suggest that the Moonbounce malware was designed to target a motherboard design from 2014 which would lack modern protection mechanisms for firmware.

 

Defences against UEFI Malware

Despite the growing sophistication of malware targeting the UEFI boot processes, Secure Boot remains an effective way to prevent modified software from being loaded – provided it is enabled on the computer.

Some anti-virus software includes Firmware scanners which can help detect infected firmware loaded into motherboard chips like the SPI.  The Firmware scanner works by dumping the contents of the ROM using a special driver and then scanning the contents looking for signatures and other signs of infection in a similar way to how disk files are scanned.

Secure Boot may not be available on virtualised platforms, or may not be enabled by default (as with Parallels on MacOS computers for example) and so compensating controls may be needed.

Even modern computers may be configured to run in legacy BIOS compatibility mode which does not support Secure Boot. To check, run the msinfo32 app on Windows and check the BIOS Mode shown in the System Summary – if it says Legacy then UEFI is not enabled. Converting from Legacy BIOS to UEFI is not straightforward, the disk may need to be re-partitioned and Windows may need to be reinstalled – so test first on a backed-up system.

Review the physical security of new devices during manufacturing and transport to guard against the possibility that the device could be intercepted and have malware installed.  Secure Boot can be disabled if a threat actor has physical access to the system.

Ensure that new system deployments always have UEFI firmware mode enabled and Secure Boot or similar technologies turned on by default.

 

 

Subscribe to our monthly newsletter today

If you’d like to stay up-to-date with the latest cyber security news and articles from our technical team, you can sign up to our monthly newsletter. 

We hate spam as much as you do, so we promise not to bombard you with emails. We’ll send you a single, curated email each month that contains all of our cyber security news and articles for that month.

Why Choose SecureTeam?

CREST
CCS
ISO9001
ISO27001
CE-PLUS

Customer Testimonials

“We were very impressed with the service, I will say, the vulnerability found was one our previous organisation had not picked up, which does make you wonder if anything else was missed.”

Aim Ltd Chief Technology Officer (CTO)

"Within a very tight timescale, SecureTeam managed to deliver a highly professional service efficiently. The team helped the process with regular updates and escalation where necessary. Would highly recommend"

IoT Solutions Group Limited Chief Technology Officer (CTO) & Founder

“First class service as ever. We learn something new each year! Thank you to all your team.”

Royal Haskoning DHV Service Delivery Manager

“We’ve worked with SecureTeam for a few years to conduct our testing. The team make it easy to deal with them; they are attentive and explain detailed reports in a jargon-free way that allows the less technical people to understand. I wouldn’t work with anyone else for our cyber security.”

Capital Asset Management Head of Operations

“SecureTeam provided Derbyshire's Education Data Hub with an approachable and professional service to ensure our schools were able to successfully certify for Cyber Essentials. The team provided a smooth end-to-end service and were always on hand to offer advice when necessary.”

Derbyshire County Council Team Manager Education Data Hub

“A very efficient, professional, and friendly delivery of our testing and the results. You delivered exactly what we asked for in the timeframe we needed it, while maintaining quality and integrity. A great job, done well.”

AMX Solutions IT Project Officer

“We were very pleased with the work and report provided. It was easy to translate the provided details into some actionable tasks on our end so that was great. We always appreciate the ongoing support.”

Innovez Ltd Support Officer

Get in touch today

If you’d like to see how SecureTeam can take your cybersecurity posture to the next level, we’d love to hear from you, learn about your requirements and then send you a free quotation for our services.

Our customers love our fast-turnaround, “no-nonsense” quotations – not to mention that we hate high-pressure sales tactics as much as you do.

We know that every organisation is unique, so our detailed scoping process ensures that we provide you with an accurate quotation for our services, which we trust you’ll find highly competitive.

Get in touch with us today and a member of our team will be in touch to provide you with a quotation. 

Scroll to Top