The MoonBounce UEFI malware hit the headlines due to the novel way it hides from anti-virus software. UEFI malware is on the rise – but what is it, and how can you protect your network from this sophisticated security threat?
Securing the Operating System
The UEFI standard (Unified Extensible Firmware Interface) defines the way an operating system is loaded when a computer is first switched on. First, a boot manager loads its configuration from persistent memory on a chip on the motherboard, then uses that configuration to locate the operating system loaders, which in turn load the operating system kernel from disk. Modern Windows versions (since Windows 8) and a growing number of Linux distributions support Secure Boot, which prevents UEFI drivers or OS boot loaders that have not been digitally signed from being used. The UEFI components reside on the EFI System Partition (ESP) of the computer’s hard drive or SSD.
Secure Boot is designed to prevent rootkit malware from being included in the boot sequence – because the malware would not have a valid digital signature, it would be rejected by the UEFI firmware. Secure Boot also validates that the operating system files have not been tampered with by verifying their digital signatures before loading them during the boot-up sequence. Secure Boot requires a TPM chip to be present and so may not be available on older hardware or in some virtualisation set-ups if a virtual TPM chip has not been added to the configuration.
Kaspersky has published its research into a new malware strain dubbed MoonBounce, which is being used by a Chinese-speaking threat actor to facilitate the installation of additional malware modules across the infected network.
How UEFI Malware works
To bypass the protections offered by UEFI, malware authors developed new tactics and targeted the ESP where the boot loaders are stored. ESPecter, for example, modifies the Windows boot loader stored in the ESP (but only on systems where Secure Boot was not active or available).
If a system’s ESP is infected with a UEFI rootkit, the only way to remove it is to format the boot disk, including the ESP partition, and reinstall the operating system.
However, MoonBounce and similar malware do not target the ESP; instead they reside within a small chip on the motherboard called the SPI.
The SPI (Serial Peripheral Interface) is a small chip that helps manage data flowing to and from the hard disk. MoonBounce malware hides itself in the SPI motherboard chip, not on the hard drive or SSD – and injects itself into the data stream as it leaves the EFI System Partition during the initial system boot. This makes the malware invisible to any security scanner that examines the contents of the ESP.
MoonBounce is only the third publicly documented example of malware that uses the SPI flash chip to hide itself, and the most sophisticated found so far (the other two were LoJax from 2018 and MosaicRegressor in 2020). It is not clear how the malware is able to infect the SPI flash chip, but once it has, the only sure way to remove it is to replace the motherboard of the infected computer. Research by a firm of software supply chain specialists suggests that the MoonBounce malware was designed to target a motherboard design from 2014, which would lack modern protection mechanisms for firmware.
Defences against UEFI Malware
Despite the growing sophistication of malware targeting the UEFI boot processes, Secure Boot remains an effective way to prevent modified software from being loaded – provided it is enabled on the computer.
Some anti-virus software includes firmware scanners which can help detect infected firmware loaded into motherboard chips like the SPI. A firmware scanner works by dumping the contents of the ROM using a special driver and then scanning the contents for signatures and other signs of infection, in a similar way to how disk files are scanned.
Secure Boot may not be available on virtualised platforms, or may not be enabled by default (as with Parallels on macOS computers, for example), so compensating controls may be needed.
Even modern computers may be configured to run in legacy BIOS compatibility mode, which does not support Secure Boot. To check, run the msinfo32 app on Windows and look at the BIOS Mode shown in the System Summary – if it says Legacy then UEFI is not enabled. Converting from Legacy BIOS to UEFI is not straightforward: the disk may need to be re-partitioned and Windows may need to be reinstalled, so test first on a backed-up system.
Review the physical security of new devices during manufacturing and transport to guard against the possibility that the device could be intercepted and have malware installed. Secure Boot can be disabled if a threat actor has physical access to the system.
Ensure that new system deployments always have UEFI firmware mode enabled and Secure Boot or similar technologies turned on by default.
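The msinfo32 check described above and the deployment baseline in the last point can be scripted so that firmware mode and Secure Boot state are reported for every Windows host rather than inspected by hand. This is an added example, not code from the original article or from Kaspersky; it assumes Windows 8 or later, an elevated PowerShell session, and (for the fleet run) WinRM enabled on the targets, whose host names are placeholders.

```powershell
# Added example (not from the original article): report UEFI firmware mode and
# Secure Boot state on a Windows host, scripting the manual msinfo32 check.
# Run from an elevated PowerShell session.

function Get-BootSecurityState {
    # Windows 8+ sets $env:firmware_type to "UEFI" or "Legacy" (matches msinfo32 BIOS Mode).
    $firmwareType = $env:firmware_type
    if (-not $firmwareType) { $firmwareType = 'Unknown' }

    # Confirm-SecureBootUEFI returns $true/$false on UEFI systems; it throws on
    # Legacy BIOS systems and when not elevated, so treat errors as "not available".
    $secureBoot = 'NotAvailable'
    try {
        $secureBoot = if (Confirm-SecureBootUEFI) { 'Enabled' } else { 'Disabled' }
    } catch {
        $secureBoot = 'NotAvailable'
    }

    # Cross-check against the value Windows records at boot (UEFISecureBootEnabled = 1).
    $regPath  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\State'
    $regState = Get-ItemProperty -Path $regPath -ErrorAction SilentlyContinue
    $regSecureBoot = if ($regState) { [bool]$regState.UEFISecureBootEnabled } else { $null }

    # Baseline from the article: UEFI mode with Secure Boot enabled.
    $compliant = ($firmwareType -eq 'UEFI') -and ($secureBoot -eq 'Enabled')

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        FirmwareType       = $firmwareType
        SecureBoot         = $secureBoot
        RegistrySecureBoot = $regSecureBoot
        Compliant          = $compliant
        Finding            = if ($compliant) { 'OK' }
                             elseif ($firmwareType -eq 'Legacy') { 'Legacy BIOS mode: Secure Boot unavailable until the disk is converted to UEFI/GPT' }
                             else { 'UEFI mode but Secure Boot is off: enable it in firmware setup' }
    }
}

# Local check.
Get-BootSecurityState | Format-List

# Fleet check over WinRM (host names are placeholders); non-compliant hosts listed first.
# Invoke-Command -ComputerName 'host01','host02' -ScriptBlock ${function:Get-BootSecurityState} |
#     Sort-Object Compliant | Format-Table ComputerName, FirmwareType, SecureBoot, Finding -AutoSize
```

A host reporting Legacy firmware or Secure Boot Disabled is a candidate for the compensating controls and firmware scanning discussed above, since the ESP and SPI flash on that machine are not protected by signature checks at boot.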