Chinese-made malware 'Moon Bounce' targeting UEFI firmware that remains on infected PCs even after HDD replacement



Malware called 'Moon Bounce' has been found that infects the motherboard's firmware directly, rendering countermeasures such as OS reinstallation and HDD/SSD replacement ineffective. According to the Russian internet security giant Kaspersky, MoonBounce is associated with the Chinese government-affiliated hacker group APT41.

MoonBounce: the dark side of UEFI firmware | Securelist
https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/

New MoonBounce UEFI bootkit can't be removed by replacing the hard drive --The Record by Recorded Future
https://therecord.media/new-moonbounce-uefi-bootkit-cant-be-removed-by-replacing-the-hard-drive/

New Chinese Malware Found To Be Difficult To Remove From A PC
https://fossbytes.com/new-chinese-malware-found-to-be-difficult-to-remove-from-a-pc/

This dangerous malware can even survive a drive reformatting | TechRadar
https://www.techradar.com/news/this-dangerous-malware-can-even-survive-a-drive-reformatting

Typical boot-level malware infects components stored on the HDD/SSD: the OS boot loader in the EFI system partition, the kernel image, drivers and so on. The newly discovered Moon Bounce, by contrast, has the unusual feature of infecting the firmware memory (SPI flash) on the motherboard itself. According to Kaspersky, it is only the third known case of malware infecting the motherboard's firmware memory, following 'LoJax' and 'MosaicRegressor'.

Because of this, MoonBounce persists on the machine no matter how often the OS is reinstalled or the drive is replaced, and it leaves no traces on the drive; removing it requires the fairly involved procedure of reflashing the motherboard's firmware memory or replacing the motherboard itself. It is also difficult to detect from within the OS.



Kaspersky discovered Moon Bounce on the network of a transportation services company, and based on other malware found on the same network it attributed the attack to the hacker group 'APT41', which is suspected of having ties to the Chinese government.

As countermeasures, Kaspersky recommends enabling Intel Boot Guard and the TPM module in addition to regularly updating the UEFI firmware.
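Since an implant living in the motherboard's flash is invisible to disk-level scans, one practical detection step for a defender is to dump the firmware image periodically and compare it against a known-good image for the same board and firmware version. The following is an added example illustrating that comparison; it is not code from the article or from Kaspersky. The images are constructed byte strings, the 4 KiB block size and the "board:version" allowlist are this example's own assumptions, and it does not itself read flash (a vendor tool or hardware programmer would produce the dump).

```python
"""
Added example (not from the article or Kaspersky): compare a dumped UEFI flash
image against a known-good baseline and report which blocks changed.
All images below are constructed sample data, not real firmware.
"""
import hashlib
from typing import Dict, List

# Assumption: report differences at 4 KiB granularity, the usual SPI flash sector size.
BLOCK_SIZE = 4096


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def block_hashes(image: bytes, block_size: int = BLOCK_SIZE) -> List[str]:
    """Hash the image block by block so a report can point at the changed region."""
    return [sha256(image[i:i + block_size]) for i in range(0, len(image), block_size)]


def compare_images(baseline: bytes, dump: bytes, block_size: int = BLOCK_SIZE) -> Dict:
    """Return size/whole-image match flags plus the byte offsets of every changed block.

    A size mismatch is reported rather than silently truncated: an image that has
    grown or shrunk is itself a finding worth investigating.
    """
    base_hashes = block_hashes(baseline, block_size)
    dump_hashes = block_hashes(dump, block_size)
    changed = []
    for idx in range(max(len(base_hashes), len(dump_hashes))):
        b = base_hashes[idx] if idx < len(base_hashes) else None
        d = dump_hashes[idx] if idx < len(dump_hashes) else None
        if b != d:
            changed.append(idx * block_size)
    return {
        "size_match": len(baseline) == len(dump),
        "whole_image_match": sha256(baseline) == sha256(dump),
        "changed_blocks": changed,
    }


# Constructed "golden" image: 16 blocks of 4 KiB with a deterministic byte pattern.
BASELINE = bytes(range(256)) * 256

# Constructed dump in which block 3 has been overwritten, standing in for a
# modified firmware module.  Nothing here is real firmware content.
TAMPERED = BASELINE[:3 * BLOCK_SIZE] + b"\xff" * BLOCK_SIZE + BASELINE[4 * BLOCK_SIZE:]

# Hypothetical allowlist of known-good whole-image hashes keyed by board and version.
KNOWN_GOOD = {"hypothetical-board-X:1.02": sha256(BASELINE)}


def is_known_good(image: bytes, board: str, version: str) -> bool:
    """True only if the whole-image hash matches the allowlist entry for this board/version."""
    expected = KNOWN_GOOD.get(f"{board}:{version}")
    return expected is not None and expected == sha256(image)


if __name__ == "__main__":
    report = compare_images(BASELINE, TAMPERED)
    print("whole image match:", report["whole_image_match"])
    print("changed block offsets:", [hex(o) for o in report["changed_blocks"]])
    print("allowlisted:", is_known_good(TAMPERED, "hypothetical-board-X", "1.02"))
```

The per-block report matters in practice because the changed offset can be mapped back to a firmware volume or DXE driver for further analysis, while the allowlist check gives a quick pass/fail for fleet monitoring. The comparison is only as trustworthy as the dump: a dump taken by software running on an already compromised host can be lied to, so a hardware programmer or a TPM-measured boot (which is what the Boot Guard and TPM recommendation above provides) is the stronger source of truth.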

in Security, Posted by darkhorse_log