This dangerous malware can even survive a drive reformatting

A white padlock on a dark digital background.
(Image credit: Shutterstock.com)

Cybersecurity researchers from Kaspersky have discovered a rare species of malware that can’t be removed by antivirus, or even the most extreme of measures, such as hard drive formatting or replacement. 

That is because the malware, dubbed MoonBounce, does not reside in the hard drive itself, but rather, in the SPI flaws memory that is found on the motherboard. 

This type of malware is called a bootkit, and as explained by The Record, can only be removed by re-flashing the SPI memory, which it describes as “a very complex process”. The other solution would be to replace the motherboard altogether. 

China strikes again

MoonBounce is designed as a stage one malware, in a multi-stage attack. The malicious actors use it to either keep the doors to the compromised devices open, or to deploy stage-two malware, which can then serve as data harvesters, code executors, ransomware, etc.

Kaspersky says that so far, there’s only been one discovered instance of MoonBounce - in a device belonging to a transportation services company. The researchers are also under the impression that MoonBounce is the work of APT41, a well-known, state-sponsored cybercrime group with ties to the Chinese authorities.

The researchers state that both MoonBounce, and the stage-two malware, which was also found on the device, was communicating with the same server infrastructure, from where APT41 gave its instructions.

Kaspersky still doesn’t know how MoonBounce ended up on the compromised device, to begin with.

“As a safety measure against this attack and similar ones, it is recommended to update the UEFI firmware regularly and verify that BootGuard, where applicable, is enabled. Likewise, enabling Trust Platform Modules, in case a corresponding hardware is supported on the machine, is also advisable,” the Kaspersky team said.

MoonBounce is a UEFI bootkit (Unified Extensible Firmware Interface), and the third one Kaspersky found in recent times, after LoJax and MosaicRegressor. In recent months, researchers found multiple UEFI bootkits, The Record reminds, including ESPectre, or FinSpy’s UEFI bootkit.

  • You might also want to check out our list of the best firewalls right now

Via: The Record

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.