Security News > 2022 > January > Stealthy firmware bootkit leveraged by APT in targeted attacks

Kaspersky researchers have uncovered the third known case of a firmware bootkit in the wild.

Having first appeared in the wild in the spring of 2021, MoonBounce demonstrates a sophisticated attack flow, with evident advancement in comparison to formerly reported UEFI firmware bootkits.

If this firmware contains malicious code, then this code will be launched before the operating system, making malware implanted by a firmware bootkit especially difficult to delete.

It appeared in the spring of 2021 and was first discovered by Kaspersky researchers when they were looking at the activity of their Firmware Scanner, which has been included in Kaspersky products since the beginning of 2019 to specifically detect threats hiding in the ROM BIOS, including UEFI firmware images.

The firmware bootkit has only been found in a single case.

"In fact, transforming a previously benign core component in firmware to one that can facilitate malware deployment on the system is an innovation that was not seen in previous comparable firmware bootkits in the wild and makes the threat far stealthier. We predicted back in 2018 that UEFI threats would gain in popularity, and this trend does appear to be materializing. We would not be surprised to find additional bootkits in 2022. Fortunately, vendors have begun paying more attention to firmware attacks, and more firmware security technologies, such as BootGuard and Trusted Platform Modules, are gradually being adopted."

News URL

https://www.helpnetsecurity.com/2022/01/21/firmware-bootkit/