Security News > 2022 > January > Chinese Hackers Spotted Using New UEFI Firmware Implant in Targeted Attacks

A previously undocumented firmware implant deployed to maintain stealthy persistence as part of a targeted espionage campaign has been linked to the Chinese-speaking Winnti advanced persistent threat group.
Kaspersky, which codenamed the rootkit MoonBounce, characterized the malware as the "Most advanced UEFI firmware implant discovered in the wild to date," adding "The purpose of the implant is to facilitate the deployment of user-mode malware that stages execution of further payloads downloaded from the internet."
Three different instances of UEFI malware have been unearthed so far, including MosaicRegressor, FinFisher, and ESPecter.
The Russian cybersecurity company said it identified the presence of the firmware rootkit in a single incident last year, indicative of the highly targeted nature of the attack.
That said, the exact mechanism by which the UEFI firmware was infected remains unclear.
To counter such firmware-level modifications, it's recommended to regularly update the UEFI firmware as well as enable protections such as Boot Guard, Secure boot, and Trust Platform Modules.
News URL
https://thehackernews.com/2022/01/chinese-hackers-spotted-using-new-uefi.html
Related news
- Chinese Hackers Abuse IPv6 SLAAC for AitM Attacks via Spellbinder Lateral Movement Tool (source)
- Chinese hackers behind attacks targeting SAP NetWeaver servers (source)
- Chinese Hackers Deploy MarsSnake Backdoor in Multi-Year Attack on Saudi Organization (source)
- Chinese Hackers Exploit Ivanti EPMM Bugs in Global Enterprise Network Attacks (source)
- Russian hackers attack Western military mission using malicious drive (source)
- Chinese Hackers Target Linux Systems Using SNOWLIGHT Malware and VShell Tool (source)
- Chinese hackers target Russian govt with upgraded RAT malware (source)
- Hackers Abuse Russian Bulletproof Host Proton66 for Global Attacks and Malware Delivery (source)
- Hackers abuse Zoom remote control feature for crypto-theft attacks (source)
- DPRK Hackers Steal $137M from TRON Users in Single-Day Phishing Attack (source)