A new version of the MoonBounce malware, first appeared in 2021, has been detected by the cybersecurity experts. It is the third case of a firmware bootkit in the wild. As compared to two previously discovered bootkits, LoJax and MosaicRegressor, MoonBounce demonstrates significant advancement with a more complicated attack flow and greater technical sophistication.
According to the researchers, the new version of the malware is hard to detect as it stays in the reserved memory of a computer that is used while booting the device.
What is MoonBounce?
Found by the Kaspersky researchers on the network of a company dealing in transportation services, MoonBounce, once activated, can access the host computer and it can also deploy new malware to further infect the machine. The researchers have attributed the attack with considerable confidence to the well-known advanced persistent threat (APT) actor APT41.
“While analyzing MoonBounce, Kaspersky researchers uncovered several malicious loaders and post-exploitation malware across several nodes of the same network. This includes ScrambleCross or Sidewalk, an in-memory implant that can communicate to a C2 server to exchange information and execute additional plugins, Mimikat_ssp, a publicly available post-exploitation tool used to dump credentials and security secrets, a formerly unknown Golang based backdoor, and Microcin, malware that is typically used by the SixLittleMonkeys threat actor,” reads an official release.
Related to Chinese-speaking hackers
Recently, it has been found that the MoonBounce malware belongs to an elite group of Chinese-speaking hackers called Winnti.
Infection through remote access
It is assumed that the infection occurs through remote access to the targeted machine. Though, the exact infection vector is yet to be known.