MoonBounce isn't the first UEFI malware discovered in the wild that targets SPI flash. Kaspersky says that the likes of LoJax and MosaicRegressor came before it. However, MoonBounce shows "significant advancement, with a more complicated attack flow and greater technical sophistication." It also seems to have infected a machine remotely.

MoonBounce is undeniably clever in the way it gets into a system and makes itself hard to detect and dispose of. "The source of the infection starts with a set of hooks that intercept the execution of several functions in the EFI Boot Services Table," explains Kaspersky on its SecureList blog. The hooks are then used to divert function calls to the malicious shellcode that the attackers have appended to the CORE_DXE image. This, in turn, "sets up additional hooks in subsequent components of the boot chain, namely the Windows loader," said the security researchers. This allows the malware to be injected into an svchost.exe process when the computer boots into Windows.

Of course, Kaspersky was interested to see what the malware would do next. So, on an infected machine, the researchers observed the malware process try to access a URL to fetch the next-stage payload and run it in memory. Interestingly, this part of the sophisticated attack didn't seem to go anywhere, so it wasn't possible to analyze any further steps in MoonBounce. Perhaps this malware was still in testing when it was spotted, and/or it is being held back for special purposes.

A single machine, owned by a transportation company, seems to be the only machine in Kaspersky's logs that has a MoonBounce infection in its SPI flash. In addition, the malware isn't file-based and does at least some of its operations only in memory, making it hard to see exactly what MoonBounce did on the single host PC on the company's network.
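The hooking described above implies a straightforward defender-side check: every entry in the EFI Boot Services Table should still point inside a known DXE driver, and not into bytes appended past a driver's known-good size, which is where MoonBounce parks its shellcode in CORE_DXE. The Python below is an added illustration of that check, not code from the article or from Kaspersky; the driver map, addresses and sizes are constructed, and only the service names (AllocatePool, LoadImage, ExitBootServices) are real Boot Services entries.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class LoadedImage:
    name: str
    base: int        # load address of the DXE driver in memory
    size: int        # size as actually loaded (may include appended code)
    known_size: int  # size of the known-good driver from a clean firmware image, 0 if unknown

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


def check_boot_services(table: Dict[str, int], images: List[LoadedImage]) -> List[Tuple[str, str]]:
    """Return (service, reason) for every Boot Services entry that looks hooked."""
    findings = []
    for service, target in table.items():
        owner = next((img for img in images if img.contains(target)), None)
        if owner is None:
            # Hooked to code that is not part of any loaded firmware driver at all.
            findings.append((service, "points outside every loaded DXE image"))
        elif owner.known_size and target >= owner.base + owner.known_size:
            # Inside a legitimate driver, but in bytes that the clean driver never had.
            findings.append((service, f"points into {owner.name} beyond its known-good size"))
    return findings


# Constructed sample: addresses and sizes are made up for illustration.
SAMPLE_IMAGES = [
    LoadedImage("CORE_DXE", base=0x7E00_0000, size=0x3_1000, known_size=0x3_0000),
    LoadedImage("PciBusDxe", base=0x7E10_0000, size=0x8000, known_size=0),
]
SAMPLE_TABLE = {
    "AllocatePool": 0x7E00_1230,      # legitimate: inside CORE_DXE's original body
    "LoadImage": 0x7E03_0800,         # hooked: inside CORE_DXE but in the appended region
    "ExitBootServices": 0x8000_1000,  # hooked: outside every loaded image
}

if __name__ == "__main__":
    for service, reason in check_boot_services(SAMPLE_TABLE, SAMPLE_IMAGES):
        print(f"{service}: {reason}")
```

On real hardware the driver map and table contents would come from a firmware or memory dump taken with a tool such as CHIPSEC, and the known-good sizes from the vendor's clean capsule.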