Kaspersky’s security researchers have found another piece of malware, MoonBounce, which can infect a computer’s UEFI firmware. The researchers believe the malware comes from APT41, a cyber-espionage group working for the Chinese government.
Unlike other bootkits, MoonBounce does not hide on the hard drive but in the SPI flash memory of the motherboard. Because of this, the malware remains on the PC even after the OS is reinstalled or the hard drive is replaced. The only way to remove MoonBounce is to reflash the SPI memory or replace the motherboard.
This is not the first malware that can infect and live inside the SPI memory of the motherboard. Researchers have found similar malware before, such as ESPecter, FinSpy’s UEFI bootkit, LoJax, and MosaicRegressor.
According to Kaspersky’s team, this was once considered unachievable but has gradually become the norm, and all of it has happened since the rollout of the UEFI standard.
MoonBounce Malware Linked To Chinese Espionage Group
Researchers have found that MoonBounce can be used to maintain access to an infected host. It can also deploy additional malware to compromise the system further.
Researchers found the MoonBounce bootkit on the network of a transportation services company. Based on the other malware deployed on the infected network, they believe it was the work of APT41, a cyber-espionage group working for the Chinese government.
As a safety measure, the team at Kaspersky suggests updating the UEFI firmware regularly. They also recommend enabling Boot Guard and Trusted Platform Modules. For now, these are the only measures we can take other than leaving it to our antivirus software.
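Because an implant of this kind sits in SPI flash, below the operating system, antivirus software running on the OS has no view of it; the defender's check is to dump the flash (with a hardware programmer or a vendor tool) and compare the dump against a known-good image. The script below is an added illustration of that comparison and is not code from the article or from Kaspersky's research. It compares two dumps block by block and skips regions that legitimately change between boots (the NVRAM variable store), which a naive whole-image hash would flag as tampering. The region layout, the block size and the sample images are constructed for the example and do not describe any real board.

```python
"""Compare a current SPI flash dump against a known-good baseline, block by block.

Added example, not from the article. The region layout and sample images are
constructed; a real board's layout comes from its flash descriptor.
"""
import hashlib
from typing import Dict, List, Optional, Tuple

BLOCK_SIZE = 4096  # assumed erase-block size used as the comparison unit

# Constructed layout: (name, start, end, volatile). Volatile regions are expected
# to change during normal operation and are excluded from the comparison.
REGIONS: List[Tuple[str, int, int, bool]] = [
    ("descriptor", 0x0000, 0x1000, False),
    ("nvram",      0x1000, 0x3000, True),
    ("bios",       0x3000, 0x8000, False),
]


def block_hashes(image: bytes) -> Dict[int, str]:
    """Map each block offset to the SHA-256 of that block."""
    return {off: hashlib.sha256(image[off:off + BLOCK_SIZE]).hexdigest()
            for off in range(0, len(image), BLOCK_SIZE)}


def region_for(offset: int) -> Tuple[str, bool]:
    """Return (region name, volatile flag) for a block offset; unmapped blocks are compared."""
    for name, start, end, volatile in REGIONS:
        if start <= offset < end:
            return name, volatile
    return "unmapped", False


def compare_dumps(baseline: bytes, current: bytes) -> List[Tuple[int, str]]:
    """Return (offset, region) for every non-volatile block that differs from the baseline."""
    if len(baseline) != len(current):
        raise ValueError("dump size mismatch: %d vs %d bytes" % (len(baseline), len(current)))
    base, cur = block_hashes(baseline), block_hashes(current)
    findings: List[Tuple[int, str]] = []
    for off in sorted(base):
        name, volatile = region_for(off)
        if volatile:
            continue  # NVRAM churn is expected, not evidence of tampering
        if base[off] != cur[off]:
            findings.append((off, name))
    return findings


def build_sample() -> Tuple[bytes, bytes]:
    """Constructed 32 KiB images: the current dump differs in NVRAM (benign) and in one BIOS block."""
    baseline = bytes(range(256)) * (0x8000 // 256)
    current = bytearray(baseline)
    current[0x1800:0x1810] = b"\xff" * 16   # change inside the volatile NVRAM region
    current[0x5000:0x5010] = b"\x00" * 16   # change inside the BIOS region
    return baseline, bytes(current)


if __name__ == "__main__":
    base, cur = build_sample()
    for off, region in compare_dumps(base, cur):
        print("block 0x%05x (%s) differs from baseline" % (off, region))
```

The baseline should come from a trusted source, such as a dump taken from the vendor's firmware update package, rather than from the same machine after it is already suspected of being infected. A differing block in a non-volatile region is a reason to reflash the SPI memory from a trusted image, which matches the removal step the article describes.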