Security researchers at Kaspersky have identified a new UEFI rootkit in the wild that exhibits some unique behaviours — notably, it patches an existing component of the legitimate UEFI firmware image (the CORE_DXE driver) rather than adding a new driver to it.

Attributing the sophisticated campaign to APT41, a Chinese-speaking threat actor, Kaspersky said that the original UEFI firmware was tampered with to embed malicious code it has dubbed MoonBounce. The implant was used to deploy user-mode malware, which in turn stages the execution of further payloads downloaded from the internet.

Hacking Team, a vendor of offensive security tools that was itself breached in 2015, had developed a UEFI rootkit whose installation procedure called for physical access with a USB drive. Physical access is not a prerequisite, though: security researchers at Eclypsium have demonstrated remote UEFI-based attacks in the past, so remote vectors are viable.

MoonBounce is the third UEFI firmware rootkit found in the wild, after LoJax and MosaicRegressor. Writing after Kaspersky’s 2020 identification of MosaicRegressor, hardware security specialist Eclypsium noted that “implant code itself is easy to build and the UEFI file system format is largely unmodified by individual OEMs. This creates a relatively low barrier to entry for attackers and we are therefore likely to see this type of capability show up in other campaigns.”
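The stability of the UEFI file system format that Eclypsium points to cuts both ways: it also makes a generic integrity check practical. What follows is an added example written for this page, not code from Kaspersky's or Eclypsium's reports. It is a minimal parser for a UEFI Firmware Volume (the `_FVH` header and the FFS files inside it) that validates the per-file checksums and hashes every file, plus a diff against a known-good dump of the same firmware. The sample images are constructed in the code itself (the GUIDs other than the FFS2 file-system GUID are made up and no real vendor firmware is involved), and the parser assumes a single volume with erase polarity 1 and no extended header. The two tampered copies illustrate the caveat that matters for in-place modification of the kind described above: an attacker who re-serializes the modified component leaves every checksum valid, so only the hash comparison against a trusted baseline catches it; the checksums alone only flag a sloppy raw patch.

```python
import hashlib
import struct
import uuid

FV_SIGNATURE = b"_FVH"
FV_HEADER_FMT = "<16s16sQ4sIHHHBB"              # fixed part of EFI_FIRMWARE_VOLUME_HEADER (56 bytes)
FV_HEADER_SIZE = struct.calcsize(FV_HEADER_FMT)
FV_ERASE_POLARITY = 0x00000800                   # FV attribute bit: erased flash reads as 0xFF
FFS_HEADER_FMT = "<16sBBBB3sB"                   # EFI_FFS_FILE_HEADER (24 bytes)
FFS_HEADER_SIZE = struct.calcsize(FFS_HEADER_FMT)
FFS_ATTRIB_CHECKSUM = 0x40
FFS_FIXED_CHECKSUM = 0xAA                        # File checksum byte used when FFS_ATTRIB_CHECKSUM is clear
EFI_FV_FILETYPE_DXE_CORE = 0x05
EFI_FV_FILETYPE_DRIVER = 0x07
FFS2_GUID = uuid.UUID("8c8ce578-8a3d-4f1c-9935-896185c32dd3")      # EFI_FIRMWARE_FILE_SYSTEM2_GUID
DXE_CORE_GUID = uuid.UUID("00000000-dead-beef-0000-000000000001")  # constructed for the demo, not a vendor GUID
DRIVER_GUID = uuid.UUID("00000000-dead-beef-0000-000000000002")    # constructed for the demo

def checksum8(data):  # byte that makes the 8-bit sum of data plus this byte zero
    return (-sum(data)) & 0xFF

def checksum16(data):  # uint16 that makes the 16-bit little-endian word sum of data plus this word zero
    return (-sum(struct.unpack("<%dH" % (len(data) // 2), data))) & 0xFFFF

def build_ffs_file(guid, ftype, body, attributes=FFS_ATTRIB_CHECKSUM):  # one FFS file, 8-byte aligned
    size = FFS_HEADER_SIZE + len(body)
    file_sum = checksum8(body) if attributes & FFS_ATTRIB_CHECKSUM else FFS_FIXED_CHECKSUM
    # The header checksum is computed with IntegrityCheck.File and State treated as zero.
    partial = struct.pack(FFS_HEADER_FMT, guid.bytes_le, 0, 0, ftype, attributes, size.to_bytes(3, "little"), 0)
    header = struct.pack(FFS_HEADER_FMT, guid.bytes_le, checksum8(partial), file_sum, ftype, attributes,
                         size.to_bytes(3, "little"), 0xF8)  # State: CONSTRUCTION|HEADER_VALID|DATA_VALID, inverted
    return header + body + b"\xff" * (-size % 8)

def build_firmware_volume(files, block_size=0x1000):  # one block-map entry, erase polarity 1, no ext header
    body = b"".join(files)
    header_len = FV_HEADER_SIZE + 16                 # one block-map entry plus the zero terminator
    fv_length = -(-(header_len + len(body)) // block_size) * block_size
    fixed = struct.pack(FV_HEADER_FMT, bytes(16), FFS2_GUID.bytes_le, fv_length, FV_SIGNATURE,
                        FV_ERASE_POLARITY, header_len, 0, 0, 0, 2)
    header = fixed + struct.pack("<IIII", fv_length // block_size, block_size, 0, 0)
    header = header[:50] + struct.pack("<H", checksum16(header)) + header[52:]  # Checksum field is at offset 50
    return (header + body).ljust(fv_length, b"\xff")

def parse_firmware_volume(image):
    """Walk one Firmware Volume: header check plus per-file integrity results and SHA-256 hashes."""
    _, fs_guid_le, fv_length, signature, attributes, header_len = struct.unpack_from(FV_HEADER_FMT, image, 0)[:6]
    if signature != FV_SIGNATURE:
        raise ValueError("no _FVH signature: not a firmware volume")
    erased = b"\xff" if attributes & FV_ERASE_POLARITY else b"\x00"
    files, offset = [], header_len
    while offset + FFS_HEADER_SIZE <= fv_length:
        hdr = image[offset:offset + FFS_HEADER_SIZE]
        if hdr == erased * FFS_HEADER_SIZE:
            break  # erased free space at the end of the volume
        name_le, _, file_sum, ftype, fattr, size3, _ = struct.unpack(FFS_HEADER_FMT, hdr)
        size = int.from_bytes(size3, "little")
        if size < FFS_HEADER_SIZE or offset + size > fv_length:
            raise ValueError("corrupt FFS file size at offset 0x%x" % offset)
        body = image[offset + FFS_HEADER_SIZE:offset + size]
        header_csum_ok = (sum(hdr[:17] + b"\x00" + hdr[18:23] + b"\x00") & 0xFF) == 0
        data_csum_ok = (((sum(body) + file_sum) & 0xFF) == 0 if fattr & FFS_ATTRIB_CHECKSUM
                        else file_sum == FFS_FIXED_CHECKSUM)
        files.append({"guid": str(uuid.UUID(bytes_le=name_le)), "type": ftype, "size": size,
                      "header_checksum_ok": header_csum_ok, "data_checksum_ok": data_csum_ok,
                      "sha256": hashlib.sha256(hdr + body).hexdigest()})
        offset = (offset + size + 7) & ~7              # files are 8-byte aligned within the volume
    return {"fs_guid": str(uuid.UUID(bytes_le=fs_guid_le)), "header_checksum_ok": checksum16(image[:header_len]) == 0,
            "files": files}

def diff_volumes(baseline, suspect):  # compare a suspect FV with a known-good dump, keyed on FFS file GUID
    base = {f["guid"]: f for f in baseline["files"]}
    susp = {f["guid"]: f for f in suspect["files"]}
    findings = ["removed file: %s" % g for g in base.keys() - susp.keys()]
    for guid, f in susp.items():
        if not (f["header_checksum_ok"] and f["data_checksum_ok"]):
            findings.append("integrity check failed: %s" % guid)
        if guid not in base:
            findings.append("added file: %s (type 0x%02x)" % (guid, f["type"]))
        elif f["sha256"] != base[guid]["sha256"]:
            findings.append("modified in place: %s (type 0x%02x)" % (guid, f["type"]))
    return sorted(findings)

def demo():
    """Constructed images (not real firmware): a baseline FV and two tampered copies of it."""
    dxe_body = b"CORE_DXE: legitimate dispatcher code " + bytes(range(64))
    driver = build_ffs_file(DRIVER_GUID, EFI_FV_FILETYPE_DRIVER, b"VendorDriver.efi placeholder " * 4)
    def volume(core_body):
        return build_firmware_volume([build_ffs_file(DXE_CORE_GUID, EFI_FV_FILETYPE_DXE_CORE, core_body), driver])
    baseline = volume(dxe_body)
    # Tampering A: patch the DXE core body and re-serialize, so every checksum is valid again.
    tampered_valid = volume(dxe_body.replace(b"legitimate", b"hooked    "))
    # Tampering B: raw byte patch of the same body inside the baseline image, checksums left stale.
    at = FV_HEADER_SIZE + 16 + FFS_HEADER_SIZE + 10
    tampered_stale = baseline[:at] + b"\x90" * 4 + baseline[at + 4:]
    base = parse_firmware_volume(baseline)
    return {"baseline": base,
            "valid_checksums": diff_volumes(base, parse_firmware_volume(tampered_valid)),
            "stale_checksums": diff_volumes(base, parse_firmware_volume(tampered_stale))}
```

Call `demo()` to get the findings for both tampered images. On a real SPI flash dump you would first carve out each volume (scan for `_FVH` at offset 40 of a candidate header and confirm the header checksum), run `parse_firmware_volume` on each, and diff against a dump taken from a known-clean machine running the same firmware version; the "modified in place" finding on a file of type 0x05 is the signal the checksums alone would never give you.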

For more details see: Unique new UEFI firmware attack dubbed “MoonBounce” found