
A previously undocumented firmware implant deployed to maintain stealthy persistence as part of a targeted espionage campaign has been linked to the Chinese-speaking Winnti advanced persistent threat group (APT41).

Kaspersky, which codenamed the rootkit MoonBounce, characterized the malware as the “most advanced UEFI firmware implant discovered in the wild to date,” adding that “the purpose of the implant is to facilitate the deployment of user-mode malware that stages execution of further payloads downloaded from the internet.”

Firmware-based rootkits, once a rarity in the threat landscape, are fast becoming lucrative tools among sophisticated actors, helping them achieve a long-standing foothold in a manner that is not only hard to detect, but also difficult to remove.

The first firmware-level rootkit — dubbed LoJax — was discovered in the wild in 2018. Since then, three different instances of UEFI malware have been unearthed, including MosaicRegressor, FinFisher, and ESPecter.
