Wednesday, May 14, 2025
HomeMalwareChinese APT Hackers Deploys MoonBounce Implant In UEFI Firmware

Chinese APT Hackers Deploys MoonBounce Implant In UEFI Firmware

Published on

SIEM as a Service

Follow Us on Google News

Kaspersky Lab experts have recently discovered a security vulnerability in UEFI firmware, and this vulnerability was detected while studying the Firmware Scanner logs at the end of 2021.

During the further analysis, they found that the threat actors had modified one of the components in the firmware image that enabled the attackers to change the execution chain in UEFI and then inject the malicious code that runs at the startup of the machine.

On the victim’s network, the components of the modified firmware and other artifacts of malicious activity were analyzed, and it’s been detected that the malicious code which was implanted into the UEFI firmware was dubbed as “MoonBounce.”

- Advertisement - Google News

Other Malware and Implants That are Under The Radar

Here we have mentioned all the other malware, stagers, and post-exploitation malware implants that were used by the Chinese-speaking attackers:-

  • Microcin: It’s a backdoor that is used by the operators of the SixLittleMonkeys group.
  • Mimikat_ssp: It’s a publicly available post-exploitation tool that is used to dump the credentials and security secrets from exe.
  • Go implant: It’s a formerly unknown backdoor that is used to contact a C2 server by using the RESTful API.

Moreover, this MoonBounce implant targets the organizations that are in command of several corporations dealing with transport technology. In short, their target is the transport sector.

Feature of MoonBounce

MoonBounce offers a distinctive feature that enables the MoonBounce to remain un-hidden in the ESP (EFI System Partition), and it’s the section where the UEFI code is located; but, in this situation with an active implant, it is immediately embedded in the SPI flash memory, that is located on the motherboard.

Here, the malware can be launched in both situations, which implies:-

  • After reinstalling the operating system.
  • After formatting or replacing the hard drive. 

While on the infected device until the SPI memory is flashed, which is a very complicated process until the motherboard is replaced, the bootkit will remain over there.

The MoonBounce is the third UEFI bootkit that was capable of infecting SPI memory, but, apart from this, the previous two cases are:-

  • LoJax malware
  • MosaicRegressor malware

Operators of MoonBounce

The MoonBounce was used as a form to maintain access to the infected host and then in the second stage of the attack deploy the malware.

While it’s been confirmed by the experts that during their analysis they found MoonBounce was deployed once so far on the network of an unnamed transport company.

Since MoonBounce and other malware found on the victim’s network constantly contacted the server infrastructure, from where the APT41 group command all its instructions.

So, they have speculated that the operators behind the MoonBounce malware could be a Chinese cyber-espionage group that is dubbed as “APT41.” What is not clear till now is the installation procedure of MoonBounce.

But, still, cybersecurity researchers are analyzing the MoonBounce closely to get all the key details.

You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity updates

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Microsoft Patch Tuesday May 2025 Released With the Fixes for 72 Flaws With 5 Actively Exploited 0-Day

Microsoft has released its May 2025 Patch Tuesday updates, addressing 72 security vulnerabilities across...

Ivanti Released Security Updates to Fix for the Mutiple RCE Vulnerabilities – Patch Now

Ivanti, a leading enterprise software provider, has released critical security updates addressing vulnerabilities across...

Fortinet FortiVoice Zero-day Vulnerability Actively Exploited in The Wild

A critical stack-based buffer overflow vulnerability (CWE-121) has been discovered in multiple Fortinet products,...

Ransomware Attacks Surge by 123% Amid Evolving Tactics and Strategies

The 2025 Third-Party Breach Report from Black Kite highlights a staggering 123% surge in...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Hackers Weaponize KeePass Password Manager to Spread Malware and Steal Passwords

Threat actors have successfully exploited the widely-used open-source password manager, KeePass, to spread malware...

Researchers Uncover Remote IT Job Fraud Scheme Involving North Korean Nationals

The United States indicted fourteen North Korean nationals for orchestrating a sophisticated scheme to...

Lumma Stealer Upgraded with PowerShell Tools and Advanced Evasion Techniques

Sophos Managed Detection and Response (MDR) in September 2024, the notorious Lumma Stealer malware...