MoonBounce, New UEFI Malware on the Loose

mac computer macbook

UEFI, short for Unified Extensible Firmware Interface, is simply put a system component, which connects the operating system with the rest of the system's firmware and devices. This is a low-level component, which is not erased/overwritten in case of formatting your hard drive or re-installing your operating system. And this is why cybercriminals are so interested in it – the development of UEFI malware allows them to gain persistence on a compromised device, hiding deep into the system's components. Even if the victim attempts to reinstall their operating system, they will fail to remove the malicious module. The latest piece of UEFI malware to be found in the wild MoonBounce Malware – it joins the ranks of several other implants, which have the ability to reside inside the UEFI.

The UEFI firmware is typically stored on the Serial Peripheral Interface (SPI) storage chip on computer motherboards. In order for it to be compromised, attackers will need to introduce a malicious firmware update, which would deliver the malicious code to the SPI chip.

Why is the MoonBounce Malware Special?

As already explained, this malware's unique ability reside in the UEFI firmware makes it much more difficult to identify and remove. But this property also gives it many other advantages. For starters, it does not need to run on system startup like most modern malware – instead, it is able to work independently of the operating system.

Of course, because of how stealthy the MoonBounce Malware is, its features are quite limited. Unfortunately, its ability to store its data in the UEFI firmware and operate from the system's memory turn it into a very difficult threat to deal with. It appears that its primary purpose is to enable attackers to deploy additional malware onto infected devices – just like a Trojan Dropper.

It seems that the victims affected by the MoonBounce Malware had sensitive data exfiltrated from their devices – industrial espionage is likely to be the primary purpose of this specific campaign. According to malware researchers, the MoonBounce campaign appears very similar to previous campaigns carried out by APT41, a Chinese threat actor.

By Ruik
January 21, 2022
Malware
English
January 21, 2022
Malware

Popular Posts

As Fears of the Coronavirus Pandemic Spread, So Does...

5 years ago

What is the OperaGXSetup.exe File and is it Malicious?

11 months ago

Eporner.com And Why Its Excessive Pop-Ups Are Risky

11 days ago

HackTool:Win32/Crack: a Malicious Threat That Can Seriously...

7 months ago

Take Note: Someone Added You As Their Recovery Email Scam

10 months ago

A Potentially Serious Threat: Trojan:Win32/Suschil!rfn

18 days ago

Related Posts

Malware

Remove ASPXSpy Malware

ASPXSpy Malware is an open-source piece of malware, which is being used by multiple Advanced Persistent Threat (APT) actors around the world. It is very small in size, and thanks to being open-source it can be... Read more

May 27, 2021
Malware

TEARDROP Malware

The TEARDROP Malware is identified as a basic Trojan Dropper, which was used by the cybercriminals behind the recent supply-chain attack linked to the SolarWinds software vendor. This campaign involved the use of a... Read more

April 26, 2021
Malware

Remove NativeZone Malware

The NativeZone Malware is part of the hacking toolkit of the Nobelium APT, a cybercrime organization best known for its attack against the SolarWinds software vendor. Recently, their name made the news yet again, but... Read more

June 1, 2021
English
Loading...

Cyclonis Password Manager Details & Terms

FREE Trial: 30-Day One-Time Offer! No credit card required for Free Trial. Full functionality for the length of the Free Trial. (Full functionality after Free Trial requires subscription purchase.) To learn more about our policies and pricing, see EULA, Privacy Policy, Discount Terms and Purchase Page. If you wish to uninstall the app, please visit the Uninstallation Instructions page.

Home

Products

Cyclonis Password Manager Cyclonis World Time

Support

Help Files FAQs Downloads Inquiries & Support

Company

About Us Contact Us Report Abuse

Legal (Post Merger)

EnigmaSoft Limited (fka Cyclonis Limited)

Cyclonis Password Manager's EULA Cyclonis World Time's Terms of Service Privacy Policy Cookie Policy Special Discount Offer Terms Additional Terms & Conditions SpyHunter EULA RegHunter EULA EnigmaSoft Privacy Policy & Cookie Policy ESG Privacy Policy & Cookie Policy EnigmaSoft Discount Offer Terms ESG Discount Offer Terms

© 2017-2025 Cyclonis Ltd. CYCLONIS is a trademark of EnigmaSoft Limited (Cyclonis was merged into EnigmaSoft Limited effective November 25, 2023.) All rights reserved.

Registered Office EnigmaSoft Limited: 1 Castle Street, 3rd Floor, Dublin 2 D02 XD82, Ireland.
EnigmaSoft Limited, Private Company Limited by shares, Company Registration Number 597114.

Windows is a trademark of Microsoft, registered in the U.S. and other countries.
Mac, iPhone, iPad and App Store are trademarks of Apple Inc., registered in the U.S. and other countries.
iOS is a registered trademark of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
Android and Google Play are trademarks of Google LLC.