Dubbed MoonBounce by the security sleuths at Kaspersky who discovered it, the malware, technically called a bootkit, traverses beyond the hard disk and burrows itself in the computer’s Unified Extensible Firmware Interface (UEFI) boot firmware. “The attack is very sophisticated,” Tomer Bar, Director of Security Research at SafeBreach, told Lifewire over email. “Once the victim is infected, it is very persistent since even a hard drive format won’t help.”
Novel Threat
Bootkit malware are rare, but not completely new, with Kaspersky itself having discovered two others in the past couple of years. However, what makes MoonBounce unique is that it infects the flash memory located on the motherboard, making it impervious to antivirus software and all the other usual means of removing malware. In fact, the Kaspersky researchers note that users can reinstall the operating system and replace the hard drive, but the bootkit will continue to remain on the infected computer until users either re-flash the infected flash memory, which they describe as “a very complex process,” or replace the motherboard entirely. What makes the malware even more dangerous, Bar added, is that the malware is fileless, which means it doesn’t rely on files that antivirus programs can flag and leaves no apparent footprint on the infected computer, making it very difficult to trace. Based on their analysis of the malware, the Kaspersky researchers note that MoonBounce is the first step in a multi-stage attack. The rogue actors behind MoonBounce use the malware to establish a foothold into the victim’s computer, which they fathom can then be used to deploy additional threats to steal data or deploy ransomware. The saving grace, though, is that the researchers have found only one instance of the malware till now. “However, it’s a very sophisticated set of code, which is concerning; if nothing else, it heralds the likelihood of other, advanced malware in the future,” Tim Helming, security evangelist with DomainTools, warned Lifewire over email. Therese Schachner, Cyber Security Consultant at VPNBrains agreed. “Since MoonBounce is particularly stealthy, it’s possible that there are additional instances of MoonBounce attacks that haven’t yet been discovered.”
Inoculate Your Computer
The researchers note that the malware was detected only because the attackers made the mistake of using the same communication servers (technically known as the command and control servers) as another known malware. However, Helming added that since it’s not apparent how the initial infection takes place, it’s virtually impossible to give very specific directions on how to avoid getting infected. Following the well-accepted security best practices is a good start, though. “While malware itself advances, the basic behaviors that the average user should avoid in order to protect themselves haven’t really changed. Keeping software up to date, especially security software, is important. Avoiding clicking on suspicious links remains a good strategy,” Tim Erlin, VP of strategy at Tripwire, suggested to Lifewire over email. Adding to that suggestion, Stephen Gates, Security Evangelist at Checkmarx, told Lifewire over email that the average desktop user has to go beyond traditional antivirus tools, which can’t prevent fileless attacks, such as MoonBounce. “Search for tools that can leverage script control and memory protection, and try to use applications from organizations that employ secure, modern application development methodologies, from the bottom of the stack to the top,” Gates suggested. Bar, on the other hand, advocated the use of technologies, such as SecureBoot and TPM, to verify that the boot firmware hasn’t been modified as an effective mitigation technique against bootkit malware. Schachner, on similar lines, suggested that installing UEFI firmware updates as they’re released will help users incorporate security fixes that better protect their computers against emerging threats such as MoonBounce. Furthermore, she also recommended using security platforms that incorporate firmware threat detection. “These security solutions allow users to be informed of potential firmware threats as soon as possible so that they can be addressed in a timely manner before the threats escalate.”