APT41 UEFI Malware MoonBounce
Industry: N/A | Level: Strategic | Source: Kaspersky
Researchers at Kaspersky have identified a UEFI firmware implant, dubbed "MoonBounce," that is being used by the threat group APT41. The implant is highly persistent because its code resides in the SPI flash memory of the motherboard rather than on disk: reinstalling the operating system or replacing the drive does not touch it, and removing it requires reflashing the firmware. Kaspersky describes the infection chain as follows: "The implant rests in the CORE_DXE component of the firmware, which is called upon early during the UEFI boot sequence. Then, through a series of hooks that intercept certain functions, the implant's components make their way into the operating system, where they reach out to a command & control server in order to retrieve further malicious payloads, which we were unable to retrieve. It's worth noting that the infection chain itself does not leave any traces on the hard drive, as its components operate in memory only, thus facilitating a fileless attack with a small footprint."
The implant was identified in the spring of 2021 and was used in targeted attacks. Based on the observed C2 infrastructure and the compilation timestamps of other malware found on the victim network, Kaspersky assesses that waves of activity against the network began as early as 2020. The use of a firmware implant, with its cost and its need for physical or privileged access to the flash, is consistent with an espionage operation rather than opportunistic crime.
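The check a responder wants after reading the above is a firmware integrity comparison: dump the SPI flash and verify that the DXE core file matches the vendor's known-good image for the same firmware version. The script below is an added example, not code from Kaspersky's report or from this brief. It parses UEFI firmware volumes just far enough to do that job, following the PI specification layout of EFI_FIRMWARE_VOLUME_HEADER (the `_FVH` signature at offset 40, the 64-bit volume length at offset 32, the 16-bit header length at offset 48) and EFI_FFS_FILE_HEADER (24 bytes; type byte at offset 18, 3-byte size at offset 20, 8-byte file alignment, erased 0xFF space marking the end of files). It locates every file of type EFI_FV_FILETYPE_DXE_CORE (0x05), hashes the whole FFS file, and reports differences between a dump and a baseline. The firmware volumes it builds for the demonstration are constructed test data, not real firmware; all function names and the erase-polarity assumption are the example's own.

```python
"""Find the DXE core (CORE_DXE) file in a UEFI SPI flash dump and compare it with a
known-good image. Added example: offsets follow the UEFI PI spec layouts for
EFI_FIRMWARE_VOLUME_HEADER and EFI_FFS_FILE_HEADER; function names are this example's own."""
import hashlib
import struct
from typing import Dict, Iterator, List, Tuple

FV_SIGNATURE = b"_FVH"           # EFI_FIRMWARE_VOLUME_HEADER.Signature
FV_LENGTH_OFFSET = 32            # UINT64 FvLength
FV_SIGNATURE_OFFSET = 40
FV_HEADER_LENGTH_OFFSET = 48     # UINT16 HeaderLength
FV_MIN_HEADER_LENGTH = 72        # 56 fixed bytes + one block-map entry + terminator entry
FFS_HEADER_SIZE = 24             # EFI_FFS_FILE_HEADER
FFS_LARGE_HEADER_SIZE = 32       # EFI_FFS_FILE_HEADER2 adds a UINT64 ExtendedSize
FFS_ATTRIB_LARGE_FILE = 0x01
FFS_TYPE_DXE_CORE = 0x05         # EFI_FV_FILETYPE_DXE_CORE
ERASED = b"\xff"                 # assumption: erase polarity 1, the common case for SPI flash


def iter_firmware_volumes(image: bytes) -> Iterator[Tuple[int, int, int]]:
    """Yield (fv_offset, fv_length, header_length) for each volume found by scanning for
    '_FVH' and sanity-checking the header fields around it."""
    pos = image.find(FV_SIGNATURE)
    while pos != -1:
        fv_off = pos - FV_SIGNATURE_OFFSET
        nxt = pos + 1
        if fv_off >= 0 and fv_off + FV_MIN_HEADER_LENGTH <= len(image):
            fv_len = struct.unpack_from("<Q", image, fv_off + FV_LENGTH_OFFSET)[0]
            hdr_len = struct.unpack_from("<H", image, fv_off + FV_HEADER_LENGTH_OFFSET)[0]
            if FV_MIN_HEADER_LENGTH <= hdr_len <= fv_len and fv_off + fv_len <= len(image):
                yield fv_off, fv_len, hdr_len
                nxt = fv_off + fv_len       # volumes do not overlap: resume after this one
        pos = image.find(FV_SIGNATURE, nxt)


def iter_ffs_files(image: bytes, fv_off: int, fv_len: int,
                   hdr_len: int) -> Iterator[Tuple[bytes, int, int, int]]:
    """Yield (name_guid, file_type, file_offset, file_size) for each FFS file in a volume.
    Files are 8-byte aligned; a header that is all 0xFF marks the unused, erased tail."""
    pos, end = fv_off + hdr_len, fv_off + fv_len
    while True:
        pos = (pos + 7) & ~7
        if pos + FFS_HEADER_SIZE > end:
            return
        hdr = image[pos:pos + FFS_HEADER_SIZE]
        if hdr == ERASED * FFS_HEADER_SIZE:
            return
        name, ftype, attrs = hdr[0:16], hdr[18], hdr[19]
        size = hdr[20] | (hdr[21] << 8) | (hdr[22] << 16)
        if attrs & FFS_ATTRIB_LARGE_FILE:
            if pos + FFS_LARGE_HEADER_SIZE > end:
                return
            size = struct.unpack_from("<Q", image, pos + FFS_HEADER_SIZE)[0]
        if size < FFS_HEADER_SIZE or pos + size > end:
            return                          # corrupt or truncated file: stop rather than guess
        yield name, ftype, pos, size
        pos += size


def dxe_core_hashes(image: bytes) -> Dict[int, str]:
    """Map absolute offset -> SHA-256 of the whole FFS file for every DXE core in the image."""
    found: Dict[int, str] = {}
    for fv_off, fv_len, hdr_len in iter_firmware_volumes(image):
        for _name, ftype, f_off, f_size in iter_ffs_files(image, fv_off, fv_len, hdr_len):
            if ftype == FFS_TYPE_DXE_CORE:
                found[f_off] = hashlib.sha256(image[f_off:f_off + f_size]).hexdigest()
    return found


def compare_dxe_core(dump: bytes, baseline: bytes) -> List[Tuple[int, str, str]]:
    """Return (offset, baseline_sha256, dump_sha256) for each DXE core that differs between
    the two images; a file present in only one of them shows '' for the other side."""
    a, b = dxe_core_hashes(dump), dxe_core_hashes(baseline)
    return [(off, b.get(off, ""), a.get(off, ""))
            for off in sorted(set(a) | set(b)) if a.get(off) != b.get(off)]


def build_ffs_file(ftype: int, body: bytes, name: bytes = b"\x00" * 16) -> bytes:
    """Constructed FFS file: GUID, IntegrityCheck, Type, Attributes, 3-byte Size, State, body."""
    size = FFS_HEADER_SIZE + len(body)
    assert size < 1 << 24, "3-byte size field; large files are not built here"
    return name + struct.pack("<HBB", 0, ftype, 0) + size.to_bytes(3, "little") + b"\xf8" + body


def build_sample_volume(files: bytes, erased_tail: int = 64) -> bytes:
    """Constructed test input, not a vendor image: minimal 72-byte FV header, the given
    files, 8-byte padding, and an erased tail so the parser sees the end-of-files marker."""
    body = files + ERASED * (-len(files) % 8) + ERASED * erased_tail
    fv_len = FV_MIN_HEADER_LENGTH + len(body)
    header = struct.pack("<16s16sQ4sIHHHBB", b"\x00" * 16, b"\x00" * 16, fv_len,
                         FV_SIGNATURE, 0, FV_MIN_HEADER_LENGTH, 0, 0, 0, 2)
    block_map = struct.pack("<IIII", 1, fv_len, 0, 0)   # one block entry + terminator
    return header + block_map + body


if __name__ == "__main__":
    # Constructed images: the "dump" differs from the baseline in one byte of the DXE core.
    good = build_sample_volume(build_ffs_file(FFS_TYPE_DXE_CORE, b"\x90" * 100))
    bad = build_sample_volume(build_ffs_file(FFS_TYPE_DXE_CORE, b"\x90" * 99 + b"\xcc"))
    for off, want, got in compare_dxe_core(bad, good):
        print(f"DXE core at 0x{off:x} differs: baseline {want[:16]}.. dump {got[:16]}..")
```

In practice the dump comes from `chipsec_util spi dump rom.bin` on the live system or, with higher assurance because compromised firmware cannot interfere, from `flashrom` driven through an external SPI programmer clipped to the chip. The baseline must be the vendor's image for the exact same firmware version (vendor update packages are often wrapped in a capsule that has to be unpacked with a tool such as UEFITool first); a version mismatch produces differences that are legitimate. The script compares raw FFS file bytes and deliberately does not decompress or validate sections, so it flags any modification of the DXE core file, which is the kind of change described above, but a clean result only covers that one file and says nothing about other volumes, NVRAM, or the boot path.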