Mark Lechtik
Jan 20 10 tweets 4 min read
[1/n] Today I'm sharing the details of a research done by @vaber_b, @legezo, Ilya Borisov and myself on a UEFI firmware implant found in the wild, dubbed #MoonBounce. We assess that this formerly unknown threat is the work of the infamous #APT41. A 🧵
securelist.com/moonbounce-the…
[2/n] During investigation of anomalous UEFI level behaviour in our telemetry, we found a tampered CORE_DXE module, originally used, among other tasks, to bootstrap system startup through initialization of externally callable routines (Boot Services, Runtime Services etc.)
[3/n] The attackers appended malicious pieces of shellcode and a kernel-mode driver into a newly created section within the CORE_DXE image and caused the invocation of the former through inline hooks set in several Boot Services routines.
[4/n] Consequently, when CORE_DXE runs during system startup it is forced to execute malicious code that propagates to other components in the boot sequence, namely the Windows OS loader and kernel. The figure below outlines the flow of the underlying infection chain.
[5/n] This infection culminates in the injection of a malicious stager from the aforementioned driver into a Windows service that has network connectivity once the OS is running. This stager is intended to reach out to a C&C and fetch subsequent payload, which we did not obtain.
[6/n] Interestingly, we found multiple artefacts on hosts in the same network range that reached out to MoonBounce's C&C infrastructure as well. Those consisted of ScrambleCross (aka SideWalk) implants loaded by StealthVector and StealthMutant, all associated with #APT41.
[7/n] In addition, we found activity of a formerly unknown Golang malware and Microcin (typically used by the SLM threat actor) on other hosts of the same victim. We assess with moderate confidence that those are part of the same intrusion set.
[8/n] The overall campaign, which is assessed to be orchestrated by #APT41, seems to be aimed at long term espionage against a high-profile entity, leveraging the third public known case of a UEFI firmware implant. When and how it was deployed still remain undetermined though.
[9/n] Examining it against comparable predecessors (i.e. LoJax and MosaicRegressor), MoonBounce can be seen as somewhat more complex and stealthy, most notably by operating in-memory only without leaving traces on the disk (as was the case for its counterparts).
[10/10] Personally, the implant and underlying chain have been a truly exhilarating analysis experience, showing how UEFI firmware threats are increasingly becoming more common and complex, with a greater likelihood of similar sophisticated attacks materializing as we go.
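Tweets [2/n] and [3/n] describe two things a defender can look for in a dumped firmware volume: a DXE module whose section table has grown by an extra executable section, and code bytes in existing sections that no longer match the vendor's copy. The script below is an added illustration of those two checks and is not code from the thread or from the Securelist report. It parses a PE section table with the standard library, runs a few stand-alone heuristics (section names outside an assumed allowlist, sections that are both writable and executable, raw data pointing past the end of the file), and diffs a suspect module against a known-good copy. The sample module is constructed inline as a minimal PE32+ image so the script runs offline; real DXE modules may also use the TE header format, which this parser does not handle.

```python
import hashlib
import struct

# Section characteristics from the PE/COFF specification
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

COFF_HDR = "<HHIIIHH"          # IMAGE_FILE_HEADER, 20 bytes
SECTION_HDR = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes

# Assumed allowlist of section names for a typical DXE driver build
EXPECTED_NAMES = (".text", ".rdata", ".data", ".pdata", ".reloc")


def parse_sections(image):
    """Return the section table of a PE image as a list of dicts."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from(COFF_HDR, image, coff)
    table = coff + struct.calcsize(COFF_HDR) + opt_size
    sections = []
    for i in range(nsec):
        f = struct.unpack_from(SECTION_HDR, image, table + 40 * i)
        sections.append({"name": f[0].rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": f[1], "vaddr": f[2], "raw_size": f[3],
                         "raw_ptr": f[4], "flags": f[9]})
    return sections


def find_suspicious_sections(image, expected_names=EXPECTED_NAMES):
    """Stand-alone heuristics that need no reference copy of the module."""
    findings = []
    for s in parse_sections(image):
        reasons = []
        if s["name"] not in expected_names:
            reasons.append("unexpected section name")
        if s["flags"] & IMAGE_SCN_MEM_EXECUTE and s["flags"] & IMAGE_SCN_MEM_WRITE:
            reasons.append("writable and executable")
        if s["raw_ptr"] + s["raw_size"] > len(image):
            reasons.append("raw data extends past end of image")
        if reasons:
            findings.append((s["name"], reasons))
    return findings


def diff_against_clean(clean, suspect):
    """Compare a suspect module with a known-good copy of the same module (for example
    extracted from the vendor's firmware update): report sections that are absent from
    the clean copy and sections whose raw bytes changed (what an inline hook leaves)."""
    ref = {s["name"]: s for s in parse_sections(clean)}
    findings = []
    for s in parse_sections(suspect):
        r = ref.get(s["name"])
        if r is None:
            findings.append((s["name"], "section absent from clean module"))
            continue
        a = clean[r["raw_ptr"]:r["raw_ptr"] + r["raw_size"]]
        b = suspect[s["raw_ptr"]:s["raw_ptr"] + s["raw_size"]]
        if hashlib.sha256(a).digest() != hashlib.sha256(b).digest():
            findings.append((s["name"], "section bytes differ from clean module"))
    return findings


def build_pe(sections, file_align=0x200):
    """Construct a minimal PE32+ image for the demo; sections = [(name, data, flags)]."""
    def align(x):
        return (x + file_align - 1) // file_align * file_align
    opt_size = 240
    hdr_end = align(0x40 + 4 + struct.calcsize(COFF_HDR) + opt_size + 40 * len(sections))
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)            # e_lfanew
    coff = struct.pack(COFF_HDR, 0x8664, len(sections), 0, 0, 0, opt_size, 0x0022)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)              # PE32+ magic
    table, body, raw_ptr, vaddr = b"", b"", hdr_end, 0x1000
    for name, data, flags in sections:
        raw_size = align(len(data))
        table += struct.pack(SECTION_HDR, name.encode("ascii"), len(data), vaddr,
                             raw_size, raw_ptr, 0, 0, 0, 0, flags)
        body += data.ljust(raw_size, b"\0")
        raw_ptr += raw_size
        vaddr += 0x1000
    return (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table).ljust(hdr_end, b"\0") + body


def build_sample_module(tampered=False):
    """Constructed stand-in for a DXE driver: either clean, or with one byte of .text
    changed and an extra executable section appended to the section table."""
    text = bytearray(b"\x48\x83\xec\x28" + b"\xc3" * 12)   # constructed code bytes
    if tampered:
        text[0] ^= 0xFF
    secs = [(".text", bytes(text), IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
            (".data", b"\0" * 16, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)]
    if tampered:
        secs.append((".extra", b"\x90" * 32, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE
                     | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE))
    return build_pe(secs)


if __name__ == "__main__":
    clean, suspect = build_sample_module(), build_sample_module(tampered=True)
    print(find_suspicious_sections(suspect))
    print(diff_against_clean(clean, suspect))
```

The heuristics alone catch the appended section; only the comparison with a clean copy catches the modified code bytes, which is why keeping golden images of the vendor firmware (or the hashes of each module in it) is the check that matters most for this class of implant.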