Security researchers from Kaspersky announced on Thursday that they have discovered a new bootkit that can infect a computer's UEFI.
What it does MoonBounce (the name they gave the bootkit) special is the fact that the malware it is not hidden within the hard part disk called ESP (EFI System Partition), where the UEFI code is usually located. Instead it infects the SPI located on the motherboard.
This means that, unlike similar bootkits, users cannot reinstall the operating system system or replace the hard drive, as the bootkit will continue to reside on the infected device until the SPI memory is restarted (a very complicated process) or the motherboard is changed.
According to Kaspersky, MoonBounce is the third UEFI bootkit they've seen so far that can reside inside SPI memory. The previous malware were the LoJax and MosaicRegressor.
In addition, the discovery of MoonBounce comes after the discovery of additional UEFI bootkit in recent months, such as ESPectre, FinSpy's UEFI bootkit and others, which led Kaspersky's team to conclude that what was once considered impossible has gradually become the norm.
Kaspersky Security Group proposes:
"As a security measure against this attack and similar attacks, it is recommended to regularly update the UEFI firmware and verify that BootGuard, where available, is enabled. It is also advisable to activate the modules Trust Platform, in case it is supported by the machine ”.
