Researchers security from Kaspersky announced Thursday that they discovered a new bootkit that can infect a computer's UEFI.
What MoonBounce (the name that they gave to the bootkit) special is the fact that the malware does not hide inside the part of the hard drive called ESP (EFI System Partition), where the UEFI code is usually located. Instead it infects the SPI located on the motherboard.
This means that, unlike similar bootkits, users cannot reinstall the operating system or replace the hard drive, as the bootkit will continue to reside on the infected device until the SPI memory is restarted (a very complicated process) or the motherboard is changed.
According to Kaspersky, MoonBounce is the third UEFI bootkit they have seen so far that can be found in SPI memory. The previous malware was LoJax and MosaicRegressor.
In addition, the discovery of MoonBounce comes after the discovery of additional UEFI bootkit in recent months, such as ESPectre, FinSpy's UEFI bootkit and others, which led Kaspersky's team to conclude that what was once considered impossible has gradually become the norm.
Kaspersky Security Group proposes:
"Ως μέτρο ασφαλείας έναντι αυτής της επίθεσης και παρόμοιων attacks, it is recommended to regularly update the UEFI firmware and verify that BootGuard, where available, is enabled. Likewise, activating the modules is advisable Trust Platform, if supported by the machine".
