Security researchers at Kaspersky have identified a new UEFI rootkit in the wild that exhibits some unique behaviours, including its modification of existing legitimate UEFI firmware rather than adding drivers to it.

Attributing the sophisticated campaign to APT41, a Chinese-speaking threat actor, Kaspersky said that the original UEFI firmware was tampered with to embed malicious code that it has dubbed MoonBounce; this was used to deploy user-mode malware that stages execution of further payloads downloaded from the internet.

UEFI firmware is responsible for initialising hardware, then loading and transferring control to the OS. It runs before the OS itself and has higher privileges. Attacks that compromise it are hard to spot and highly persistent.

The attack seemed "aimed at long term espionage against a high-profile entity", the company said. It found just one example of the UEFI implant, which provided "highly stealthy and persistent storage for malware in the system", but multiple other likely associated malicious samples during its investigation.

UEFI rootkits are a potential nightmare for security teams: they are hard to detect and typically able to survive both OS reinstallation and, as in this instance, hard disk replacement too.

How did the MoonBounce UEFI rootkit get there? Nobody knows

(The first UEFI rootkit found in the wild, dubbed LoJax, was spotted by security researchers at ESET in 2018, again being used by an APT actor.)

Senior Kaspersky researcher Mark Lechtic said: "During investigation of anomalous UEFI level behaviour in our telemetry, we found a tampered CORE_DXE module, originally used to bootstrap system startup through initialization of externally callable routines (Boot Services, Runtime Services etc.)"
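Because an implant like this lives in a module of the firmware image rather than on disk, the practical check is to dump the SPI flash (with chipsec, flashrom or a hardware programmer) and compare it module by module against a known-good image from the vendor or from an identical machine, so that a single patched module such as the DXE core stands out by GUID instead of as an opaque whole-image hash mismatch. The script below is an added example written for this page, not code from the article or from Kaspersky: it walks the FFS2 file layout of a UEFI firmware volume, hashes every FFS file body, verifies the header checksums, and diffs two volumes. The two-file volume it builds is constructed for the demonstration (the driver GUID is made up, the DXE core GUID is the one EDK2 uses, and the "tamper" is an in-place byte patch); the parser assumes an FFS2 volume without large-file extended headers.

```python
"""Per-module integrity diff of a UEFI firmware volume dump (added example)."""
import hashlib
import struct
import uuid
from dataclasses import dataclass

FV_SIGNATURE = b"_FVH"
FV_HEADER_FMT = "<16s16sQ4sIHHHBB"   # fixed part of EFI_FIRMWARE_VOLUME_HEADER (56 bytes)
FV_CHECKSUM_OFFSET = 50              # UINT16 Checksum field inside that header
FFS_HEADER_FMT = "<16sBBBB3sB"       # EFI_FFS_FILE_HEADER (24 bytes)
FFS_HEADER_LEN = struct.calcsize(FFS_HEADER_FMT)
ERASED_GUID = b"\xff" * 16           # all-0xFF name: erased flash, no more files
FFS2_GUID = uuid.UUID("8c8ce578-8a3d-4f1c-9935-896185c32dd3")  # EFI_FIRMWARE_FILE_SYSTEM2_GUID

# EFI_FV_FILETYPE_* values from the PI spec (volume 3); others are shown as raw bytes
FV_FILETYPES = {0x01: "RAW", 0x02: "FREEFORM", 0x03: "SECURITY_CORE", 0x04: "PEI_CORE",
                0x05: "DXE_CORE", 0x06: "PEIM", 0x07: "DRIVER", 0x09: "APPLICATION",
                0x0B: "FIRMWARE_VOLUME_IMAGE", 0xF0: "FFS_PAD"}


@dataclass
class FfsFile:
    guid: str
    type_name: str
    body_sha256: str
    header_ok: bool   # 8-bit FFS header checksum verified


def find_fv_offsets(blob: bytes) -> list:
    """Offsets of candidate FV headers in a raw SPI dump ('_FVH' sits 40 bytes into the header)."""
    out, pos = [], blob.find(FV_SIGNATURE)
    while pos != -1:
        if pos >= 40:
            out.append(pos - 40)
        pos = blob.find(FV_SIGNATURE, pos + 1)
    return out


def parse_fv(image: bytes) -> dict:
    """Return {guid: FfsFile} for every FFS file in an FFS2 volume starting at offset 0."""
    if len(image) < struct.calcsize(FV_HEADER_FMT):
        raise ValueError("image shorter than an FV header")
    (_zero, fs_guid, fv_len, sig, _attr, hdr_len, _csum, _ext, _res, _rev) = \
        struct.unpack_from(FV_HEADER_FMT, image, 0)
    if sig != FV_SIGNATURE:
        raise ValueError("no _FVH signature at offset 0")
    if uuid.UUID(bytes_le=fs_guid) != FFS2_GUID:
        raise ValueError("only FFS2 volumes are handled by this example")
    if hdr_len > len(image) or sum(struct.unpack(f"<{hdr_len // 2}H", image[:hdr_len])) & 0xFFFF:
        raise ValueError("FV header checksum mismatch")   # 16-bit words of the header must sum to 0

    end, files, off = min(fv_len, len(image)), {}, hdr_len
    while True:
        off = (off + 7) & ~7                       # FFS files are 8-byte aligned
        if off + FFS_HEADER_LEN > end:
            break
        hdr = image[off:off + FFS_HEADER_LEN]
        name, _ic_hdr, _ic_file, ftype, _fattr, size3, _state = struct.unpack(FFS_HEADER_FMT, hdr)
        if name == ERASED_GUID:
            break
        size = int.from_bytes(size3, "little")
        if size < FFS_HEADER_LEN or off + size > end:
            raise ValueError(f"bad FFS file size at offset {off:#x}")
        scrub = bytearray(hdr)                     # header checksum is taken with
        scrub[17] = scrub[23] = 0                  # IntegrityCheck.File and State zeroed
        body = image[off + FFS_HEADER_LEN:off + size]
        guid = str(uuid.UUID(bytes_le=name))
        files[guid] = FfsFile(guid, FV_FILETYPES.get(ftype, f"0x{ftype:02x}"),
                              hashlib.sha256(body).hexdigest(), sum(scrub) % 256 == 0)
        off += size
    return files


def diff_fv(golden: dict, dumped: dict) -> dict:
    """Compare two parse_fv() results; every list holds sorted GUID strings."""
    return {
        "modified": sorted(g for g in golden if g in dumped and golden[g].body_sha256 != dumped[g].body_sha256),
        "added": sorted(g for g in dumped if g not in golden),
        "removed": sorted(g for g in golden if g not in dumped),
        "bad_header": sorted(g for g, f in dumped.items() if not f.header_ok),
    }


# ---- constructed sample volume: not a vendor image, built only to exercise the code ----
DXE_CORE_GUID = "d6a2cb7f-6a18-4e2f-b43b-9920a733700a"   # EDK2 DxeCore GUID (assumed here)
DRIVER_GUID = "11111111-2222-4333-8444-555555555555"      # made-up driver GUID


def _ffs_file(guid: str, ftype: int, body: bytes) -> bytes:
    size = FFS_HEADER_LEN + len(body)
    hdr = bytearray(struct.pack(FFS_HEADER_FMT, uuid.UUID(guid).bytes_le,
                                0, 0xAA, ftype, 0x00, size.to_bytes(3, "little"), 0xF8))
    hdr[16] = (-(sum(hdr[:16]) + sum(hdr[18:23]))) & 0xFF     # IntegrityCheck.Header
    return bytes(hdr) + body


def build_sample_fv(tampered: bool) -> bytes:
    """Two-file FV; with tampered=True the DXE core body carries an in-place byte patch."""
    dxe_body = bytearray(b"\x55\x48\x89\xe5" * 16)            # placeholder code bytes
    if tampered:
        dxe_body[8:12] = b"\xe8\xde\xad\xbe"                  # constructed 'hook' over original bytes
    body = b""
    for f in (_ffs_file(DXE_CORE_GUID, 0x05, bytes(dxe_body)),
              _ffs_file(DRIVER_GUID, 0x07, b"DRIVER" * 5)):
        body += f + b"\xff" * (-len(f) % 8)
    body += b"\xff" * 64                                       # erased tail of the volume
    hdr_len = struct.calcsize(FV_HEADER_FMT) + 16              # fixed part + one-entry block map
    fv_len = hdr_len + len(body)
    hdr = bytearray(struct.pack(FV_HEADER_FMT, b"\0" * 16, FFS2_GUID.bytes_le, fv_len,
                                FV_SIGNATURE, 0x0004FEFF, hdr_len, 0, 0, 0, 2))
    hdr += struct.pack("<IIII", 1, fv_len, 0, 0)              # block map entry + terminator
    struct.pack_into("<H", hdr, FV_CHECKSUM_OFFSET,
                     (-sum(struct.unpack(f"<{hdr_len // 2}H", hdr))) & 0xFFFF)
    return bytes(hdr) + body


if __name__ == "__main__":
    golden, dump = parse_fv(build_sample_fv(False)), parse_fv(build_sample_fv(True))
    for guid, f in dump.items():
        print(f"{guid}  {f.type_name:<10} {f.body_sha256[:16]}  header_ok={f.header_ok}")
    print(diff_fv(golden, dump))
```

On a real dump, run `find_fv_offsets()` over the whole SPI image and call `parse_fv(blob[off:])` for each volume; compare against a golden dump taken from the vendor capsule or a clean machine of the same model and firmware revision, since a different revision will legitimately differ in many modules. A modified body with an intact header checksum, which is what this diff reports for the DXE core, is exactly the in-place tampering the article describes, so a whole-volume hash is not enough: the per-file diff tells you which module to pull and disassemble.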