Researchers uncovered a stealthy UEFI rootkit that’s being used in highly targeted campaigns by a notorious Chinese cyberespionage group with suspected government ties. The group is known for using software supply-chain attacks in the past. Dubbed MoonBounce by researchers from Kaspersky Lab, the implant’s goal is to inject a malicious driver into the Windows kernel during the booting stages, providing attackers with a high level of persistence and stealthiness.
While MoonBounce is not the first UEFI rootkit found in the wild — LoJax, MosaicRegressor are two examples– these types of implants are not common because they require knowledge of low-level firmware programming. They are typically found in the arsenal of well-resourced and sophisticated attacker groups.