Cybersecurity researchers have come across a new version of the MoonBounce malware, which first appeared last year. What makes this malware unusual is that it evades most security software: instead of living on the disk, where such software normally looks, it sits in the computer's UEFI firmware, the code that runs while the device boots. Keep reading to know more about the MoonBounce malware.

As mentioned in the official press release by Kaspersky, MoonBounce was found alongside several malicious loaders and post-exploitation tools across several nodes of the same network. These include ScrambleCross, also known as Sidewalk, an in-memory implant that communicates with a C2 server to exchange information and execute additional plugins; Mimikat_ssp, a publicly available post-exploitation tool used to dump credentials and security secrets; a formerly unknown Golang-based backdoor; and Microcin, malware typically used by the SixLittleMonkeys threat actor.

What is MoonBounce?

Once active, the malware can maintain access to the host computer and deploy additional malware to further compromise the machine. MoonBounce was recently found on the network of a company dealing in transportation services. The infected network also carried other malware, and the intrusion is believed to be the work of APT41, which may be working for the Chinese authorities. Because the implant is launched before the operating system loads, it is very hard to remove: reinstalling the operating system or replacing the disk does not touch it.

Researchers have recently linked MoonBounce to an elite group of Chinese-speaking hackers called Winnti, which overlaps with the APT41 activity mentioned above, and some researchers believe the group works for the Chinese government. MoonBounce does not hide on the computer's hard drive. Instead, it hides in the UEFI firmware, and it is this location that keeps it out of sight of antivirus software, which scans the disk and the running operating system rather than the firmware stored in the flash chip.

As noted by Kaspersky in its official release, the MoonBounce implant is hidden within the Unified Extensible Firmware Interface (UEFI), an essential part of modern computers. Kaspersky says such implants are notoriously difficult to remove and offer limited visibility to security products. The malware was first observed in 2021 and has a sophisticated attack flow, with evident advancement over previously known UEFI firmware bootkits. In other words, it is one of the most advanced UEFI implants found to date.
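The practical implication of the two preceding paragraphs is that a firmware-resident implant has to be looked for in the SPI flash image itself rather than on disk. The following Python is an added example, not code from Kaspersky's report or from any MoonBounce analysis: it walks a flash image for UEFI firmware volume headers, hashes each volume, and diffs a dumped image against a trusted reference image volume by volume. The two images are constructed inline so the script runs offline; on a real machine the dump would come from a tool such as `flashrom -p internal -r dump.bin` or `chipsec_util spi dump dump.bin`, and the reference from the vendor's firmware update package for the exact version the machine should be running.

```python
import hashlib
import struct

# Layout of EFI_FIRMWARE_VOLUME_HEADER (UEFI Platform Initialization spec):
#   ZeroVector[16], FileSystemGuid[16], FvLength (u64), Signature "_FVH" (u32),
#   Attributes (u32), HeaderLength (u16), Checksum (u16), ExtHeaderOffset (u16),
#   Reserved (u8), Revision (u8)  -> 56 bytes, with the signature at offset 40.
FV_SIGNATURE = b"_FVH"
FV_HEADER_FMT = "<16s16sQ4sIHHHBB"
FV_HEADER_SIZE = struct.calcsize(FV_HEADER_FMT)  # 56


def fv_header_checksum(header: bytes) -> int:
    """Checksum value that makes the header's 16-bit words sum to zero (mod 2^16)."""
    words = struct.unpack("<%dH" % (len(header) // 2), header)
    return (-sum(words)) & 0xFFFF


def find_firmware_volumes(image: bytes):
    """Return [(offset, length), ...] for every well-formed firmware volume in a flash image.

    A volume is accepted only if its header fits, FvLength fits inside the image and
    the header checksums to zero, so stray "_FVH" bytes in padding or data are ignored.
    """
    volumes = []
    pos = 0
    while (sig := image.find(FV_SIGNATURE, pos)) >= 0:
        start = sig - 40
        pos = sig + 1
        if start < 0 or start + FV_HEADER_SIZE > len(image):
            continue
        fv_length = struct.unpack_from("<Q", image, start + 32)[0]
        hdr_len = struct.unpack_from("<H", image, start + 48)[0]
        if fv_length < FV_HEADER_SIZE or hdr_len < FV_HEADER_SIZE or hdr_len % 2:
            continue
        if hdr_len > fv_length or start + fv_length > len(image):
            continue
        header = image[start:start + hdr_len]
        if sum(struct.unpack("<%dH" % (hdr_len // 2), header)) & 0xFFFF:
            continue
        volumes.append((start, fv_length))
        pos = start + fv_length  # skip the volume body; nested signatures are not re-scanned
    return volumes


def volume_digests(image: bytes) -> dict:
    """Map each volume's offset to the SHA-256 of its full contents (header included)."""
    return {off: hashlib.sha256(image[off:off + length]).hexdigest()
            for off, length in find_firmware_volumes(image)}


def compare_images(reference: bytes, dumped: bytes) -> dict:
    """Diff a dumped SPI image against a trusted reference, one firmware volume at a time."""
    ref, dump = volume_digests(reference), volume_digests(dumped)
    return {
        "modified": sorted(o for o in dump if o in ref and dump[o] != ref[o]),
        "added": sorted(o for o in dump if o not in ref),
        "missing": sorted(o for o in ref if o not in dump),
    }


def make_volume(payload: bytes, total_length: int) -> bytes:
    """Build a minimal, checksum-correct firmware volume around a constructed payload."""
    fields = [b"\x00" * 16, b"\x11" * 16, total_length, FV_SIGNATURE, 0,
              FV_HEADER_SIZE, 0, 0, 0, 2]
    fields[6] = fv_header_checksum(struct.pack(FV_HEADER_FMT, *fields))
    header = struct.pack(FV_HEADER_FMT, *fields)
    return header + payload.ljust(total_length - FV_HEADER_SIZE, b"\xff")


# Constructed stand-in for a vendor reference image: two volumes separated by erased (0xFF) flash.
PAD = b"\xff" * 64
REFERENCE_IMAGE = (PAD + make_volume(b"PEI modules (constructed)", 512)
                   + PAD + make_volume(b"DXE modules incl. CORE_DXE (constructed)", 1024))

# Constructed "dumped" image: same layout, but bytes inside the DXE volume were altered,
# which is the kind of change a firmware-resident implant leaves behind.
DXE_VOLUME_OFFSET = 64 + 512 + 64  # 640
_dump = bytearray(REFERENCE_IMAGE)
_dump[DXE_VOLUME_OFFSET + 200:DXE_VOLUME_OFFSET + 208] = b"implant!"
DUMPED_IMAGE = bytes(_dump)

if __name__ == "__main__":
    print("volumes:", find_firmware_volumes(REFERENCE_IMAGE))
    print("diff:", compare_images(REFERENCE_IMAGE, DUMPED_IMAGE))
```

Two caveats apply. A software dump is read through the very firmware being audited, so an implant that controls the platform could in principle serve a clean copy; reading the chip with an external programmer removes that dependency. And because each volume is hashed as a unit, a legitimate vendor update also shows up as "modified", so the reference must be the exact firmware version the machine is expected to run.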