win.moonbounce

MoonBounce

Actor(s): APT41


MoonBounce is malware embedded in a modified UEFI firmware image. Because it lives in the SPI flash chip on the mainboard rather than on disk, it survives a full operating-system reinstall and even replacement of the disk. At runtime it stages and deploys its user-mode payload in memory, leaving only a small footprint on disk.
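The practical consequence of an SPI-flash implant is that disk-level forensics will not find it; the check has to be run on a dump of the flash itself (for example one taken with flashrom or chipsec) against a known-good vendor image. The script below is an added example, not code from Malpedia, Kaspersky or Binarly: it parses the EFI_FIRMWARE_VOLUME_HEADER structures in a firmware image (layout per the UEFI PI specification), hashes each firmware volume, and reports which volumes differ between a reference image and a suspect dump. The two images it operates on are constructed in the block, a reference with two volumes and a copy with one byte patched inside the second volume's body, standing in for the in-place modification of a DXE-phase component that the Kaspersky report describes for MoonBounce.

```python
import hashlib
import struct
import uuid

FV_SIGNATURE = b"_FVH"
# EFI_FIRMWARE_FILE_SYSTEM2_GUID from the UEFI PI specification.
FFS2_GUID = uuid.UUID("8C8CE578-8A3D-4F1C-9935-896185C32DD3")
FV_MIN_HEADER = 56 + 8 + 8  # fixed fields + one block-map entry + {0,0} terminator


def _header_checksum(header: bytes) -> int:
    """Sum of the header's 16-bit words mod 2^16; the PI spec requires it to be zero."""
    n = len(header) // 2
    return sum(struct.unpack("<%dH" % n, header[: n * 2])) & 0xFFFF


def build_volume(guid: uuid.UUID, body: bytes, block_size: int = 0x1000) -> bytes:
    """Construct a minimal, spec-shaped firmware volume around `body` (test data only)."""
    total = FV_MIN_HEADER + len(body)
    num_blocks = -(-total // block_size)              # ceil division
    fv_len = num_blocks * block_size
    hdr = bytearray(FV_MIN_HEADER)                    # ZeroVector[16] stays zero
    hdr[16:32] = guid.bytes_le                        # FileSystemGuid in EFI_GUID byte order
    struct.pack_into("<Q", hdr, 32, fv_len)           # FvLength
    hdr[40:44] = FV_SIGNATURE                         # Signature "_FVH"
    struct.pack_into("<I", hdr, 44, 0x0004FEFF)       # Attributes (a typical value)
    struct.pack_into("<H", hdr, 48, FV_MIN_HEADER)    # HeaderLength
    hdr[55] = 2                                       # Revision; ExtHeaderOffset stays 0
    struct.pack_into("<II", hdr, 56, num_blocks, block_size)  # block map entry
    struct.pack_into("<II", hdr, 64, 0, 0)            # block map terminator
    # Fill in Checksum so that the 16-bit word sum of the whole header is zero.
    struct.pack_into("<H", hdr, 50, (-_header_checksum(bytes(hdr))) & 0xFFFF)
    return bytes(hdr) + body + b"\xff" * (fv_len - total)


def parse_volumes(image: bytes):
    """Walk a flash image and return every firmware volume with a valid header."""
    volumes = []
    pos = image.find(FV_SIGNATURE)
    while pos != -1:
        start = pos - 40  # Signature sits at offset 40 of the volume header
        if start >= 0 and start + 56 <= len(image):
            fv_len, = struct.unpack_from("<Q", image, start + 32)
            hdr_len, = struct.unpack_from("<H", image, start + 48)
            if (FV_MIN_HEADER <= hdr_len <= fv_len
                    and start + fv_len <= len(image)
                    and _header_checksum(image[start:start + hdr_len]) == 0):
                volumes.append({
                    "offset": start,
                    "length": fv_len,
                    "guid": uuid.UUID(bytes_le=image[start + 16:start + 32]),
                    "sha256": hashlib.sha256(image[start:start + fv_len]).hexdigest(),
                })
                pos = image.find(FV_SIGNATURE, start + fv_len)  # skip past this volume
                continue
        pos = image.find(FV_SIGNATURE, pos + 1)  # stray signature bytes, keep scanning
    return volumes


def diff_images(reference: bytes, dump: bytes):
    """Compare volumes by offset; report changed, missing and unexpected volumes."""
    ref = {v["offset"]: v for v in parse_volumes(reference)}
    cur = {v["offset"]: v for v in parse_volumes(dump)}
    findings = []
    for off in sorted(set(ref) | set(cur)):
        if off not in cur:
            findings.append((off, "missing in dump"))
        elif off not in ref:
            findings.append((off, "unexpected volume in dump"))
        elif ref[off]["sha256"] != cur[off]["sha256"]:
            findings.append((off, "content differs"))
    return findings


# Constructed sample images (not real vendor firmware): a reference with two
# volumes, and a copy with one byte flipped inside the second volume's body.
REFERENCE = (build_volume(FFS2_GUID, b"PEI volume body" * 16)
             + build_volume(FFS2_GUID, b"DXE volume body" * 64))
PATCH_OFFSET = 0x1000 + FV_MIN_HEADER + 16  # inside the second volume's body
_t = bytearray(REFERENCE)
_t[PATCH_OFFSET] ^= 0x41
TAMPERED = bytes(_t)

if __name__ == "__main__":
    for v in parse_volumes(REFERENCE):
        print("volume @0x%06x len=0x%x fs=%s sha256=%s..."
              % (v["offset"], v["length"], v["guid"], v["sha256"][:16]))
    for off, why in diff_images(REFERENCE, TAMPERED):
        print("0x%06x: %s" % (off, why))
```

On a real system the dump comes from something like `flashrom -p internal -r dump.bin` or `chipsec_util spi dump dump.bin`, and the reference is the vendor's capsule or update image for the exact board and BIOS version. Two caveats when reading the output: the NVRAM variable-store volume changes legitimately on every boot, so differences there are expected and that volume should be excluded or compared at the variable level; and a volume-level hash mismatch only localises the change, so the differing volume still has to be unpacked (UEFITool or similar) and compared module by module to see which driver was altered.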

References
2022-05-27 | PTSecurity | Anton Belousov, Aleksey Vishnyakov
@online{belousov:20220527:how:d00c942, author = {Anton Belousov and Aleksey Vishnyakov}, title = {{How bootkits are implemented in modern firmware and how UEFI differs from Legacy BIOS}}, date = {2022-05-27}, organization = {PTSecurity}, url = {https://habr.com/ru/amp/post/668154/}, language = {Russian}, urldate = {2022-05-29} }
Families: LoJax, MoonBounce

2022-01-21 | Binarly | Binarly Team
@online{team:20220121:deeper:14be956, author = {Binarly Team}, title = {{A deeper UEFI dive into MoonBounce}}, date = {2022-01-21}, organization = {Binarly}, url = {https://www.binarly.io/posts/A_deeper_UEFI_dive_into_MoonBounce/index.html}, language = {English}, urldate = {2022-01-25} }
Families: MoonBounce

2022-01-20 | Kaspersky Labs | Mark Lechtik, Vasily Berdnikov, Denis Legezo, Ilya Borisov
@techreport{lechtik:20220120:technical:fa16a24, author = {Mark Lechtik and Vasily Berdnikov and Denis Legezo and Ilya Borisov}, title = {{Technical details of MoonBounce's implementation}}, date = {2022-01-20}, institution = {Kaspersky Labs}, url = {https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/01/19115831/MoonBounce_technical-details_eng.pdf}, language = {English}, urldate = {2022-01-25} }
Families: MoonBounce

2022-01-20 | Kaspersky | Mark Lechtik, Vasily Berdnikov, Denis Legezo, Ilya Borisov
@online{lechtik:20220120:moonbounce:cd173f1, author = {Mark Lechtik and Vasily Berdnikov and Denis Legezo and Ilya Borisov}, title = {{MoonBounce: the dark side of UEFI firmware}}, date = {2022-01-20}, organization = {Kaspersky}, url = {https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/}, language = {English}, urldate = {2022-01-24} }
Families: MoonBounce

There is no YARA signature yet.