A new malware strain that can survive operating system reinstalls was spotted last year secretly hiding on a computer, according to the antivirus provider Kaspersky.
The company discovered the Windows-based malware last spring running on a single computer. How the malicious code infected the system remains unclear. But the malware was designed to operate on the computer’s UEFI firmware, which helps boot up the system.
The malware, dubbed MoonBounce, is especially scary because it installs itself on the motherboard’s SPI flash memory, instead of the computer’s storage drive. Hence, the malware can persist even if you reinstall the computer’s OS or swap out the storage.
“What’s more, because the code is located outside of the hard drive, such bootkits’ activity goes virtually undetected by most security solutions unless they have a feature that specifically scans this part of the device,” Kaspersky said.
The discovery marks the third time the security community has uncovered UEFI-based malware designed to persist in a computer’s flash memory. The previous two are LoJax, found infecting a victim’s computer in 2018, and MosaicRegressor, found on machines belonging to two victims in 2020.
The new strain, MoonBounce, was designed to retrieve additional malware payloads to be installed on the victim’s computer. But according to Kaspersky, MoonBounce is even more advanced and stealthy because it can use a “previously benign” core component in the motherboard’s firmware to facilitate malware deployment.
“The infection chain itself does not leave any traces on the hard drive, since its components operate in memory only, thus facilitating a fileless attack with a small footprint,” the
Read more on pcmag.com