New MoonBounce UEFI Bootkit Can’t Be Removed by Replacing the Hard Drive

Security researchers from Kaspersky said they have discovered a novel bootkit that can infect a computer’s UEFI firmware. From a report: What makes MoonBounce — the name they gave the bootkit — special is the fact that the malware doesn’t burrow and hide inside a section of the hard drive named ESP (EFI System Partition), where some UEFI code typically resides, but instead it infects the SPI flaws memory that is found on the motherboard. This means that, unlike similar bootkits, defenders can’t reinstall the operating system and replace the hard drive, as the bootkit will continue to remain on the infected device until the SPI memory is re-flashed (a very complex process) or the motherboard is replaced. According to Kaspersky, MoonBounce marks the third UEFI bootkit they have seen so far that can infect and live inside the SPI memory, following previous cases such as LoJax and MosaicRegressor. Furthermore, MoonBounce’s discovery also comes after researchers have also found additional UEFI bootkits in recent months, such as ESPectre, FinSpy’s UEFI bootkit, and others, which has led the Kaspersky team to conclude that what was once considered unachievable following the rollout of the UEFI standard has gradually become the norm. Read more of this story at Slashdot.