Formatting your hard drive won't remove this malware

Researchers at security firm Kaspersky have discovered malware that launches before the operating system boots. Usually, removing a virus or other malware from a hard disk involves running an antivirus scan that repairs the infected files or deletes the malware and installs clean replacements. But this malware launches even before those files load, meaning that antivirus tools can't remove it, and formatting the computer's hard drive will likely not help either.

The malware, called MoonBounce, is not located on the hard drive. Instead it resides in the SPI flash memory of the motherboard. SPI stands for Serial Peripheral Interface, a basic protocol used to communicate with other devices, especially serial flash chips. Flash memory is a type of non-volatile storage that is rewritable and can be erased electrically. This type of storage has become widespread in the embedded industry and is mostly used in portable devices. Removing malware like this means reflashing that memory, a complex process that most mainstream users cannot do. It could also require replacing the PC's entire motherboard.

Malware like this is called a bootkit, and it can only be removed by the complex process of re-flashing the SPI memory or by replacing the motherboard.
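As an added, defender-side illustration (not code from the Kaspersky report or this article): because the implant lives in SPI flash rather than on disk, the practical integrity check is to dump the flash with a hardware programmer or the vendor's tool and compare it region by region against the vendor's known-good image. The region map and both sample images below are constructed assumptions, not a real board layout or real firmware.

```python
import hashlib
from typing import Dict, List, Tuple

# Hypothetical region map for a small constructed SPI flash image:
# name -> (offset, length). Real boards publish their own layout
# (descriptor, management engine, BIOS region, ...); these are made up.
REGION_MAP: Dict[str, Tuple[int, int]] = {
    "descriptor": (0x0000, 0x0100),
    "dxe_core":   (0x0100, 0x0300),
    "boot_block": (0x0400, 0x0200),
}

def region_hashes(image: bytes, region_map: Dict[str, Tuple[int, int]]) -> Dict[str, str]:
    """SHA-256 of every mapped region of a flash image."""
    hashes = {}
    for name, (offset, length) in region_map.items():
        chunk = image[offset:offset + length]
        if len(chunk) != length:
            raise ValueError(f"image too short for region {name}")
        hashes[name] = hashlib.sha256(chunk).hexdigest()
    return hashes

def modified_regions(baseline: bytes, dump: bytes,
                     region_map: Dict[str, Tuple[int, int]]) -> List[str]:
    """Names of regions whose content differs between vendor baseline and live dump."""
    if len(baseline) != len(dump):
        raise ValueError("flash images differ in size; wrong image or truncated dump")
    base = region_hashes(baseline, region_map)
    live = region_hashes(dump, region_map)
    return [name for name in region_map if base[name] != live[name]]

def first_diff_offset(baseline: bytes, dump: bytes) -> int:
    """Byte offset of the first differing byte, or -1 if the images are identical."""
    for i, (a, b) in enumerate(zip(baseline, dump)):
        if a != b:
            return i
    return -1

# Constructed sample: a 0x600-byte "vendor" image and a copy in which one
# component inside the dxe_core region has been overwritten (no real firmware).
VENDOR_IMAGE = bytes((i * 7) & 0xFF for i in range(0x600))
_tampered = bytearray(VENDOR_IMAGE)
_tampered[0x250:0x260] = b"\x90" * 16
TAMPERED_DUMP = bytes(_tampered)

if __name__ == "__main__":
    print("modified regions:", modified_regions(VENDOR_IMAGE, TAMPERED_DUMP, REGION_MAP))
    print("first differing offset: 0x%x" % first_diff_offset(VENDOR_IMAGE, TAMPERED_DUMP))
```

A differing region is only a lead: vendor updates, NVRAM variable stores and serial-number areas also change legitimately, so the baseline must be the exact firmware version the board shipped with and volatile regions should be excluded from the map.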


“Such implants are notoriously difficult to remove and are of limited visibility to security products,” Kaspersky said in a report.

“Having first appeared in the wild in the spring of 2021, MoonBounce demonstrates a sophisticated attack flow, with evident advancement in comparison to formerly reported UEFI firmware bootkits,” the report added.

Kaspersky researchers attributed the campaign to the infamous advanced persistent threat actor APT41. Because the activity takes place outside the hard drive, it largely goes undetected by most security solutions, the firm said. MoonBounce is the third reported UEFI bootkit found in the wild, according to Kaspersky, and was first detected in the spring of 2021. The previous two discovered bootkits are LoJax and MosaicRegressor.


“The exact infection vector remains unknown; however, it is assumed that the infection occurs through remote access to the targeted machine. MoonBounce modifies an existing firmware component for a stealthier and more subtle attack,” Kaspersky said.
