MoonBounce: the dark side of UEFI firmware

MoonBounce is a sophisticated UEFI firmware implant that persists in SPI flash and chains into a memory-resident, fileless malware deployment, attributed to APT41. The campaign also features ScrambleCross loaders (StealthVector and StealthMutant) and multiple related pieces of malware, demonstrating a highly capable, China-linked threat group operating across firmware and in-memory stages.
#MoonBounce #APT41 #ScrambleCross #StealthVector #StealthMutant #Microcin

Keypoints

  • The MoonBounce implant resides in UEFI firmware (CORE_DXE) and hooks EFI Boot Services to divert boot-time execution flow with malicious shellcode.
  • The firmware-level compromise persists across disk formatting because the implant sits in SPI flash on the motherboard.
  • A multi-stage infection deploys user-mode malware in memory, starting from a kernel-mode driver that injects into svchost.exe and reaches a C2 to fetch more payloads.
  • ScrambleCross (SideWalk) and StealthVector/StealthMutant loaders operate in memory, often abusing IAT patching of wbemcomn.dll to load StealthVector.
  • The operation also uses a Go implant, Mimikat_ssp, Microcin, and other artifacts typical of Chinese-speaking actors, with overlaps to known APT41 activity and related groups.
  • Observed ATT&CK-style techniques include pre-OS boot compromise, kernel- and user-mode provisioning, credential dumping (NTDS), WMI-based lateral movement, and scheduled-task execution for persistence.

MITRE Techniques

  • [T1542.003] Pre-OS Boot – MoonBounce implants firmware and hooks EFI Boot Services to intercept boot-time flow with malicious shellcode. “The source of the infection starts with a set of hooks that intercept the execution of several functions in the EFI Boot Services Table…”
  • [T1055] Process Injection – Deploys user-mode malware by injecting into svchost.exe during early Windows kernel phases. “The driver, which runs during the initial phases of the kernel’s execution, is in charge of deploying user-mode malware by injecting it into an svchost.exe process.”
  • [T1098] Exfiltration Over C2 Channel / [T1105] Ingress Tool Transfer – Downloads additional payloads from a hardcoded C2 URL to run in memory. “reaches out to a hardcoded C&C URL … and attempts to fetch another stage of the payload to run in memory”
  • [T1053.005] Scheduled Task – StealthMutant and related components are launched via scheduled tasks and batch installers. “schtasks /create … /F …”
  • [T1218.001] Signed Binary Proxy Execution: InstallUtil – StealthMutant is executed via InstallUtil.exe with a config and targets file. “The launching utility in turn uses the .NET InstallUtil.exe application…”
  • [T1021.001] Remote Services (SMB/Windows Admin Shares) – PsExec-like remote command execution used to move laterally. “Usage of the Sysinternals Psexec tool for remote command execution in the network…”
  • [T1047] WMI – WMI-based remote command execution to run commands on remote hosts. “Usage of WMI for remote command execution”
  • [T1003.003] NTDS – Credential dumping from Active Directory database (NTDS) observed via commands and tools. “dump the Active Directory domain database (tid)…”
  • [T1574.002] Hijack Execution Flow: DLL Search Order Hijacking – IAT patching of wbemcomn.dll to force loading of StealthVector. “import address table is patched to append the malware’s DLL as a dependency.”
  • [T1027] Obfuscated/Compressed Files and Information – Shellcode and payloads encrypted (AES-128/AES-256) and decrypted at runtime. “encrypting shellcode … AES-256”
  • [T1055.012] Process Injection: Dynamic-link Library – Patch and load of malicious DLLs (e.g., wbwkem.dll, wkbem.dll) into system processes. “Loader Filename … Loader MD5 … Shellcode Filename” (illustrative mapping)
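The IAT-patching technique above leaves a visible trace: the patched wbemcomn.dll gains an import entry for a DLL that the original build never referenced. The Python below is an added example, not code from the Securelist report or from any tooling it describes; it parses a PE file's import directory (PE32 and PE32+) and flags import DLL names missing from an allowlist, and separately flags any import that matches the loader filenames listed as IoCs on this page. The allowlist for a real wbemcomn.dll has to be derived from a known-good copy of the same build; `build_sample_pe` and the `kernel32.dll`/`ole32.dll` names are constructed fixtures for this demo only.

```python
import struct

# Loader DLL filenames the page lists as IoCs for the IAT-patching stage
KNOWN_LOADER_NAMES = {"wbwkem.dll", "wkbem.dll", "wmiwk.dll"}


def _rva_to_offset(rva, sections):
    """Translate an RVA to a file offset using the section table."""
    for va, vsize, raw_size, raw_ptr in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    if sections and rva < sections[0][0]:
        return rva  # inside the headers, which are mapped 1:1
    raise ValueError("RVA 0x%x is not backed by any section" % rva)


def _cstring(data, off):
    """Read a NUL-terminated ASCII string at a file offset."""
    end = data.index(b"\0", off)
    return data[off:end].decode("ascii", errors="replace")


def import_dll_names(data):
    """Return the DLL names in a PE32/PE32+ import directory, in table order."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # COFF header: NumberOfSections at +2, SizeOfOptionalHeader at +16
    num_sections, opt_size = struct.unpack_from("<H12xH", data, coff + 2)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:        # PE32: data directories start at +96
        datadir = opt + 96
    elif magic == 0x20B:      # PE32+: data directories start at +112
        datadir = opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    import_rva, _import_size = struct.unpack_from("<II", data, datadir + 8)  # entry 1
    sections = []
    sec = opt + opt_size
    for _ in range(num_sections):
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, sec + 8)
        sections.append((va, vsize, raw_size, raw_ptr))
        sec += 40
    names = []
    if import_rva == 0:
        return names  # no import directory at all
    off = _rva_to_offset(import_rva, sections)
    while off + 20 <= len(data):
        _, _, _, name_rva, first_thunk = struct.unpack_from("<IIIII", data, off)
        if name_rva == 0 and first_thunk == 0:
            break  # an all-zero descriptor terminates the table
        names.append(_cstring(data, _rva_to_offset(name_rva, sections)))
        off += 20
    return names


def unexpected_imports(data, allowlist):
    """Imported DLL names not on the (case-insensitive) allowlist for this binary."""
    allowed = {a.lower() for a in allowlist}
    return [n for n in import_dll_names(data) if n.lower() not in allowed]


def known_loader_hits(data):
    """Imported DLL names that match the loader filenames reported as IoCs."""
    return [n for n in import_dll_names(data) if n.lower() in KNOWN_LOADER_NAMES]


def build_sample_pe(dll_names):
    """Construct a minimal PE32 file whose import directory names `dll_names`.
    This is a constructed fixture for the example; it is not a real or loadable binary."""
    sec_rva, sec_off = 0x1000, 0x200
    desc_size = (len(dll_names) + 1) * 20
    names_blob, name_rvas = b"", []
    for name in dll_names:
        name_rvas.append(sec_rva + desc_size + len(names_blob))
        names_blob += name.encode("ascii") + b"\0"
    thunk_rva = (sec_rva + desc_size + len(names_blob) + 3) & ~3  # 4-byte aligned
    descs = b"".join(struct.pack("<IIIII", 0, 0, 0, rva, thunk_rva) for rva in name_rvas)
    descs += bytes(20)  # terminating descriptor
    body = descs + names_blob
    body += bytes(thunk_rva - sec_rva - len(body)) + bytes(4)  # pad, then empty thunk list
    dos = b"MZ" + bytes(0x3C - 2) + struct.pack("<I", 0x40)       # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)
    opt = struct.pack("<H", 0x10B) + bytes(90) + struct.pack("<I", 16)
    opt += bytes(8) + struct.pack("<II", sec_rva, desc_size) + bytes(8 * 14)
    section = struct.pack("<8sIIIIIIHHI", b".idata", len(body), sec_rva,
                          len(body), sec_off, 0, 0, 0, 0, 0x40000040)
    headers = dos + b"PE\0\0" + coff + opt + section
    return headers + bytes(sec_off - len(headers)) + body


if __name__ == "__main__":
    baseline = ["kernel32.dll", "ole32.dll"]          # constructed allowlist
    patched = build_sample_pe(baseline + ["wbwkem.dll"])
    print("unexpected:", unexpected_imports(patched, baseline))
    print("loader IoC hits:", known_loader_hits(patched))
```

On a live host the same functions run over `open(path, "rb").read()` for the copy of wbemcomn.dll in System32; the allowlist comparison catches any appended dependency, while `known_loader_hits` only catches the specific filenames from this campaign, so the allowlist check is the one worth keeping in a recurring integrity job.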

Indicators of Compromise

  • [IP] network – 188.166.61.146, 172.107.231.236 (ScrambleCross Go/Microcin infrastructure) – used for C2 or hosting
  • [Domain] C2 domains – mb.glbaitech[.]com (MoonBounce), ns.glbaitech[.]com, dev.kinopoisksu[.]com, st.kinopoisksu[.]com
  • [MD5] file hash – C3B153347AED27435A18E789D8B67E0A (wbwkem.dll), 4D5EB9F6F501B4F6EDF981A3C6C4D6FA (wbwkem.dll loader)
  • [MD5] file hash – E7155C355C90DC113476DDCF765B187D (wkbem.dll loader), 899608DE6B59C63B4AE219C3C13502F5 (wmiwk.dll loader)
  • [File] Loader names – wbwkem.dll, wkbem.dll, wmiwk.dll, Microsoft.Service.Watch.targets, MstUtil.exe.config
  • [URL] C2 and payloads – hxxp://mb.glbaitech[.]com/mboard.dll
  • [Domain/IP] ScrambleCross/IAT patching indicators – ns.glbaitech[.]com, 172.107.231.236, and other related domains

Read more: https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/