MoonBounce malware survives OS reinstallations

Shaun M Jooste


As many of you may know, specifically if you’ve had malware issues on your PC, reinstalling your operating system usually does the trick in removing the malicious content. However, it appears that MoonBounce is a new strain that lives in the computer’s memory and UEFI firmware. What this means is that it will carry over into the OS reinstallation, as it doesn’t store files on the hard drive.

The discovery was made by Kaspersky, a company noted for its anti-malware and antivirus software. It started when they found a PC infected with malware and could not tell how it got there. Further investigation made it clear that the implant was hiding in the system's UEFI firmware, which is why scanning the storage drives turned up nothing.


However, this isn’t the first time that UEFI malware has been discovered. LoJax appeared in 2018 and MosaicRegressor in 2020. Kaspersky indicates that MoonBounce is more potent, as it has a more complicated infection workflow that is harder to unravel. It also has advanced technical sophistication, which is tech terminology for saying it’s incredibly intelligent.


MoonBounce works by implanting itself in the CORE_DXE component of the UEFI firmware, a core part of the code that boots your computer. When the firmware calls certain boot functions, the implant intercepts them and passes its malicious code along into the operating system as it loads. So even if you reinstall the OS, the process simply repeats on the next boot.
Kaspersky is working on ways to detect and remove UEFI malware like MoonBounce using bootkit and firmware scanners.

Since the infection leaves no trace on hard drives, firmware scanning appears to be the best solution going forward. Until then, we recommend updating your UEFI firmware (the BIOS). To do so, check the website of your motherboard’s manufacturer for the latest release.
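As an added example (not code from the article or from Kaspersky), here is a small Python check in the spirit of the firmware scanners mentioned above: it walks the firmware volumes in a dumped SPI flash image, locates the DxeCore (CORE_DXE) module by its EDK2 file GUID, and compares its hash with a baseline taken from the vendor's clean firmware image. It assumes an uncompressed FFS2 layout with standard 24-byte file headers, and the sample volume it parses is constructed inline rather than read from real hardware.

```python
import hashlib, struct, uuid

# FFS file-name GUID of EDK2's DxeCore module, i.e. the CORE_DXE driver the article describes.
DXE_CORE_GUID = uuid.UUID("D6A2CB7F-6A18-4E2F-B43B-9920A733700A")
FFS_HDR_LEN = 24  # EFI_FFS_FILE_HEADER; the large-file header variant is not handled here

def iter_ffs_files(image: bytes):
    """Yield (guid, raw_file_bytes) for each FFS file in every firmware volume found in a dump."""
    pos = 0
    while (sig := image.find(b"_FVH", pos)) >= 0:
        fv_start, pos = sig - 40, sig + 4            # "_FVH" sits 40 bytes into the volume header
        if fv_start < 0:
            continue
        fv_len, = struct.unpack_from("<Q", image, fv_start + 32)
        hdr_len, = struct.unpack_from("<H", image, fv_start + 48)
        off, end = fv_start + hdr_len, min(fv_start + fv_len, len(image))
        while off + FFS_HDR_LEN <= end:
            hdr = image[off:off + FFS_HDR_LEN]
            if hdr == b"\xff" * FFS_HDR_LEN:         # erased flash: no more files in this volume
                break
            size = int.from_bytes(hdr[20:23], "little")  # 24-bit file size, header included
            if size < FFS_HDR_LEN or off + size > end:
                break                                # corrupt or truncated file
            yield uuid.UUID(bytes_le=hdr[:16]), image[off:off + size]
            off = (off + size + 7) & ~7              # files are 8-byte aligned

def dxe_core_sha256(image: bytes):
    """SHA-256 of the DxeCore FFS file in the dump, or None if the module is not present."""
    for guid, blob in iter_ffs_files(image):
        if guid == DXE_CORE_GUID:
            return hashlib.sha256(blob).hexdigest()
    return None

def verify_dxe_core(image: bytes, known_good_sha256: str) -> bool:
    """Compare the dump's DxeCore with a hash taken from the vendor's clean firmware image."""
    return dxe_core_sha256(image) == known_good_sha256

def build_test_volume(dxe_core_body: bytes) -> bytes:
    """Construct a minimal firmware volume holding one DxeCore file (synthetic data, not a real dump)."""
    size = FFS_HDR_LEN + len(dxe_core_body)
    ffs = (DXE_CORE_GUID.bytes_le + b"\x00\x00" + b"\x05\x00"       # name, checksum, type DXE_CORE, attrs
           + size.to_bytes(3, "little") + b"\xf8" + dxe_core_body)  # 24-bit size, state bits, body
    ffs += b"\xff" * (-len(ffs) % 8)                 # pad to the 8-byte file alignment
    fv_len = 72 + len(ffs) + 16                      # 72-byte header (56 + block map), files, erased tail
    header = (bytes(32)                              # zero vector; file-system GUID left zero here
              + struct.pack("<Q", fv_len) + b"_FVH" + struct.pack("<IHHHBB", 0, 72, 0, 0, 0, 2)
              + struct.pack("<IIII", 1, fv_len, 0, 0))  # one block of fv_len bytes, then terminator
    return header + ffs + b"\xff" * 16
```

Against a real dump, the baseline hash should come from the same firmware version as the board is running, otherwise a legitimate vendor update will look like tampering.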
