Hello, welcome to the Tuesday, January 25th, 2020 edition of the Sands and the Storm Center's Stormcast.

My name is Johannes Ulrich.

And I'm recording from Jacksonville, Florida.

Gispersky has a write-up of what they call moonbounds, a new type of UEFI, a malware that malware that is well even more difficult to remove than

some of the malware that we have seen in the past. Now with UAFI you do have multiple components.

One is the SPI flash, that's the serial peripheral interface flash, a little bit of flash memory that sort of has

the basic firmware that's being used to boot the computer. But then you also do have a special

partition, an EFI system partition, that may contain things like parameters and such for UFI to boot.

Now the ESP, the EFI system partition, that's on your hard drive.

It's not on this flash memory.

Breyer Malware did mostly focus on the ESP.

So that meant if you swapped your hard drive, you were good.

You basically had a clean system. What Kasperski is now observing is Malver that actually makes

some subtle changes to the SPI flash. And with that, swapping your hard drive is no longer really going to clean

the system. So the usual repartition reinstall trick is not going to cut it here. And well,

what the Mallory does very briefly here, more details in Kasperski's report. It's not really possible to summarize it all here in the

podcast, but once you boot the system, components from SPI Flash are copied and injected

into the Windows loader in the Windows kernel, which then is used to essentially reinfect

the system if you had it cleaned up

before.

Kaspersky does speculate that this originates from a particular advanced persistent threat

group and was a targeted attack.

...