MoonBounce is a UEFI implant that was discovered in the CORE_DXE component of a malware sample. The implant is a malicious driver that is loaded into memory at boot time through a multistage infection chain. Once the operating system is up and running, the driver deploys user-mode malware by injecting it into an svchost.exe process. During system startup, the implant uses inline hooks to propagate malicious code to other boot components. The hooked functions in the EFI_BOOT_SERVICES table are AllocatePool, CreateEventEx, and ExitBootServices. The implant was discovered on July 18, 2014.
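
For defenders, the inline hooks described above can be checked from a memory dump. The following is an added example, not code from the original page or from any vendor tool: it compares the entry bytes of the three named boot services against a known-good firmware image and flags a rel32 call or jump whose target leaves that image. The addresses, byte values, and the E8/E9 redirect forms are constructed assumptions; the page does not say which instruction the hooks use.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PROLOGUE_LEN 8
enum verdict { CLEAN, MODIFIED, REDIRECT_OUTSIDE_IMAGE };

struct service {
    const char *name;               /* boot service named on the page */
    uint64_t addr;                  /* entry address in the dump (constructed) */
    uint8_t baseline[PROLOGUE_LEN]; /* bytes from the known-good image */
    uint8_t observed[PROLOGUE_LEN]; /* bytes read from the memory dump */
};

/* Decode CALL rel32 (E8) or JMP rel32 (E9): target = addr + 5 + disp. */
static int rel32_target(const struct service *s, uint64_t *target) {
    const uint8_t *b = s->observed;
    if (b[0] != 0xE8 && b[0] != 0xE9) return 0;
    uint32_t raw = b[1] | (uint32_t)b[2] << 8 | (uint32_t)b[3] << 16 | (uint32_t)b[4] << 24;
    int64_t disp = (raw & 0x80000000u) ? (int64_t)raw - 0x100000000LL : (int64_t)raw;
    *target = s->addr + 5 + (uint64_t)disp;
    return 1;
}

static enum verdict check_service(const struct service *s, uint64_t base, uint64_t size) {
    uint64_t target;
    if (memcmp(s->baseline, s->observed, PROLOGUE_LEN) == 0) return CLEAN;
    if (rel32_target(s, &target) && (target < base || target >= base + size))
        return REDIRECT_OUTSIDE_IMAGE;
    return MODIFIED; /* bytes changed, but no rel32 redirect leaving the image */
}

/* Constructed sample data: addresses and bytes are illustrative only. */
#define IMAGE_BASE 0x7F000000ULL
#define IMAGE_SIZE 0x00100000ULL
#define GOOD {0x48, 0x89, 0x5C, 0x24, 0x08, 0x57, 0x48, 0x83}
static const struct service SAMPLE[] = {
    {"AllocatePool",     0x7F001000ULL, GOOD, {0xE8, 0xFB, 0xEF, 0x1F, 0x00, 0x57, 0x48, 0x83}},
    {"CreateEventEx",    0x7F001800ULL, GOOD, GOOD},
    {"ExitBootServices", 0x7F002000ULL, GOOD, {0xE9, 0xFB, 0xDF, 0xFE, 0xFF, 0x57, 0x48, 0x83}},
};

int main(void) {
    static const char *label[] = {"clean", "modified", "redirect outside image"};
    for (size_t i = 0; i < sizeof SAMPLE / sizeof SAMPLE[0]; i++)
        printf("%-16s %s\n", SAMPLE[i].name,
               label[check_service(&SAMPLE[i], IMAGE_BASE, IMAGE_SIZE)]);
    return 0;
}
```

A `MODIFIED` verdict still warrants review, since a hook can use a redirect form other than the two decoded here.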