ESPecter Bootkit Has Been Secretly Active Since 2012


ESET researchers have found a previously undocumented Unified Extensible Firmware Interface (UEFI) bootkit that bypasses the Secure Boot protection. The bootkit, called ESPecter, defeats Windows Driver Signature Enforcement in order to load its own unsigned driver. It persists in the EFI System Partition (ESP) of compromised devices. ESPecter has keylogging and document theft capabilities.

ESET researchers traced the roots of this threat back to at least 2012, when it operated as a bootkit for systems with legacy BIOSes. Despite ESPecter's long life, its operations and its upgrade to UEFI went unnoticed. At first it used MBR modification as its persistence method, and its authors kept adding support for new Windows OS versions; over the course of almost a decade, little else changed.

After those years of small changes, those behind ESPecter moved their malware from legacy BIOS systems to modern UEFI systems. They did so by modifying a legitimate Windows Boot Manager binary (bootmgfw.efi) located on the ESP, while supporting multiple Windows versions spanning Windows 7 through Windows 10. Because the modified boot manager is no longer validly signed, Secure Boot must be disabled on the machine for it to boot successfully.

By patching the Windows Boot Manager, the attackers can execute malicious code in the early stages of the system boot process, before the operating system is fully loaded. This allows ESPecter to bypass Windows Driver Signature Enforcement (DSE) in order to execute its own unsigned driver at system startup. That driver then injects further user-mode components into specific system processes, initiates communication with ESPecter's C&C server, and lets the attacker download and run additional malware.

UEFI is the firmware built into modern computers and devices, and it plays a crucial role in securing the pre-OS environment and loading the operating system. It is no surprise that such a technology has become a target for attackers. To protect against the ESPecter bootkit, keep your firmware up to date. Administrators should also enable Secure Boot, since ESPecter's modified boot manager cannot load while it is on.
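As an added defender-side check, not part of ESET's research or this article, the following PowerShell verifies the two conditions described above: whether Secure Boot is on, and whether the Windows Boot Manager on the ESP still carries a valid Microsoft signature and matches the copy the OS keeps for boot repair. It assumes an elevated session on a UEFI Windows 7 through 10 system, that drive letter S: is free, and that the reference copy lives at %SystemRoot%\Boot\EFI\bootmgfw.efi.

```powershell
# Added defensive check (not from ESET's research or the article): confirm Secure Boot state
# and the integrity of bootmgfw.efi on the EFI System Partition. Run from an elevated prompt.
# Assumptions: S: is unused, and the OS reference copy is under $env:SystemRoot\Boot\EFI.
$espLetter  = 'S:'
$espBootMgr = "$espLetter\EFI\Microsoft\Boot\bootmgfw.efi"
$refBootMgr = "$env:SystemRoot\Boot\EFI\bootmgfw.efi"

# 1. Secure Boot state: a patched, unsigned boot manager can only load when Secure Boot is off.
try {
    $secureBoot = Confirm-SecureBootUEFI
} catch {
    $secureBoot = $null   # throws on legacy-BIOS machines or when not running as administrator
}
$sbText = if ($null -eq $secureBoot) { 'unknown' } else { $secureBoot }
Write-Output "Secure Boot enabled: $sbText"

# 2. Mount the ESP (mountvol /S assigns the given letter to the EFI System Partition).
mountvol $espLetter /S | Out-Null
try {
    if (-not (Test-Path $espBootMgr)) { throw "Boot manager not found at $espBootMgr" }

    # 3. Authenticode check: a boot manager patched on disk no longer validates as Microsoft-signed.
    $sig     = Get-AuthenticodeSignature -FilePath $espBootMgr
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { 'no signer' }
    Write-Output "Signature status: $($sig.Status) ($subject)"

    # 4. Compare with the OS reference copy. A mismatch is a lead, not proof: the two copies can
    #    legitimately differ after a Windows update, so verify the signature result first.
    $espHash = (Get-FileHash -Algorithm SHA256 -Path $espBootMgr).Hash
    $refHash = (Get-FileHash -Algorithm SHA256 -Path $refBootMgr).Hash
    Write-Output "ESP bootmgfw.efi SHA256: $espHash"
    Write-Output "Matches reference copy:  $($espHash -eq $refHash)"

    if ($sig.Status -ne 'Valid' -or $secureBoot -ne $true) {
        Write-Warning 'Investigate: boot manager signature invalid and/or Secure Boot disabled.'
    }
} finally {
    mountvol $espLetter /D | Out-Null   # always unmount the ESP again
}
```

A signature status other than Valid on the ESP copy is the strongest indicator here; the hash comparison only adds confidence when both copies come from the same Windows build.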