DUBAI: ESET researchers have discovered a previously undocumented real-world UEFI bootkit that persists on the EFI System Partition (ESP). The bootkit, which ESET has named ESPecter, can bypass Windows Driver Signature Enforcement to load its own unsigned driver, which facilitates its espionage activities. ESPecter is the second discovery of a UEFI bootkit persisting on the ESP and shows how real-world UEFI threats are no longer limited to SPI flash implants such as LoJax, which was discovered by ESET in 2018.
ESPecter was discovered on a compromised machine along with a user-mode client component with keylogging and document-stealing functionalities, which is why ESET Research believes ESPecter is mainly used for espionage. “Interestingly, we traced the roots of this threat back to at least 2012; it was previously operating as a bootkit for systems with legacy BIOSes. Despite ESPecter’s long existence, its operations and upgrade to UEFI went unnoticed and have not been documented until now,” says ESET researcher Anton Cherepanov, who discovered and analyzed the threat with ESET researcher Martin Smolár.
“In the last few years, we have seen proof-of-concept examples of UEFI bootkits, leaked documents, and even leaked source code suggesting the existence of real UEFI malware either in the form of SPI flash implants or ESP implants. Despite all of the above, only four real-world cases of UEFI malware have been discovered, including ESPecter,” explains Cherepanov.
Looking at ESET telemetry, ESET Research was able to date the beginnings of this bootkit back to at least 2012. What is interesting is that the malware’s components have barely changed over all these years, and the differences between the 2012 and 2020 versions are not as significant as one would expect. After all the years of insignificant changes, the threat actors behind ESPecter apparently decided to move their malware from legacy BIOS systems to modern UEFI systems.
The second payload deployed by ESPecter is a backdoor that supports a rich set of commands and contains various automatic data exfiltration capabilities, including document stealing, keylogging, and monitoring of the victim’s screen by periodically taking screenshots. All of the collected data is stored in a hidden directory.
“ESPecter shows that threat actors are relying on UEFI firmware implants when it comes to pre-OS persistence and, despite the existing security mechanisms like UEFI Secure Boot, invest their time into creating malware that would be easily blocked by such mechanisms, if enabled and configured correctly,” adds Smolár.
To keep safe from ESPecter or threats similar to it, ESET advises users to follow these simple rules: always use the latest firmware version; make sure the system is properly configured and Secure Boot is enabled; and configure Privileged Account Management to help prevent adversaries from accessing privileged accounts needed for bootkit installation.
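The following PowerShell script is an added defensive check, not part of the ESET press release and not ESET's tooling. It turns the advice above into something an administrator can run on a Windows machine: it confirms Secure Boot is on, mounts the ESP on a spare drive letter (assumption: S: is unused), lists every EFI executable on it with its SHA-256 hash and Authenticode signature status, and prints the firmware version so it can be compared with the vendor's latest release. It requires an elevated session on a UEFI-booted system.

```powershell
# Added example: ESP and Secure Boot triage for a Windows host (not ESET's code).
# Run from an elevated PowerShell session on a UEFI-booted system.

# 1. Secure Boot state. Confirm-SecureBootUEFI throws on legacy-BIOS systems,
#    which is itself worth knowing: such a machine cannot block an ESP bootkit this way.
try {
    $secureBoot = Confirm-SecureBootUEFI
} catch {
    $secureBoot = $false
    Write-Warning "Secure Boot state could not be read (legacy BIOS or unsupported platform): $_"
}
Write-Host "Secure Boot enabled: $secureBoot"

# 2. Mount the EFI System Partition. Assumption: drive letter S: is free.
$espLetter = 'S:'
mountvol $espLetter /S | Out-Null

try {
    # 3. Inventory every EFI executable on the ESP: path, hash, signature, last write time.
    $report = Get-ChildItem -Path "$espLetter\" -Recurse -Filter *.efi -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Path      = $_.FullName
                SHA256    = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                SigStatus = $sig.Status
                Signer    = $sig.SignerCertificate.Subject
                Modified  = $_.LastWriteTimeUtc
            }
        }

    $report | Format-Table Path, SigStatus, Signer, Modified -AutoSize

    # 4. Binaries without a valid Authenticode signature, or with a recent modification
    #    time on an otherwise static partition, are the ones to compare against a known-good
    #    baseline and submit for analysis.
    $suspicious = $report | Where-Object { $_.SigStatus -ne 'Valid' }
    if ($suspicious) {
        Write-Warning "EFI binaries without a valid Authenticode signature found on the ESP:"
        $suspicious | Format-Table Path, SigStatus, SHA256, Modified -AutoSize
    }

    # 5. Firmware identity, to be checked against the vendor's current release.
    Get-CimInstance -ClassName Win32_BIOS |
        Select-Object Manufacturer, SMBIOSBIOSVersion, ReleaseDate
} finally {
    # Always unmount the ESP again, even if the inventory failed part-way.
    mountvol $espLetter /D | Out-Null
}
```

Treat the signature column as triage input rather than a verdict: some legitimate OEM or distribution bootloaders are signed with certificates Windows does not chain to a trusted root, so an entry that is not `Valid` means "compare the hash against a clean reference image", not "infected". Recording the hashes once on a known-good build and diffing on later runs is the cheap way to notice an unexpected file on the ESP.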
About ESET
For more than 30 years, ESET® has been developing industry-leading IT security software and services to protect businesses, critical infrastructure and consumers worldwide from increasingly sophisticated digital threats. From endpoint and mobile security to endpoint detection and response, as well as encryption and multifactor authentication, ESET’s high-performing, easy-to-use solutions unobtrusively protect and monitor 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company that enables the safe use of technology. This is backed by ESET’s R&D centers worldwide, working in support of our shared future. For more information, visit www.eset.com or follow us on LinkedIn, Facebook, and Twitter.
© Press Release 2021
Disclaimer: The contents of this press release were provided by an external third-party provider. This website is not responsible for, and does not control, such external content. This content is provided on an “as is” and “as available” basis and has not been edited in any way. Neither this website nor our affiliates guarantee the accuracy of or endorse the views or opinions expressed in this press release.