Cybersecurity (opens in new tab) researchers have found a previously undocumented Unified Extensible Firmware Interface (UEFI) bootkit, which has found a neat way to bypass the SecureBoot protections.
In their thorough breakdown of the bootkit, dubbed ESPecter, the ESET (opens in new tab) researchers who found it, note that the malware (opens in new tab) loads its own unsigned driver to bypass Windows Driver Signature Enforcement (WDSE) and dwell permanently inside the EFI System Partition (ESP) of compromised devices.
“ESPecter was encountered on a compromised machine along with a user-mode client component with keylogging and document-stealing functionalities, which is why we believe ESPecter is mainly used for espionage,” note the researchers in their blog post (opens in new tab).
We're looking at how our readers use VPNs with streaming sites like Netflix so we can improve our content and offer better advice. This survey won't take more than 60 seconds of your time, and we'd hugely appreciate if you'd share your experiences with us.
>> Click here to start the survey in a new window (opens in new tab) <<
- Protect your devices with these best antivirus software (opens in new tab)
- Here's our choice of the best malware removal (opens in new tab) software on the market
- These are the best ransomware protection tools (opens in new tab)
The researchers describe ESPecter as the second real-world example of a UEFI bootkit that presents itself as a patched Windows Boot Manager before archiving persistence on the ESP.
Overriding secure boot
Interestingly, the researchers note that ESPecter has been in operation since at least 2012, when it was used to target systems with legacy BIOS.
In their detailed analysis, the researchers observe that ESPecter bypasses WDSE in order to execute its own unsigned driver as the infected computer boots. It is this malicious driver that deploys other components into particular system processes in order for the malware to communicate with its command and control (C2) server.
The researchers argue that while Secure Boot prevents the execution of untrusted UEFI binaries, over the years there have been several documented UEFI firmware vulnerabilities (opens in new tab) that can be exploited to bypass or disable the security mechanism.
Referring to securing UEFI firmware as “a challenging task,” the researchers observe that the process is further compounded by the fact that various vendors apply security policies and use UEFI services differently.
In fact, they go as far as to suggest that malware such as ESPecter could be easily blocked by security mechanisms such as Secure Boot, if only it was enabled and configured correctly.
- Check our roundup of the best endpoint protection tools (opens in new tab)
Via BleepingComputer (opens in new tab)