Skip to main content

This bootkit has been used to backdoor Windows devices for almost a decade

security
(Image credit: Shutterstock)

Cybersecurity researchers have found a previously undocumented Unified Extensible Firmware Interface (UEFI) bootkit, which has found a neat way to bypass the SecureBoot protections.

In their thorough breakdown of the bootkit, dubbed ESPecter, the ESET researchers who found it, note that the malware loads its own unsigned driver to bypass Windows Driver Signature Enforcement (WDSE) and dwell permanently inside the EFI System Partition (ESP) of compromised devices.

“ESPecter was encountered on a compromised machine along with a user-mode client component with keylogging and document-stealing functionalities, which is why we believe ESPecter is mainly used for espionage,” note the researchers in their blog post.

TechRadar needs you!

We're looking at how our readers use VPNs with streaming sites like Netflix so we can improve our content and offer better advice. This survey won't take more than 60 seconds of your time, and we'd hugely appreciate if you'd share your experiences with us.

>> Click here to start the survey in a new window <<

The researchers describe ESPecter as the second real-world example of a UEFI bootkit that presents itself as a patched Windows Boot Manager before archiving persistence on the ESP.

Overriding secure boot

Interestingly, the researchers note that ESPecter has been in operation since at least 2012, when it was used to target systems with legacy BIOS.

In their detailed analysis, the researchers observe that ESPecter bypasses WDSE in order to execute its own unsigned driver as the infected computer boots. It is this malicious driver that deploys other components into particular system processes in order for the malware to communicate with its command and control (C2) server.

The researchers argue that while Secure Boot prevents the execution of untrusted UEFI binaries, over the years there have been several documented UEFI firmware vulnerabilities that can be exploited to bypass or disable the security mechanism.

Referring to securing UEFI firmware as “a challenging task,” the researchers observe that the process is further compounded by the fact that various vendors apply security policies and use UEFI services differently.

In fact, they go as far as to suggest that malware such as ESPecter could be easily blocked by security mechanisms such as Secure Boot, if only it was enabled and configured correctly.

Via BleepingComputer

Mayank Sharma

With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.