ESET researchers have discovered a previously undocumented real-world UEFI bootkit that persists on the EFI System Partition (ESP).
The bootkit, which ESET has named ESPecter, can bypass Windows Driver Signature Enforcement to load its own unsigned driver, which facilitates its espionage activities. ESPecter is the second discovery of a UEFI bootkit persisting on the ESP and shows that real-world UEFI threats are no longer limited to SPI flash implants, as used by LoJax, which was discovered by ESET in 2018.
ESPecter was discovered on a compromised machine along with a user-mode client component with keylogging and document-stealing functionalities, which is why ESET Research believes ESPecter is mainly used for espionage. “Interestingly, we traced the roots of this threat back to at least 2012; it was previously operating as a bootkit for systems with legacy BIOSes. Despite ESPecter’s long existence, its operations and upgrade to UEFI went unnoticed and have not been documented until now,” says ESET researcher Anton Cherepanov, who discovered and analyzed the threat with ESET researcher Martin Smolár.
“In the last few years, we have seen proof-of-concept examples of UEFI bootkits, leaked documents, and even leaked source code suggesting the existence of real UEFI malware either in the form of SPI flash implants or ESP implants. Despite all of the above, only four real-world cases of UEFI malware have been discovered, including ESPecter,” explains Cherepanov.
Looking at ESET telemetry, ESET Research was able to date the beginnings of this bootkit back to at least 2012. What is interesting is that the malware’s components have barely changed over all these years, and the differences between the 2012 and 2020 versions are not as significant as one would expect. After all the years of insignificant changes, the threat actors behind ESPecter apparently decided to move their malware from legacy BIOS systems to modern UEFI systems.
The second payload deployed by ESPecter is a backdoor that supports a rich set of commands and contains various automatic data exfiltration capabilities, including document stealing, keylogging, and monitoring of the victim’s screen by periodically taking screenshots. All of the collected data is stored in a hidden directory.
“ESPecter shows that threat actors are relying on UEFI firmware implants when it comes to pre-OS persistence and, despite the existing security mechanisms like UEFI Secure Boot, invest their time into creating malware that would be easily blocked by such mechanisms, if enabled and configured correctly,” adds Smolár.
To keep safe from ESPecter or threats similar to it, ESET advises users to follow these simple rules: always use the latest firmware version; make sure the system is properly configured and Secure Boot is enabled; and configure Privileged Account Management to help prevent adversaries from accessing privileged accounts needed for bootkit installation.
For more technical details about ESPecter, read the blogpost “UEFI threats moving to the ESP: Introducing ESPecter bootkit” on WeLiveSecurity.