This bootkit has been used to backdoor Windows devices for almost a decade

Only the second-known real-world UEFI bootkit

by 9SIX

Cybersecurity researchers have found a previously undocumented Unified Extensible Firmware Interface (UEFI) bootkit, which has found a neat way to bypass the SecureBoot protections.

In their thorough breakdown of the bootkit, dubbed ESPecter, the ESET researchers who found it, note that the malware loads its own unsigned driver to bypass Windows Driver Signature Enforcement (WDSE) and dwell permanently inside the EFI System Partition (ESP) of compromised devices.

“ESPecter was encountered on a compromised machine along with a user-mode client component with keylogging and document-stealing functionalities, which is why we believe ESPecter is mainly used for espionage,” note the researchers in their blog post.

The researchers describe ESPecter as the second real-world example of a UEFI bootkit that presents itself as a patched Windows Boot Manager before archiving persistence on the ESP.

Overriding secure boot

Interestingly, the researchers note that ESPecter has been in operation since at least 2012, when it was used to target systems with legacy BIOS.

In their detailed analysis, the researchers observe that ESPecter bypasses WDSE in order to execute its own unsigned driver as the infected computer boots. It is this malicious driver that deploys other components into particular system processes in order for the malware to communicate with its command and control (C2) server.

The researchers argue that while Secure Boot prevents the execution of untrusted UEFI binaries, over the years there have been several documented UEFI firmware vulnerabilities that can be exploited to bypass or disable the security mechanism.

Referring to securing UEFI firmware as “a challenging task,” the researchers observe that the process is further compounded by the fact that various vendors apply security policies and use UEFI services differently.

In fact, they go as far as to suggest that malware such as ESPecter could be easily blocked by security mechanisms such as Secure Boot, if only it was enabled and configured correctly.

Source: techradar

This website uses cookies to improve your experience. We'll assume you're ok with this, but you can opt-out if you wish. Accept

Update Required Flash plugin