On Tuesday, cybersecurity researchers disclosed that threat actors have been using a previously undocumented UEFI (Unified Extensible Firmware Interface) bootkit to backdoor Windows computers since 2012, achieving persistence by modifying a legitimate Windows Boot Manager binary.
The security company ESET codenamed the new malware “ESPecter” because of its ability to persist on the EFI System Partition (ESP). It also bypasses Microsoft Windows Driver Signature Enforcement to load its own unsigned driver, which can be used to enable espionage activities including document theft, keylogging, and screen monitoring by periodically taking screenshots. The malware’s initial intrusion route is still unknown.
According to a technical write-up from ESET researchers, this shows that threat actors are not relying solely on UEFI firmware implants for pre-OS persistence. Even with security features such as UEFI Secure Boot available, they still devote effort to designing malware that those safeguards would readily block, if they were enabled and configured correctly.
The origins of ESPecter date back to at least 2012, when it started as a bootkit for systems with legacy BIOSes; its creators kept adding support for new Windows OS versions while barely changing the malware’s components. The most significant change came in 2020, when the “creators of ESPecter reportedly chose to transfer their virus from outdated BIOS computers to newer UEFI systems.”
On UEFI systems, the malware persists on the ESP in the guise of a patched Windows Boot Manager, the same boot-chain patching approach it used in its BIOS era.
On systems running in Legacy BIOS Boot Mode, however, ESPecter achieves persistence by modifying the master boot record (MBR) code in the disk drive’s first physical sector so that it can tamper with the loading of the boot manager and load its malicious kernel driver. That driver sets up the keylogger and loads additional user-mode payloads, then erases its own traces from the machine.
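The controls named above (Secure Boot state, the Windows Boot Manager on the ESP, and the first disk sector for the MBR variant) can be inspected from the defender's side. The following PowerShell script is an added example, not code from ESET or from the article. It assumes an elevated PowerShell session on a Windows host, that drive letter S: is free for temporarily mounting the ESP, the standard Windows Boot Manager path \EFI\Microsoft\Boot\bootmgfw.efi, and that the boot disk is PhysicalDrive0.

```powershell
# Added example (not from ESET's write-up): inspect the boot chain for the
# tampering points described in the article. Run elevated on a Windows host.
# Assumptions: S: is free, bootmgfw.efi is at the standard ESP path, boot disk
# is \\.\PhysicalDrive0.

# 1. Is UEFI Secure Boot enabled? The cmdlet throws on legacy BIOS / CSM boot,
#    which is exactly the case where the MBR variant matters instead.
try {
    $secureBoot = Confirm-SecureBootUEFI
} catch {
    $secureBoot = $null
}
"Secure Boot enabled: $(if ($null -eq $secureBoot) { 'n/a (legacy BIOS boot)' } else { $secureBoot })"

# 2. Mount the ESP and verify the Authenticode signature of every EFI binary in
#    the Microsoft boot directory. A patched bootmgfw.efi no longer matches its
#    embedded signature, so its Status is not 'Valid' (typically HashMismatch).
$esp = 'S:'
mountvol $esp /S | Out-Null
try {
    $bootDir = Join-Path $esp 'EFI\Microsoft\Boot'
    Get-ChildItem -Path $bootDir -Filter '*.efi' -ErrorAction Stop | ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            File     = $_.Name
            Status   = $sig.Status                      # expect 'Valid'
            Signer   = $sig.SignerCertificate.Subject   # expect a Microsoft subject
            SHA256   = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            Modified = $_.LastWriteTime
        }
    } | Format-Table -AutoSize
} finally {
    mountvol $esp /D | Out-Null
}

# 3. MBR variant: hash the first 512-byte sector of the boot disk so it can be
#    compared against a known-good baseline captured earlier on the same machine.
#    Raw device reads require elevation and sector-aligned lengths.
$stream = New-Object System.IO.FileStream(
    '\\.\PhysicalDrive0', [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read)
try {
    $mbr = New-Object byte[] 512
    $null = $stream.Read($mbr, 0, 512)
} finally {
    $stream.Close()
}
$sha256  = [System.Security.Cryptography.SHA256]::Create()
$mbrHash = ($sha256.ComputeHash($mbr) | ForEach-Object { $_.ToString('x2') }) -join ''
$bootSig = '{0:x2}{1:x2}' -f $mbr[510], $mbr[511]   # valid MBRs end in 55aa
"MBR SHA256: $mbrHash (boot signature bytes: $bootSig; compare hash with baseline)"
```

The script reports rather than remediates: an invalid signature on bootmgfw.efi or an MBR hash that drifts from a baseline taken at provisioning time is the trigger to pull a forensic image of the ESP and first sector before reinstalling the boot manager from known-good media.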
Whether the UEFI or MBR variant is used, installing the driver leads to the injection of next-stage user-mode components into specific system processes; these components connect to a remote server and allow the attacker to take control of the compromised machine.
ESET did not attribute the bootkit to a specific nation-state or hacking group. However, Chinese debug messages in the user-mode client payload suggest it may have been created by an unknown Chinese-speaking threat actor.