Security researchers have revealed that threat actors have been using a previously undocumented UEFI (Unified Extensible Firmware Interface) bootkit since 2012 to backdoor Windows systems, gaining persistence by patching a legitimate Windows Boot Manager binary. Discoveries like this show that the pre-OS boot environment, the very layer designed to protect a system before the operating system loads, is becoming an increasingly attractive target for attackers.
Beyond bypassing Microsoft Windows Driver Signature Enforcement to load its own unsigned driver, the malware, codenamed "ESPecter", stands out for its ability to persist on the EFI System Partition (ESP). Once in place, it supports espionage activities such as keylogging, screen monitoring through periodic screenshots, and document and data theft. The initial infection vector, however, is still unknown.
No nation-state or criminal group has been identified as being behind the bootkit. However, Chinese-language debug messages in the user-mode client payload suggest that an unknown Chinese-speaking threat actor may be operating ESPecter.
According to an ESET report published on Tuesday, ESPecter's origins date back to at least 2012, when it was developed as a bootkit for machines running legacy BIOS firmware. Since then, its developers have kept adding support for newer Windows versions while making only minor changes to the malware's core components.
The researchers point out that the bootkit patches the Windows Boot Manager to disable Driver Signature Enforcement (DSE), which is what lets ESPecter load its unsigned kernel driver during startup. That is how the attackers take control of a machine before Windows has had a chance to load its own core components. Because a patched boot manager no longer carries a valid signature, this approach only works when UEFI Secure Boot is disabled or has been turned off by the attacker.
Notably, on systems booting in Legacy BIOS mode, ESPecter gains persistence by modifying the master boot record (MBR) code in the first physical sector of the disk. From there the malware intercepts the loading of the boot manager and launches the malicious kernel driver, whose job is to load additional user-mode payloads. Alongside this, the threat sets up a keylogger and removes traces of itself from the compromised computer.
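The two persistence locations described above, the Windows Boot Manager on the ESP and the MBR bootstrap code in sector 0, can both be checked from an elevated PowerShell session. The following script is an added example written for this article, not code from ESET's report or from the malware; it assumes the machine is an Administrator session, that PhysicalDrive0 is the boot disk, that `S:` is a free drive letter, and that you previously captured a known-good SHA-256 of the MBR bootstrap code for this machine (the `$knownGoodMbrSha256` placeholder is hypothetical).

```powershell
#Requires -RunAsAdministrator
# Added example: integrity checks for the two ESPecter persistence spots.
# Assumptions (not from the article): admin session, boot disk is PhysicalDrive0,
# S: is free, and a baseline MBR hash was recorded while the machine was clean.

# --- 1. UEFI variant: mount the ESP and verify the Windows Boot Manager -------
$espLetter = 'S:'
mountvol $espLetter /S | Out-Null          # /S mounts the EFI System Partition
try {
    $bootmgr = Join-Path $espLetter 'EFI\Microsoft\Boot\bootmgfw.efi'
    $sig = Get-AuthenticodeSignature -FilePath $bootmgr
    [pscustomobject]@{
        File   = $bootmgr
        # 'Valid' is expected; 'HashMismatch' means the on-disk bytes were patched
        Status = $sig.Status
        Signer = $sig.SignerCertificate.Subject
        SHA256 = (Get-FileHash -Algorithm SHA256 -Path $bootmgr).Hash
    } | Format-List

    # Any other EFI binary on the ESP without a valid signature deserves a look:
    # a patched bootmgfw.efi or an extra loader is how a bootkit runs before winload.
    Get-ChildItem -Path "$espLetter\" -Recurse -Include *.efi |
        Where-Object { (Get-AuthenticodeSignature -FilePath $_.FullName).Status -ne 'Valid' } |
        Select-Object FullName, Length, LastWriteTime
}
finally {
    mountvol $espLetter /D | Out-Null      # always unmount the ESP again
}

# --- 2. Legacy BIOS variant: hash the MBR bootstrap code in sector 0 -----------
$knownGoodMbrSha256 = '<baseline captured earlier>'   # hypothetical placeholder

$stream = [System.IO.FileStream]::new('\\.\PhysicalDrive0',
    [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read,
    [System.IO.FileShare]::ReadWrite)
try {
    $sector = New-Object byte[] 512           # reads must be sector-aligned
    $read = $stream.Read($sector, 0, 512)
    if ($read -ne 512) { throw "Short read of sector 0 ($read bytes)" }
}
finally {
    $stream.Dispose()
}

# Bytes 510-511 must be the 0x55AA boot signature on any valid MBR.
$validSig = ($sector[510] -eq 0x55 -and $sector[511] -eq 0xAA)

# The bootstrap code occupies bytes 0-439; the partition table (446-509) changes
# legitimately when partitions are edited, so hash only the code region.
$sha = [System.Security.Cryptography.SHA256]::Create()
$mbrCodeHash = -join ($sha.ComputeHash($sector, 0, 440) | ForEach-Object { $_.ToString('X2') })

# On a GPT/UEFI-only disk the protective MBR's code region is often all zeros;
# non-zero code there on a UEFI-booting machine is itself worth explaining.
$codeAllZero = -not ($sector[0..439] | Where-Object { $_ -ne 0 })

[pscustomobject]@{
    BootSignatureOK = $validSig
    MbrCodeSHA256   = $mbrCodeHash
    MbrCodeAllZero  = $codeAllZero
    MatchesBaseline = ($mbrCodeHash -eq $knownGoodMbrSha256.ToUpper())
} | Format-List
```

Run the script from the live system for a quick triage, but treat a clean result with caution: a kernel driver loaded this early can filter what the OS reports about the disk, so for a confident verdict repeat the same checks from trusted boot media, where the ESP and sector 0 are read without the suspect system's own drivers in the path.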
Regardless of whether the MBR or the UEFI variant is used, the driver, once installed, injects user-mode components into specific system processes. These give the attacker control of the compromised machine and the ability to download and execute additional malware or commands received from the command-and-control server.