ESET researchers have uncovered a previously unknown real-world UEFI bootkit that resides on the EFI System Partition (ESP). The bootkit, dubbed ESPecter by ESET, can get around Windows Driver Signature Enforcement and install its own unregistered driver, making its espionage activities easier. ESPecter is the second UEFI bootkit identified on the ESP, demonstrating that real-world UEFI threats aren’t restricted to SPI flash implants like Lojax, which ESET discovered in 2018.
ESPecter was discovered on a compromised machine along with a user-mode client component with keylogging and document-stealing functionalities, which is why ESET Research believes ESPecter is mainly used for espionage. “Interestingly, we traced the roots of this threat back to at least 2012; it was previously operating as a bootkit for systems with legacy BIOSes. Despite ESPecter’s long existence, its operations and upgrade to UEFI went unnoticed and have not been documented until now,” says ESET researcher Anton Cherepanov, who discovered and analyzed the threat with ESET researcher Martin Smolár.
“In the last few years, we have seen proof-of-concept examples of UEFI bootkits, leaked documents, and even leaked source code suggesting the existence of real UEFI malware either in the form of SPI flash implants or ESP implants. Despite all of the above, only four real-world cases of UEFI malware have been discovered, including ESPecter,” explains Cherepanov.
ESET Research was able to trace the origins of this bootkit back to at least 2012 using ESET telemetry. What’s noteworthy is that the malware’s components haven’t changed much over the years, and the variations between the 2012 and 2020 versions aren’t as noticeable as one might think. The threat actors behind ESPecter appear to have opted to transfer their malware from legacy BIOS computers to current UEFI platforms after years of minor adjustments.
ESPecter’s second payload is a backdoor that supports a wide range of instructions and includes several automatic data exfiltration features, such as document theft, keylogging, and frequent screenshot monitoring of the victim’s screen. All of the information gathered is kept in a secret directory.
“ESPecter shows that threat actors are relying on UEFI firmware implants when it comes to pre-OS persistence and, despite the existing security mechanisms like UEFI Secure Boot, invest their time into creating malware that would be easily blocked by such mechanisms, if enabled and configured correctly,” adds Smolár.
ESET advises users to follow these simple rules to stay safe from ESPecter and similar threats: always use the most recent firmware version; make sure the system is properly configured and Secure Boot is enabled; and configure Privy Account Management to help prevent adversaries from accessing privileged accounts needed for bootkit installation.
