UEFI Bootkit Targeting Windows Computers Since 2012

Researchers have discovered a UEFI bootkit that has been targeting Windows computers since 2012. Threat actors have been using the Unified Extensible Firmware Interface (UEFI) to backdoor Windows systems from as early as 2012, modifying the legitimate Windows Boot Manager binary to achieve persistence. This shows how technology meant to secure the environment before the operating system loads is increasingly becoming a “tempting target.”

According to cybersecurity firm ESET, the new malware, “ESPecter,” can persist on the EFI System Partition (ESP). It can also bypass Microsoft Windows Driver Signature Enforcement to load its own unsigned driver, which facilitates espionage activities such as document theft, keylogging, and screen monitoring by periodically capturing screenshots.

ESET researchers Martin Smolár and Anton Cherepanov said in a technical write-up published Tuesday: “ESPecter shows that threat actors are relying not only on UEFI firmware implants when it comes to pre-OS persistence and, despite the existing security mechanisms like UEFI Secure Boot, invest their time into creating malware that would be easily blocked by such mechanisms, if enabled and configured correctly.”

The recent development is the fourth real-world case of UEFI malware discovered so far; the other cases are LoJax, MosaicRegressor, and, most recently, FinFisher. FinFisher was found leveraging the same method of compromise to persist on the ESP in the form of a patched Windows Boot Manager. According to the researchers, “By patching the Windows Boot Manager, attackers achieve execution in the early stages of the system boot process, before the operating system is fully loaded. This allows ESPecter to bypass Windows Driver Signature Enforcement (DSE) in order to execute its own unsigned driver at system startup.”
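The two conditions the article points at, Secure Boot being enabled and the boot manager on the ESP still carrying a valid Microsoft signature, can be checked from an elevated PowerShell prompt. This is an added defensive check, not ESET's code or part of the original article; the S: drive letter used to mount the ESP is an assumption.

```powershell
# Added example (not from the article): report Secure Boot state and verify the
# Authenticode signature of the Windows Boot Manager on the EFI System Partition.
# Requires an elevated prompt on a UEFI-booted Windows host.
# Drive letter S: is an assumption; use any free letter.

$espLetter = 'S:'
$bootMgr   = Join-Path $espLetter 'EFI\Microsoft\Boot\bootmgfw.efi'

# 1. Secure Boot state. Confirm-SecureBootUEFI throws on legacy BIOS systems,
#    which is exactly the MBR-based case the article describes, so catch it.
try {
    $secureBoot = Confirm-SecureBootUEFI
} catch {
    $secureBoot = $false
    Write-Warning 'Secure Boot state could not be queried (legacy BIOS or unsupported firmware).'
}
Write-Output ("Secure Boot enabled : {0}" -f $secureBoot)

# 2. The ESP has no drive letter by default; mount it, check the boot manager,
#    and always unmount it afterwards.
mountvol $espLetter /S | Out-Null
try {
    if (-not (Test-Path $bootMgr)) {
        throw "Boot manager not found at $bootMgr"
    }
    $sig  = Get-AuthenticodeSignature -FilePath $bootMgr
    $hash = (Get-FileHash -Algorithm SHA256 -Path $bootMgr).Hash
    Write-Output ("Signature status    : {0}" -f $sig.Status)
    Write-Output ("Signer              : {0}" -f $sig.SignerCertificate.Subject)
    Write-Output ("SHA256              : {0}" -f $hash)   # record for your baseline

    # A patched boot manager no longer carries a valid Microsoft signature.
    $sigOk = ($sig.Status -eq 'Valid') -and
             ($sig.SignerCertificate.Subject -like '*Microsoft*')
    if ($sigOk -and $secureBoot) {
        Write-Output 'RESULT: boot manager signature intact and Secure Boot enabled.'
    } else {
        Write-Warning 'RESULT: investigate - boot manager signature invalid or unexpected, or Secure Boot disabled.'
    }
} finally {
    mountvol $espLetter /D | Out-Null
}
```

Keep the reported SHA256 of a known-good boot manager so later runs can be compared against it, not just against the signature check.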

On systems that support Legacy BIOS Boot Mode, ESPecter gains persistence by altering the master boot record (MBR) code located in the first physical sector of the disk drive, interfering with the loading of the boot manager so that the malicious kernel driver is loaded. That driver is designed to load additional user-mode payloads and set up the keylogger before erasing its own traces from the machine.

Finally, the driver is used to inject next-stage user-mode components into specific system processes to establish communications with a remote server. This enables an attacker to commandeer the compromised machine and take control of it, downloading and executing further malware or commands fetched from the server.

ESET has not attributed the bootkit to any particular nation-state or hacking group, though it is likely to have Chinese links, as the user-mode client payload included Chinese debug messages.

The researchers noted, “Even though Secure Boot stands in the way of executing untrusted UEFI binaries from the ESP, over the last few years we have been witness to various UEFI firmware vulnerabilities affecting thousands of devices that allow disabling or bypassing Secure Boot. This shows that securing UEFI firmware is a challenging task and that the way various vendors apply security policies and use UEFI services is not always ideal.”
