Researchers have uncovered a new UEFI bootkit that can infect machines running Windows 7 through Windows 10 and persist on the EFI System Partition (ESP) by replacing the legitimate Windows Boot Manager with a patched, malicious copy.
The new malware is called ESPecter. It is somewhat similar to, but unrelated to, another UEFI bootkit, FinSpy, that Kaspersky disclosed last week. ESPecter's origins stretch back to at least 2012, and it has a number of interesting capabilities, including bypassing Windows Driver Signature Enforcement (DSE) to load a malicious, unsigned driver as part of its infection process. ESPecter's initial infection vector isn't clear at this point, but researchers at ESET, who discovered the malware, believe it is used mainly for information stealing and espionage and said it may have Chinese authors.
UEFI is the successor to the older BIOS and is designed to be the first code that runs when the machine powers on. UEFI bootkits are rare, and most of those identified in the wild have been SPI flash implants (modifying the firmware itself) rather than ESP implants (modifying boot files on disk). The purpose of both types of UEFI malware is the same: take control of the lowest level of the machine's boot process and remain hidden and persistent without any obvious signs of compromise. In ESPecter's case, this is achieved by patching the Windows Boot Manager, the signed Microsoft binary that the firmware loads from the ESP and that in turn loads the Windows kernel. Because the patch invalidates Microsoft's signature on that binary, the modified Boot Manager will not load while UEFI Secure Boot is enabled; ESET noted that ESPecter can only be deployed on machines where Secure Boot is disabled.
“By patching the Windows Boot Manager, attackers achieve execution in the early stages of the system boot process, before the operating system is fully loaded. This allows ESPecter to bypass Windows Driver Signature Enforcement (DSE) in order to execute its own unsigned driver at system startup,” Martin Smolár and Anton Cherepanov of ESET wrote in their analysis of the malware.
“This driver then injects other user-mode components into specific system processes to initiate communication with ESPecter’s C&C server and to allow the attacker to take control of the compromised machine by downloading and running additional malware or executing C&C commands.”
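A practical check for the ESP persistence described above is to mount the EFI System Partition and verify the Authenticode signature of the Windows Boot Manager: a patched binary no longer carries a valid Microsoft signature. The script below is an added example written for this page, not code from ESET's report or from the malware. It assumes the standard Windows location of the Boot Manager, `\EFI\Microsoft\Boot\bootmgfw.efi`, and that drive letter `S:` is free to use as a temporary mount point.

```powershell
# Added example (not from ESET's analysis): check whether the Windows Boot Manager
# on the EFI System Partition still carries a valid Microsoft Authenticode signature.
# A bootkit that patches the binary, as ESPecter does, breaks that signature.
# Must run from an elevated PowerShell session.
#Requires -RunAsAdministrator

$MountPoint = 'S:'                                 # assumption: S: is not already in use
$BootMgrRel = '\EFI\Microsoft\Boot\bootmgfw.efi'   # standard Windows Boot Manager path on the ESP

# mountvol /S mounts the EFI System Partition at the given drive letter.
mountvol $MountPoint /S
if ($LASTEXITCODE -ne 0) { throw "Could not mount the EFI System Partition at $MountPoint" }

try {
    $bootmgr = Join-Path $MountPoint $BootMgrRel
    if (-not (Test-Path $bootmgr)) { throw "Boot Manager not found at $bootmgr" }

    $sig  = Get-AuthenticodeSignature -FilePath $bootmgr
    $hash = (Get-FileHash -Path $bootmgr -Algorithm SHA256).Hash

    [pscustomobject]@{
        Path   = $bootmgr
        SHA256 = $hash
        Status = $sig.Status                      # a pristine file reports 'Valid'
        Signer = $sig.SignerCertificate.Subject   # expect a Microsoft subject
    } | Format-List

    if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
        Write-Warning "Boot Manager signature check FAILED: treat the ESP as possibly tampered"
    }

    # Enumerate every other EFI binary on the partition with its signature status,
    # so an added or replaced loader stands out.
    Get-ChildItem -Path $MountPoint -Recurse -Filter *.efi | ForEach-Object {
        $s = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            File   = $_.FullName
            Status = $s.Status
            Signer = $s.SignerCertificate.Subject
        }
    } | Format-Table -AutoSize
}
finally {
    # Always unmount the ESP, even if a check above threw.
    mountvol $MountPoint /D
}
```

Run it from a known-good environment (for example WinPE or a rescue disk) rather than from the suspect installation: once the bootkit's unsigned driver is loaded, it can interfere with what a live system reports about its own disk. A `Status` other than `Valid`, a non-Microsoft signer, or an unexpected extra `.efi` file on the ESP is the cue to image the partition and compare the Boot Manager's hash against a copy from clean installation media of the same Windows build.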