This bootkit has been used to backdoor Windows devices for almost a decade
Only the second-known real-world UEFI bootkit
When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.
Cybersecurityresearchers have found a previously undocumented Unified Extensible Firmware Interface (UEFI) bootkit, which has found a neat way to bypass the SecureBoot protections.
In their thorough breakdown of the bootkit, dubbed ESPecter, theESETresearchers who found it, note that themalwareloads its own unsigned driver to bypass Windows Driver Signature Enforcement (WDSE) and dwell permanently inside the EFI System Partition (ESP) of compromised devices.
“ESPecter was encountered on a compromised machine along with a user-mode client component with keylogging and document-stealing functionalities, which is why we believe ESPecter is mainly used for espionage,” note the researchers in theirblog post.
We’re looking at how our readers use VPNs with streaming sites like Netflix so we can improve our content and offer better advice. This survey won’t take more than 60 seconds of your time, and we’d hugely appreciate if you’d share your experiences with us.
Click here to start the survey in a new window«
The researchers describe ESPecter as the second real-world example of a UEFI bootkit that presents itself as a patched Windows Boot Manager before archiving persistence on the ESP.
Overriding secure boot
Interestingly, the researchers note that ESPecter has been in operation since at least 2012, when it was used to target systems with legacy BIOS.
In their detailed analysis, the researchers observe that ESPecter bypasses WDSE in order to execute its own unsigned driver as the infected computer boots. It is this malicious driver that deploys other components into particular system processes in order for the malware to communicate with its command and control (C2) server.
The researchers argue that while Secure Boot prevents the execution of untrusted UEFI binaries, over the years there have been several documentedUEFI firmware vulnerabilitiesthat can be exploited to bypass or disable the security mechanism.
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
Referring to securing UEFI firmware as “a challenging task,” the researchers observe that the process is further compounded by the fact that various vendors apply security policies and use UEFI services differently.
In fact, they go as far as to suggest that malware such as ESPecter could be easily blocked by security mechanisms such as Secure Boot, if only it was enabled and configured correctly.
ViaBleepingComputer
With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’sTechRadar Pro’sexpert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.
This new phishing strategy utilizes GitHub comments to distribute malware
Should your VPN always be on?
Huge Black Friday Samsung sale: save up to $1,900 on QLED, OLED TVs, and more
