New UEFI Bootkit Performs Espionage

ESPecter infects smartly

• The malware begins its operation as a bootkit for systems with legacy BIOSes. Later, it was upgraded to provide UEFI support.
• The infection stays inside the system partition in the form of a patch applied to the Windows Boot Manager.
• This patch allows the malware to evade the security implemented via Windows Driver Signature Enforcement (DSE) protocols and load its unsigned drivers into the device.
• Once loaded, these drivers inject other user-mode components that allow it to establish a connection with the attacker’s C2 server.

How do attackers disable Secure Boot?

• The attacker has physical access to a target machine and manually disables the Secure Boot in BIOS setup.
• The Secure Boot was already turned off on the targeted machine.
• The attackers exploited a zero-day UEFI bug or a known and unpatched flaw in old software or an outdated firmware version.

Additional insights

• One of the ESPecter samples used the keylogging and document-stealing functionality module, showing its interest in surveillance.
• Once executed, ESPecter deploys a backdoor with commands for cyber spying, alongside key logs/documents.
• The malicious code takes screenshots on a regular basis and hides the content inside a hidden directory.

Is it a Chinese campaign?

Conclusion