ESPecter started life as a bootkit for legacy BIOS (MBR-booting) systems and was later rewritten to support UEFI.
On UEFI systems the infection lives on the EFI System Partition (ESP) as a patch applied to the Windows Boot Manager (bootmgfw.efi).
The patch lets the malware bypass Windows Driver Signature Enforcement (DSE) and load its own unsigned kernel driver; because a modified boot manager no longer carries a valid signature, this only works when Secure Boot is not enforcing.
Once loaded, the driver injects user-mode components that establish the connection to the attacker's C2 server.
How do attackers disable Secure Boot?
ESPecter needs Secure Boot to be off, and according to the researchers that state can be reached in one of the following ways:
The attacker has physical access to the target machine and disables Secure Boot manually in the firmware setup.
Secure Boot was already turned off on the targeted machine.
The attacker exploited a zero-day UEFI vulnerability, or a known but unpatched flaw in outdated firmware, to disable it.
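The checks a defender would want after reading the two sections above, written as an added PowerShell example (this is not ESET's code and not part of the original article): is Secure Boot actually enforcing, does the Windows Boot Manager on the ESP still carry a valid Microsoft Authenticode signature (any patch to bootmgfw.efi breaks the signed hash), and has DSE been weakened through BCD flags. The drive letter S: for the ESP and the bootmgfw.efi path are assumptions; the cmdlets and commands used (Confirm-SecureBootUEFI, Get-AuthenticodeSignature, Get-FileHash, mountvol, bcdedit) are standard Windows tooling.

```powershell
# Added example, not ESET's or the article's code. Run from an elevated prompt.
# Assumptions: S: is free for mounting the ESP; bootmgfw.efi sits at the default path.
#Requires -RunAsAdministrator

function Test-SecureBootState {
    try {
        $enabled = Confirm-SecureBootUEFI -ErrorAction Stop
    } catch {
        # Throws on legacy BIOS / CSM systems, where there are no UEFI variables to read
        return [pscustomobject]@{ Check = 'SecureBoot'; Status = 'NotUEFI'; Detail = $_.Exception.Message }
    }
    [pscustomobject]@{
        Check  = 'SecureBoot'
        Status = $(if ($enabled) { 'Enabled' } else { 'Disabled' })
        Detail = $null
    }
}

function Test-BootManagerSignature {
    param([string]$EspDrive = 'S:')   # assumed free drive letter
    $bootmgr = Join-Path $EspDrive 'EFI\Microsoft\Boot\bootmgfw.efi'
    $mounted = $false
    if (-not (Test-Path $bootmgr)) {
        # mountvol /S assigns a drive letter to the EFI System Partition
        mountvol $EspDrive /S | Out-Null
        $mounted = $true
    }
    try {
        if (-not (Test-Path $bootmgr)) {
            return [pscustomobject]@{ Check = 'BootManager'; Status = 'Missing'; Detail = $bootmgr }
        }
        $sig    = Get-AuthenticodeSignature -FilePath $bootmgr
        $hash   = (Get-FileHash -Path $bootmgr -Algorithm SHA256).Hash
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }
        # A patched boot manager yields HashMismatch (or NotSigned); only Valid + Microsoft signer passes
        $status = if ($sig.Status -eq 'Valid' -and $signer -match 'Microsoft') { 'Valid' } else { 'SUSPECT' }
        [pscustomobject]@{
            Check  = 'BootManager'
            Status = $status
            Detail = "sig=$($sig.Status) signer=$signer sha256=$hash"
        }
    } finally {
        if ($mounted) { mountvol $EspDrive /D | Out-Null }
    }
}

function Test-DseBcdFlags {
    # Boot-time integrity settings on the current OS loader entry; either flag weakens DSE
    $bcd = bcdedit /enum '{current}' 2>&1 | Out-String
    $findings = @()
    if ($bcd -match 'testsigning\s+Yes')       { $findings += 'testsigning=Yes' }
    if ($bcd -match 'nointegritychecks\s+Yes') { $findings += 'nointegritychecks=Yes' }
    [pscustomobject]@{
        Check  = 'DSE'
        Status = $(if ($findings.Count) { 'Weakened' } else { 'Enforced' })
        Detail = ($findings -join ', ')
    }
}

@(Test-SecureBootState; Test-BootManagerSignature; Test-DseBcdFlags) | Format-Table -AutoSize
```

Treat a SUSPECT boot manager or a Disabled Secure Boot result as a reason to image the ESP rather than a verdict: once a bootkit's driver is running, it can filter what the live system sees, so the signature and hash check is most trustworthy when run offline (from WinPE or against the disk mounted on a clean machine) and compared with the hash of a known-good bootmgfw.efi from Windows install media of the same build.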
One of the ESPecter samples carried a keylogging and document-stealing module, which points to surveillance as the operators' goal.
Once running, ESPecter deploys a backdoor whose commands serve espionage, collecting keystrokes and documents.
It also takes screenshots at regular intervals and stores them in a hidden directory on the victim machine.
Is it a Chinese campaign?
There is not enough evidence at present to attribute the campaign to a known threat actor. However, artifacts in the malware's components indicate that its developers are Chinese-speaking.
Several UEFI firmware vulnerabilities disclosed in recent years allow an attacker to disable Secure Boot, and systems running outdated firmware are the ones most exposed to bootkits such as ESPecter. Keep firmware and the operating system patched, confirm that Secure Boot is actually enabled rather than merely supported, and verify the signature of the Windows Boot Manager on the ESP when a compromise is suspected.