UEFI Bootkit Targeting Windows PCs Spotted

A new UEFI malware targeting Windows systems was built by an unknown Chinese cybercriminal who has yet to be recognized.

UEFI Bootkit Targeting Windows PCs Spotted
UEFI Bootkit Targeting Windows PCs Spotted | Image credits: MakeUseOf

According to a report published on Tuesday by security researchers, threat actors have been using an undocumented UEFI (Unified Extensible Firmware Interface) bootkit to acquire persistence on Windows PCs since at least 2012, according to The Hacker News. That technology, which is designed to provide security prior to installing the operating system, is quickly becoming a tempting target.

Slovak cybersecurity firm ESET codenamed the new malware ESPecter because it circumvents Microsoft Windows Driver Signature Enforcement to load its own unsigned driver that can be used for espionage activities such as keylogging, document theft, and screen monitoring by periodically taking screenshots, in addition to circumventing Microsoft Windows Driver Signature Enforcement. The path that the malware took to get into the system is still a mystery.

Since its inception as a bootkit for computers with legacy BIOSes in 2012, ESPecter's creators have added compatibility for new Windows OS versions while making only minor changes to the malware's modules. ESPecter's malware was moved from legacy BIOS computers to new UEFI platforms in 2020, which was the most significant shift.

A new case of UEFI malware has been discovered in the wild, following the discovery of LoJax and MosaicRegressor, as well as the most recent discovery of FinFisher, which used a modified Windows Boot Manager to remain on the ESP.

ESET researchers Anton Cherepanov and Martin Smolár said, "ESPecter shows that threat actors are relying not only on UEFI firmware implants when it comes to pre-OS persistence and, despite the existing security mechanisms like UEFI Secure Boot, invest their time into creating malware that would be easily blocked by such mechanisms, if enabled and configured correctly,"

The bootkit could have been produced by an unknown Chinese threat actor

The persistence of ESPecter is achieved by modifying the master boot record (MBR) code located in the first physical sector of the disk drive in order to interfere with the boot manager and load a malicious kernel driver, which is designed to load additional user-mode payloads and configure the keylogger before erasing its own traces from the computer.

Injecting next-stage user-mode components into specific system processes allows an attacker to establish communications with a remote server, allowing him or her to commandeer the compromised machine and take over control, as well as download and execute additional malware or commands fetched from the remote server, according to the MBR or UEFI specifications.

But the existence of Chinese debug messages in the user-mode client payload, according to ESET, has led to suspicions that the bootkit is the work of a Chinese-speaking threat actor who has yet to be identified.