
A New UEFI Bootkit That Targets Windows Computers.

Cybersecurity firm ESET has identified new malware codenamed “ESPecter”, named for its ability to persist on the ESP (EFI System Partition). It bypasses Microsoft Windows Driver Signature Enforcement to load its own unsigned driver, which is used to facilitate espionage activities such as document theft, keylogging, and screen monitoring by periodically capturing screenshots.

“After all the years of insignificant changes, those behind ESPecter apparently decided to move their malware from legacy BIOS systems to modern UEFI systems. They decided to achieve this by modifying a legitimate Windows Boot Manager binary (bootmgfw.efi) located on the ESP while supporting multiple Windows versions spanning Windows 7 through Windows 10 inclusive. As we mentioned earlier, this method has one drawback – it requires that the Secure Boot feature be disabled in order to successfully boot with a modified boot manager. However, it’s worth mentioning that the first Windows version supporting Secure Boot was Windows 8, meaning that all previous versions are vulnerable to this persistence method,” reads the blogpost.

According to a technical report published by ESET researchers Martin Smolar and Anton Cherepanov, the threat actors are not dependent on UEFI firmware implants for pre-OS persistence. Despite security features such as UEFI Secure Boot, they focus their efforts on creating malware that such safeguards would easily block.

Source: ESET

“Interestingly, we traced the roots of this threat back to at least 2012, previously operating as a bootkit for systems with legacy BIOSes. Despite ESPecter’s long existence, its operations and upgrade to UEFI went unnoticed and have not been documented until now. Note that the only similarity between ESPecter and the Kaspersky FinSpy find is that they share the UEFI boot manager compromise approach,” reads the blogpost.

Whether the MBR or the UEFI variant is used, installation of the driver results in the injection of next-stage user-mode components into specific system processes. These components establish communication with a remote server, allowing an attacker to take control of the compromised machine and to download and execute additional malware from the server.

Finally, the researchers noted that this demonstrates that securing UEFI firmware is a difficult task, and that the way vendors apply security policies and use UEFI services is not always ideal. “Even though Secure Boot prevents the execution of untrusted UEFI binaries from the ESP, we have been witness to various UEFI firmware vulnerabilities affecting thousands of devices over the last few years that allow disabling or bypassing Secure Boot.”

Additionally, the ESET security team said that they are not aware of its spreading mechanism and cannot attribute ESPecter to any known threat actor, but that the Chinese debug messages in the associated user-mode client component (shown in the figure below) lead them to believe, with low confidence, that an unknown Chinese-speaking threat actor is behind ESPecter.

Indicators of Compromise (IoCs)

C&C IP addresses and domains from configurations

196.1.2[.]111
103.212.69[.]175
183.90.187[.]65
61.178.79[.]69
swj02.gicp[.]net
server.microsoftassistant[.]com
yspark.justdied[.]com
crystalnba[.]com

Legacy version installers

ABC03A234233C63330C744FDA784385273AF395B
DCD42B04705B784AD62BB36E17305B6E6414F033
656C263FA004BB3E6F3EE6EF6767D101869C7F7C
A8B4FE8A421C86EAE060BB8BF525EF1E1FC133B2
3AC6F9458A4A1A16390379621FDD230C656FC444
9F6DF0A011748160B0C18FB2B44EBE9FA9D517E9
2C22AE243FDC08B84B38D9580900A9A9E3823ACF
08077D940F2B385FBD287D84EDB58493136C8391
1D75BFB18FFC0B820CB36ACF8707343FA6679863
37E49DBCEB1354D508319548A7EFBD149BFA0E8D
7F501AEB51CE3232A979CCF0E11278346F746D1F

Compromised Windows Boot Manager

27AD0A8A88EAB01E2B48BA19D2AAABF360ECE5B8
8AB33E432C8BEE54AE759DFB5346D21387F26902
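The indicators above are only useful if they are actually checked against hosts. The following Python script is an added example (not code from ESET or from the original post) that turns the published IoCs into two defender-side checks: it hashes every .efi file under a mounted ESP and compares the digests with the compromised Windows Boot Manager hashes, and it scans DNS/proxy log lines for the listed C&C domains and IP addresses. It assumes the 40-hex-character hashes are SHA-1 values, refangs the "[.]" notation before matching, and uses a constructed temporary ESP tree plus constructed log lines for the demonstration; the empty-file SHA-1 is injected as a stand-in "bad" hash only so that the scan path can be exercised without real malware.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# SHA-1 hashes of the compromised Windows Boot Manager files from the IoC list above
COMPROMISED_BOOTMGR_SHA1 = {
    "27AD0A8A88EAB01E2B48BA19D2AAABF360ECE5B8",
    "8AB33E432C8BEE54AE759DFB5346D21387F26902",
}

# Defanged C&C indicators exactly as published ("[.]" stands for "."); refanged before use
RAW_NETWORK_IOCS = [
    "196.1.2[.]111", "103.212.69[.]175", "183.90.187[.]65", "61.178.79[.]69",
    "swj02.gicp[.]net", "server.microsoftassistant[.]com",
    "yspark.justdied[.]com", "crystalnba[.]com",
]

# Constructed sample log lines (not real telemetry) in a generic "key=value" format
SAMPLE_LOG = [
    "2021-10-05T09:12:01Z client=10.0.0.8 query=server.microsoftassistant.com type=A",
    "2021-10-05T09:12:02Z client=10.0.0.8 query=update.example.org type=A",
    "2021-10-05T09:13:44Z client=10.0.0.8 dst=183.90.187.65:443 proto=tcp",
]

# SHA-1 of zero bytes; used only as a constructed stand-in "bad" hash in demo()
EMPTY_FILE_SHA1 = "DA39A3EE5E6B4B0D3255BFEF95601890AFD80709"


def refang(indicator: str) -> str:
    """Convert the defanged form used in reports back into a matchable hostname/IP."""
    return indicator.replace("[.]", ".").lower()


NETWORK_IOCS = {refang(i) for i in RAW_NETWORK_IOCS}


def sha1_of_file(path) -> str:
    """Stream the file through SHA-1; upper-case hex to match the report's format."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest().upper()


def scan_esp(esp_root, bad_hashes=COMPROMISED_BOOTMGR_SHA1):
    """Hash every .efi file under the ESP root (case-insensitive suffix, since the ESP is FAT).

    Returns {relative POSIX path: sha1} for files whose digest is in bad_hashes."""
    root = Path(esp_root)
    hits = {}
    for p in root.rglob("*"):
        if not p.is_file() or p.suffix.lower() != ".efi":
            continue
        digest = sha1_of_file(p)
        if digest in bad_hashes:
            hits[p.relative_to(root).as_posix()] = digest
    return hits


# Tokens that can form a hostname or dotted-quad IP; ':' and '=' act as separators
TOKEN_RE = re.compile(r"[A-Za-z0-9.-]+")


def match_network_iocs(log_lines, iocs=NETWORK_IOCS):
    """Return (line_number, indicator) pairs for lines that mention a listed C&C host."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        for tok in TOKEN_RE.findall(line):
            t = tok.lower().strip(".")
            if t in iocs:
                hits.append((n, t))
    return hits


def demo():
    """Build a constructed ESP layout in a temp dir and run both a clean and a flagged scan."""
    with tempfile.TemporaryDirectory() as tmp:
        boot_dir = Path(tmp) / "EFI" / "Microsoft" / "Boot"
        boot_dir.mkdir(parents=True)
        (boot_dir / "bootmgfw.efi").write_bytes(b"")                  # placeholder boot manager
        (boot_dir / "memtest.efi").write_bytes(b"constructed content")  # unrelated EFI binary
        clean = scan_esp(tmp)                                           # real IoC set: no match
        flagged = scan_esp(tmp, COMPROMISED_BOOTMGR_SHA1 | {EMPTY_FILE_SHA1})
        return clean, flagged


if __name__ == "__main__":
    print("ESP scan (clean, flagged):", demo())
    print("network IoC hits:", match_network_iocs(SAMPLE_LOG))
```

On a real Windows host the ESP can be mounted with `mountvol` to a spare drive letter and that path handed to `scan_esp`; a hash match on bootmgfw.efi is high-confidence, but an absent match does not prove a clean boot manager, so the stronger routine check is that Secure Boot is enabled and that the boot manager carries a valid Microsoft signature.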

Source: ESET

