Cybersecurity firm ESET has identified a new malware strain codenamed “ESPecter”, named for its ability to persist on the ESP (EFI System Partition). It also bypasses Microsoft Windows Driver Signature Enforcement to load its own unsigned driver, which is used to facilitate espionage activities such as document theft, keylogging, and screen monitoring by periodically capturing screenshots.
“After all the years of insignificant changes, those behind ESPecter apparently decided to move their malware from legacy BIOS systems to modern UEFI systems. They decided to achieve this by modifying a legitimate Windows Boot Manager binary (bootmgfw.efi) located on the ESP while supporting multiple Windows versions spanning Windows 7 through Windows 10 inclusive. As we mentioned earlier, this method has one drawback – it requires that the Secure Boot feature be disabled in order to successfully boot with a modified boot manager. However, it’s worth mentioning that the first Windows version supporting Secure Boot was Windows 8, meaning that all previous versions are vulnerable to this persistence method.” reads the blogpost.
According to the technical report published by ESET researchers Martin Smolar and Anton Cherepanov, the threat actors aren’t dependent on UEFI firmware implants for pre-OS persistence. Despite security features such as UEFI Secure Boot, they focus their efforts on creating malware that such safeguards easily prevent when they are enabled.
“Interestingly, we traced the roots of this threat back to at least 2012, previously operating as a bootkit for systems with legacy BIOSes. Despite ESPecter’s long existence, its operations and upgrade to UEFI went unnoticed and have not been documented until now. Note that the only similarity between ESPecter and the Kaspersky FinSpy find is that they share the UEFI boot manager compromise approach.” reads the blogpost.
Whichever variant is used, MBR or UEFI, installation of the driver results in the injection of next-stage user-mode components into specific system processes. These components establish communications with a remote server, allowing an attacker to commandeer the compromised machine and take control, as well as download and execute more malware from the server.
Finally, the researchers noted that this demonstrates that securing UEFI firmware is a difficult task, and that the way vendors apply security policies and use UEFI services is not always ideal. “Even though Secure Boot prevents the execution of untrusted UEFI binaries from the ESP, we have been witness to various UEFI firmware vulnerabilities affecting thousands of devices over the last few years that allow disabling or bypassing Secure Boot.”
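The two preconditions described above, Secure Boot disabled and a modified bootmgfw.efi on the ESP, can be checked on a Windows host. The following script is an added example written for this article, not code from ESET’s report; it assumes an elevated PowerShell session and that drive letter S: is free to mount the ESP on.

```powershell
# Added example (not from ESET's report): check for the two conditions ESPecter's
# UEFI variant relies on. Run from an elevated PowerShell session.
$EspLetter = 'S:'   # assumption: an unused drive letter to mount the ESP on

function Test-SecureBootState {
    try {
        # Returns $true only when the firmware reports Secure Boot enabled
        return [bool](Confirm-SecureBootUEFI)
    } catch {
        # Legacy BIOS boot, or firmware without Secure Boot support: the cmdlet throws
        return $false
    }
}

function Test-BootManagerSignature {
    param([string]$Path)
    # An unmodified Windows Boot Manager carries a valid Microsoft Authenticode signature;
    # a patched copy typically reports 'HashMismatch'
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Path   = $Path
        Status = $sig.Status
        Signer = $sig.SignerCertificate.Subject
        SHA256 = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    }
}

# 1. Secure Boot state: the patched boot manager only boots when it is off
if (Test-SecureBootState) {
    "Secure Boot: enabled"
} else {
    "Secure Boot: DISABLED or unsupported - review this host"
}

# 2. Mount the ESP and verify the Windows Boot Manager is still Microsoft-signed
mountvol $EspLetter /S
try {
    $bootmgr = Join-Path $EspLetter 'EFI\Microsoft\Boot\bootmgfw.efi'
    $result = Test-BootManagerSignature -Path $bootmgr
    $result | Format-List
    if ($result.Status -ne 'Valid') {
        "bootmgfw.efi signature status is $($result.Status) - review this host"
    }
} finally {
    mountvol $EspLetter /D   # always unmount the ESP again
}
```

The recorded SHA256 can be compared against the hash of a known-good bootmgfw.efi from the same Windows build when the signature check alone is not conclusive.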
Additionally, the ESET security team stated that they are not aware of its spreading mechanism and cannot attribute ESPecter to any known threat actor, but that the Chinese debug messages in the associated user-mode client component (as seen in the figure below) lead them to believe, with low confidence, that an unknown Chinese-speaking threat actor is behind ESPecter.
ESET’s report also publishes indicators of compromise (IoCs), covering the C&C IP addresses and domains recovered from configurations, the legacy version installers, and the compromised Windows Boot Manager.