A rare Windows UEFI bootkit malware has been discovered, offering attackers a path to cyber-espionage.
Researchers have warned that the bootkit’s goal is to install a full-featured backdoor on a target PC which “supports a rich set of commands and contains various automatic data exfiltration capabilities, including document stealing, keylogging and monitoring of the victim’s screen by periodically taking screenshots.”
The UEFI (Unified Extensible Firmware Interface) is the embedded firmware component responsible for securing the computing environment at startup and loading the operating system. As such, it’s an ideal place to plant malware to ensure its persistence, since UEFI loads no matter what changes or restarts the OS goes through.
The new malicious bootkit, which researchers have named ESPecter, installs itself on the EFI System Partition (ESP). The ESP contains the boot loaders and kernel images that UEFI uses to start installed OSes and various utilities at boot time.
Researchers said: “Attackers achieve execution in the early stages of the system-boot process, before the operating system is fully loaded. This allows ESPecter to bypass Windows Driver Signature Enforcement (DSE) in order to execute its own unsigned driver at system startup.”
The driver then injects other user-mode components into specific system processes, and those in turn connect to a command-and-control (C2) server. After that connection is made, attackers can commence downloading and running additional malware or executing various commands to take full control of the machine.
Interestingly, the researchers’ analysis of ESPecter shows that its origins stretch back to 2012, when it used Master Boot Record (MBR) modification as its persistence method. However, development has been fairly dormant: since then, there had only been “insignificant changes” to the code until last year.
Researchers aren’t sure yet how it’s distributed, but once ESPecter finds its way onto a PC, it begins its UEFI infection by modifying a legitimate Windows Boot Manager binary. Researchers said: “In order to successfully drop its malicious payload, ESPecter needs to modify the Boot Manager in order to bypass integrity checks [that prevent execution of rogue bootkit elements].”
Boot Manager is responsible for finding an installed OS within the ESP and transferring the execution task for that OS to a kernel loader. That OS kernel loader then loads and executes the next component in the boot chain – the Windows kernel itself, which contains the linchpin DSE security check mentioned earlier.
Researchers said that they don’t know how ESPecter is specifically distributed, but regarding the initial compromise, it’s likely that it takes advantage of one of the various UEFI firmware vulnerabilities that allow disabling or bypassing Secure Boot.
Secure Boot is a security standard for PCs using UEFI that ensures that devices boot using only trusted software. For most computers, it’s the main barrier to compromise at the startup layer, and it must be disabled in order to successfully boot with a modified boot manager.
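The two conditions described above, Secure Boot being enabled and the Windows Boot Manager on the ESP being untampered, are both things an administrator can verify from the running system. The following PowerShell script is an added example and is not part of the original article or the researchers’ material; it uses the built-in Confirm-SecureBootUEFI cmdlet, mounts the ESP with mountvol /S, and checks the Authenticode signature of bootmgfw.efi. The drive letter S: and the function name are assumptions; run it from an elevated prompt.

```powershell
# Added example (not from the original article): a defender-side check for the
# two conditions the article describes, run from an elevated PowerShell prompt.
# 1. Is Secure Boot enabled? (Confirm-SecureBootUEFI is the built-in cmdlet.)
# 2. Does the Windows Boot Manager on the ESP still carry a valid Microsoft
#    Authenticode signature? A modified bootmgfw.efi fails this check.
# The drive letter S: and the function name are assumptions made for this example.

function Test-BootChainIntegrity {
    param(
        [string]$EspDriveLetter = 'S'
    )

    $result = [ordered]@{
        SecureBootEnabled = $null
        BootManagerPath   = $null
        SignatureStatus   = $null
        SignerSubject     = $null
    }

    # Confirm-SecureBootUEFI throws on legacy BIOS machines; treat that as "not enabled".
    try {
        $result.SecureBootEnabled = Confirm-SecureBootUEFI
    } catch {
        $result.SecureBootEnabled = $false
    }

    # Mount the EFI System Partition (mountvol /S is the documented switch for the ESP).
    $mountPoint = "${EspDriveLetter}:"
    mountvol $mountPoint /S | Out-Null
    try {
        $bootMgr = Join-Path $mountPoint 'EFI\Microsoft\Boot\bootmgfw.efi'
        $result.BootManagerPath = $bootMgr
        if (Test-Path $bootMgr) {
            # EFI binaries are PE/COFF files, so the normal Authenticode check applies.
            $sig = Get-AuthenticodeSignature -FilePath $bootMgr
            $result.SignatureStatus = $sig.Status.ToString()
            $result.SignerSubject   = $sig.SignerCertificate.Subject
        } else {
            $result.SignatureStatus = 'FileNotFound'
        }
    } finally {
        # Always unmount the ESP again, even if the signature check failed.
        mountvol $mountPoint /D | Out-Null
    }

    [pscustomobject]$result
}

$check = Test-BootChainIntegrity
$check | Format-List

if (-not $check.SecureBootEnabled) {
    Write-Warning 'Secure Boot is disabled: a modified boot manager could be loaded at startup.'
}
if ($check.SignatureStatus -ne 'Valid' -or $check.SignerSubject -notmatch 'Microsoft') {
    Write-Warning 'Windows Boot Manager on the ESP does not carry a valid Microsoft signature; investigate.'
}
```

A healthy machine reports SecureBootEnabled as True and SignatureStatus as Valid with a Microsoft signer. Either warning is worth following up: Secure Boot disabled removes the barrier the article describes, and a Boot Manager that no longer validates is exactly the modification ESPecter relies on. Running the check periodically and logging the result gives a simple baseline to compare against.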
The good news for businesses is that by keeping PCs up to date and correctly configured, they can help prevent an ESPecter attack from succeeding. Neuways advises applying security patches and updates to PCs as soon as they are issued by the provider. This is one of the key factors in a safe and secure IT system.