"New ESPecter UEFI Bootkit Discovered"

Researchers at ESET have discovered a new Unified Extensible Firmware Interface (UEFI) bootkit that can infect machines running Windows 7 through Windows 10 and maintains persistence on the EFI System Partition (ESP) by installing a malicious Windows Boot Manager. The new malware, dubbed ESPecter, is similar to the recently disclosed UEFI bootkit named FinSpy. ESPecter's initial infection vector is still unclear, but it is believed to be used mainly to steal information and carry out espionage.

Most UEFI bootkits discovered in the wild have been SPI flash implants rather than ESP implants; both kinds aim to gain control of the lowest level of the machine's boot process while remaining hidden and persistent without any apparent sign of compromise. In ESPecter's case, this is achieved by patching the Windows Boot Manager, which controls the boot process from the moment the machine starts up. By patching the Windows Boot Manager, attackers gain execution early in the boot process, before the operating system is fully loaded. This allows ESPecter to circumvent Windows Driver Signature Enforcement (DSE) and launch its unsigned driver at system startup. The unsigned driver then injects further user-mode components into specific processes, which communicate with the malware's command-and-control (C&C) server and enable the threat actor to take over the compromised machine by downloading additional malware or executing C&C commands. This article continues to discuss the history and key findings surrounding ESPecter.

Decipher reports "New ESPecter UEFI Bootkit Discovered"