ESPecter
EnigmaSoft Threat Scorecard
EnigmaSoft Threat Scorecards are assessment reports for different malware threats which have been collected and analyzed by our research team. EnigmaSoft Threat Scorecards evaluate and rank threats using several metrics including real-world and potential risk factors, trends, frequency, prevalence, and persistence. EnigmaSoft Threat Scorecards are updated regularly based on our research data and metrics and are useful for a wide range of computer users, from end users seeking solutions to remove malware from their systems to security experts analyzing threats.
EnigmaSoft Threat Scorecards display a variety of useful information, including:
Popularity Rank: The ranking of a particular threat in EnigmaSoft’s Threat Database.
Severity Level: The determined severity level of an object, represented numerically, based on our risk modeling process and research, as explained in our Threat Assessment Criteria.
Infected Computers: The number of confirmed and suspected cases of a particular threat detected on infected computers as reported by SpyHunter.
| Metric | Value |
|---|---|
| Threat Level: | 100 % (High) |
| Infected Computers: | 1 |
| First Seen: | October 8, 2021 |
| Last Seen: | October 8, 2021 |
| OS(es) Affected: | Windows |
A malware threat that has potentially evaded detection for nearly a decade has finally been caught by infosec researchers. The threat, named ESPecter, is a bootkit that resides on the infected system's ESP (EFI System Partition) and is designed to load unsigned drivers.
The researchers traced the origins of the threat back to at least 2012. Over that period, the most drastic change the malware underwent was the switch from targeting the legacy BIOS and Master Boot Record to their successor, UEFI. The Unified Extensible Firmware Interface, or UEFI, is the crucial component that connects the machine's firmware with the operating system.
So far ESPecter has not been attributed to any specific threat actor, due to a lack of sufficient evidence. Certain signs found in the threat's components, such as its debug messages, suggest that its creators are Chinese-speaking individuals. The distribution method used to deliver ESPecter is likewise unknown at the moment. The threat actor could be using a zero-day UEFI vulnerability, a known but still unpatched bug, or may have physical access to the targeted machines.
Technical Details
ESPecter places itself in the ESP and establishes persistence via a patch applied to the Windows Boot Manager. The same patch gives ESPecter the ability to completely bypass Windows Driver Signature Enforcement (DSE) and load its own unsigned drivers on the compromised machine. The threat can also inject additional unsafe components that establish a connection to the attacker's Command-and-Control (C2, C&C) server.
Researchers discovered keylogging and file-stealing modules on systems infected with ESPecter, indicating that the threat actor's main goal could be cyber-espionage and surveillance of the chosen targets. Indeed, ESPecter is also equipped with the functionality to take arbitrary screenshots and store them in a hidden directory, alongside the collected key logs and documents.
However, to perform its threatening activities, ESPecter needs the Secure Boot feature on the system to be disabled. Secure Boot was first introduced as a Windows feature with the release of Windows 8, so all earlier versions of the OS are automatically susceptible to an ESPecter attack. Using a more recent Windows version is not enough on its own, though. Numerous UEFI firmware vulnerabilities have emerged in the past couple of years that allow attackers to disable or outright bypass Secure Boot.
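The three conditions described above (Secure Boot state, weakened driver signature enforcement, and a patched or unsigned PE file on the ESP) can be checked from the defender's side. The script below is an added example, not code from the page or from the researchers who analysed ESPecter; it assumes an elevated PowerShell session on a UEFI Windows host and that the drive letter S: is free for temporarily mounting the ESP.

```powershell
#Requires -RunAsAdministrator
# Added defensive check (not from the original page): look for the preconditions and
# on-disk traces an ESPecter-style bootkit leaves behind. Assumes S: is an unused letter.

$findings = @()

# 1. Secure Boot state: the bootkit needs it disabled (or bypassed) to run a patched boot manager.
try {
    if (-not (Confirm-SecureBootUEFI)) { $findings += 'Secure Boot is disabled' }
} catch {
    $findings += "Secure Boot state could not be read (legacy BIOS or unsupported firmware): $($_.Exception.Message)"
}

# 2. Boot configuration flags that weaken Driver Signature Enforcement.
$bcd = bcdedit /enum '{current}' 2>$null
if ($bcd -match 'testsigning\s+Yes')       { $findings += 'testsigning is enabled in the BCD' }
if ($bcd -match 'nointegritychecks\s+Yes') { $findings += 'nointegritychecks is enabled in the BCD' }

# 3. Mount the ESP and verify the Authenticode signature of every PE file on it.
$esp = 'S:'
mountvol $esp /S | Out-Null
try {
    $peFiles = Get-ChildItem -Path "$esp\" -Recurse -Include *.efi, *.sys, *.dll -File -ErrorAction SilentlyContinue
    foreach ($f in $peFiles) {
        $sig  = Get-AuthenticodeSignature -FilePath $f.FullName
        $hash = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
        # A patched bootmgfw.efi no longer carries a valid signature, and an unsigned
        # driver staged on the ESP has no legitimate reason to be there.
        if ($sig.Status -ne 'Valid') {
            $findings += "Signature $($sig.Status): $($f.FullName) (SHA256 $hash)"
        } elseif ($sig.SignerCertificate.Subject -notmatch 'Microsoft') {
            # OEM-signed firmware tools can land here too; review rather than auto-block.
            $findings += "Non-Microsoft signer on ESP: $($f.FullName) ($($sig.SignerCertificate.Subject))"
        }
    }
} finally {
    mountvol $esp /D | Out-Null   # always release the drive letter, even on error
}

if ($findings.Count -eq 0) {
    'No ESPecter-style indicators found'
} else {
    $findings | ForEach-Object { "FINDING: $_" }
}
```

Compare any reported SHA256 against a known-good copy of bootmgfw.efi from installation media of the same Windows build before treating a finding as confirmed tampering.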