ESPecter Description

A malware threat that has potentially been able to avoid detection for nearly a decade has finally been caught by infosec researchers. Discovered by cybersecurity experts, the threat named ESPecter is a bootkit designed to load unsigned drivers to the infected systems ESP (EFI System Partition) drive.

The researchers traced the origins of the threat to at least 2012. During this significant period, the most drastic change undergone by the malware is the switch from targeting legacy BIOS and Master Boot Record to their successor UEFI. The Unified Extensible Firmware Interface or UEFI is a crucial component that connects the machine's firmware with the operating system.

So far ESPecter has not been attributed to any specific threat actor, due to lack of sufficient evidence. Certain signs found in the threat's components, such as its debug messages, suggest that its creators are Chinese-speaking individuals. The distribution method used in the delivery of ESPecter is similarly unknown at the moment. The threat actor could be using a zero-day UEFI vulnerability, a known but still unpatched bug, or may have physical access to the targeted machines.

Technical Details

ESPecter places itself in the ESP and establishes its persistence via a patch applied to the Windows Boot Manager. Furthermore, the patch provides ESPecter with the ability to completely bypass the Windows Driver Signature Enforcement (DSE) protocols and load its own unsigned drivers to the compromised machine. The threat also can inject additional unsafe components to establish a connection to the attacker's Command-and-Control (C2, C&C) server.

Researchers discovered keylogging and file-stealing modules on the systems infected with ESPecter, indicating that the main goal of the threat actor could be cyber-espionage and surveillance of the chosen targets. Indeed, ESPecter also is equipped with the functionality to take arbitrary screenshots and store them in a hidden directory, alongside the collected key logs and documents.

However, to perform its threatening activities, ESPecter needs the Secure Boot feature on the system to be disabled. Secure Boot was first introduced as a Windows feature with the release of Windows 8 so all earlier versions of the OS automatically become susceptible to an ESPecter attack. Using a more recent Windows version is not enough, though. Numerous UEFI firmware vulnerabilities have emerged in the past couple of years that allow attackers to disable or outright bypass Secure Boot.