Skip to content

ESET Research discovers ESPecter, a UEFI bootkit for cyberespionage

BRATISLAVA — ESET researchers have discovered a previously undocumented real-world UEFI bootkit that persists on the EFI System Partition (ESP). The bootkit, which ESET has named ESPecter, can bypass Windows Driver Signature Enforcement to load its own unsigned driver, which facilitates its espionage activities. ESPecter is the second discovery of a UEFI bootkit persisting on the ESP and shows how real-world UEFI threats are no longer limited to SPI flash implants as used by Lojax, which was discovered by ESET in 2018.

ESPecter was discovered on a compromised machine along with a user-mode client component with keylogging and document-stealing functionalities, which is why ESET Research believes ESPecter is mainly used for espionage. “Interestingly, we traced the roots of this threat back to at least 2012; it was previously operating as a bootkit for systems with legacy BIOSes. Despite ESPecter’s long existence, its operations and upgrade to UEFI went unnoticed and have not been documented until now,” says ESET researcher Anton Cherepanov, who discovered and analyzed the threat with ESET researcher Martin Smolár.

“In the last few years, we have seen proof-of-concept examples of UEFI bootkits, leaked documents, and even leaked source code suggesting the existence of real UEFI malware either in the form of SPI flash implants or ESP implants. Despite all of the above, only four real-world cases of UEFI malware have been discovered, including ESPecter,” explains Cherepanov.

Looking at ESET telemetry, ESET Research was able to date the beginnings of this bootkit back to at least 2012. What is interesting is that the malware’s components have barely changed over all these years, and the differences between the 2012 and 2020 versions are not as significant as one would expect. After all the years of insignificant changes, the threat actors behind ESPecter apparently decided to move their malware from legacy BIOS systems to modern UEFI systems.

The second payload deployed by ESPecter is a backdoor that supports a rich set of commands and contains various automatic data exfiltration capabilities, including document stealing, keylogging, and monitoring of the victim’s screen by periodically taking screenshots. All of the collected data is stored in a hidden directory.

“ESPecter shows that threat actors are relying on UEFI firmware implants when it comes to pre-OS persistence and, despite the existing security mechanisms like UEFI Secure Boot, invest their time into creating malware that would be easily blocked by such mechanisms, if enabled and configured correctly,” adds Smolár.

To keep safe from ESPecter or threats similar to it, ESET advises users to follow these simple rules: always use the latest firmware version; make sure the system is properly configured and Secure Boot is enabled; and configure Privileged Account Management to help prevent adversaries from accessing privileged accounts needed for bootkit installation.

For more technical details about ESPecter, read the blogpost “UEFI threats moving to the ESP: Introducing ESPecter bootkit” on WeLiveSecurity. Make sure to follow ESET Research on Twitter for the latest news from ESET Research.

About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About ESET
For 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint security to encryption and two-factor authentication, ESET’s high-performing, easy-to-use products give individuals and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D facilities worldwide, ESET became the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single “in-the-wild” malware without interruption since 2003.