New UEFI bootkit used to backdoor Windows devices since 2012

LASER_oneXM

Level 37
Verified
Feb 4, 2016
2,588
14,581
A newly discovered and previously undocumented UEFI (Unified Extensible Firmware Interface) bootkit has been used by attackers to backdoor Windows systems by hijacking the Windows Boot Manager since 2012.

Bootkits are malicious code planted in the firmware (sometimes targeting UEFI) invisible to security software that runs within the operating system since the malware is designed to load before everything else, in the initial stage of the booting sequence.

They provide threat actors with persistence and control over an operating systems' boot process, making it possible to sabotage OS defenses bypassing the Secure Boot mechanism if the system boot security mode is not properly configured. Enabling 'thorough boot' or 'full boot' mode would block such malware as the NSA explains).

Persistence on the EFI System Partition​

The bootkit, dubbed ESPecter by ESET researchers who found it, achieves persistence on the EFI System Partition (ESP) of compromised devices by loading its own unsigned driver to bypass Windows Driver Signature Enforcement.
 

jetman

Level 9
Verified
Jun 6, 2017
403
1,434
Would the Microsoft Defender Offline Scan (or similar) discover such a rootkit ? This performs a scan before the Windows operating system loads I think.
 

plat1098

Level 25
Verified
Sep 13, 2018
1,488
12,945
Clipped from BC article:

They provide threat actors with persistence and control over an operating systems' boot process, making it possible to sabotage OS defenses bypassing the Secure Boot mechanism if the system boot security mode is not properly configured. Enabling 'thorough boot' or 'full boot' mode would block such malware as the NSA explains).

If this malware can bypass Secure Boot, there may well be others in the future. Secure Boot sure was a hassle to locate and enable on here for Windows 11 so this finding is a little disappointing. I had higher expectations for Secure Boot.
 

Andy Ful

Level 73
Verified
Trusted
Developer
Dec 23, 2014
6,267
42,705
...
If this malware can bypass Secure Boot, there may well be others in the future. Secure Boot sure was a hassle to locate and enable on here for Windows 11 so this finding is a little disappointing. I had higher expectations for Secure Boot.

The attack required disabling Secure Boot.

For Windows OS versions that support Secure Boot, the attacker would need to disable it. For now, it’s unknown how the ESPecter operators achieved this, but there are a few possible scenarios:

  • The attacker has physical access to the device (historically known as an “evil maid” attack) and manually disables Secure Boot in the BIOS setup menu (it is common for the firmware configuration menu to still be labeled and referred to as the “BIOS setup menu”, even on UEFI systems).
  • Secure Boot was already disabled on the compromised machine (e.g., user might dual-boot Windows and other OSes that do not support Secure Boot).
  • Exploiting an unknown UEFI firmware vulnerability that allows disabling Secure Boot.
  • Exploiting a known UEFI firmware vulnerability in the case of an outdated firmware version or a no-longer-supported product.


Due to vulnerabilities in UEFI firmware such attacks were predicted several years ago. Microsoft developed a new security boundary (Virtualization-based Security) to protect Windows kernel.
Of course, if the attacker would have physical access to the machine then he/she could disable both VBS and Secure Boot.:(
 
Last edited:
Top