[TheRecord] Security researchers find another UEFI bootkit used for cyber-espionage

The number of UEFI bootkits used in targeted attacks has been slowly growing in recent years, highlighting that threat actors have found reliable and stealthy methods to abuse the UEFI component to deploy highly persistent malware on targeted systems using a mechanism thought to be more secure than the older BIOS technology.

Past examples of UEFI bootkits include:

FinSpy – a UEFI bootkit component used with the government-grade FinFisher spyware, discovered last week by security firm Kaspersky.
Demodex – a UEFI bootkit used by a Chinese cyber-espionage group since July 2020, also disclosed last week by security firm Kaspersky.
LoJax – a UEFI bootkit used by Russian state hackers since 2018 in attacks across Europe.
Hacking Team Vector EDK – a UEFI bootkit that was part of the now-defunct HackingTeam’s malware arsenal.
DerStarke and QuarkMatter – UEFI rootkits that were part of the CIA’s hacking tools leaked in 2016 as part of the Vault7 trove.

The latest addition to this list is ESPecter, a UEFI bootkit that was detailed for the first time in a report published today by Slovak security firm ESET.

Attacks using this new malware were spotted as far back as 2012. However, ESET researchers said that ESPecter didn’t start out as a UEFI bootkit from the get-go, with initial versions being configured to attack systems using legacy BIOS components.

But ESET said that in 2020, the attackers upgraded the ESPecter code to attack modern UEFI systems.

“What is interesting is that the malware’s components have barely changed over all these years and the differences between 2012 and 2020 versions are not as significant as one would expect,” ESET researchers Anton Cherepanov and Martin Smolár explained today.

ESET researchers said they still don’t know how attackers are carrying out the first stages of the attacks. It’s unclear whether they are gaining physical access to hacked systems or are using classic phishing and booby-trapped Office documents to deploy ESPecter on a target’s network.

However, once the installation process begins, the initial ESPecter components modify the Windows Boot Manager component and bypass the Windows Driver Signature Enforcement (DSE) to load and run an unsigned malicious driver — the actual ESPecter bootkit payload.

Image: ESET

After installing this latter component, ESET said that attackers usually use ESPecter to deploy other malware and survive OS reinstalls. Malware spotted in past attacks includes a backdoor trojan that attackers used to search for sensitive files on the local system, take periodic screenshots of the victim’s screen, and run a keylogger to monitor key presses.

While ESET didn’t connect or attribute ESPecter to any known major threat actor, the advanced and complex nature of the code, along with its silent use for target monitoring, led researchers to believe they were looking at a state-sponsored cyber-espionage tool.

In addition, the ESET team pointed out that ESPecter is only the second known UEFI bootkit, after the recently discovered FinSpy, that (ab)uses the EFI System Partition (ESP) as its entry point. This sets both apart from most earlier UEFI bootkits, which instead implant themselves in the UEFI SPI flash memory.
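Because an ESP-resident bootkit lives on an ordinary FAT partition rather than in SPI flash, defenders can inspect it from the running OS. The following PowerShell snippet is an added defensive example, not code from the ESET report or The Record: it mounts the ESP, verifies the Authenticode signature of every EFI binary including the Windows Boot Manager that the article says ESPecter modifies, records SHA-256 baselines, and checks Secure Boot state and BCD flags that weaken Driver Signature Enforcement (a general DSE check; the article does not say which bypass ESPecter uses). It assumes an elevated session, that drive letter S: is free, and that Microsoft-signed binaries are the expected state.

```powershell
# Added defensive check (not from the ESET report). Assumptions: elevated PowerShell,
# drive letter S: is unused, and only Microsoft-signed .efi files are expected on the ESP.
$EspDrive = 'S:'
mountvol $EspDrive /S | Out-Null          # mount the (normally hidden) EFI System Partition

try {
    # 1. Secure Boot state: an unsigned boot-path component should not load when it is on.
    $secureBoot = Confirm-SecureBootUEFI -ErrorAction SilentlyContinue
    "Secure Boot enabled: $secureBoot"

    # 2. Signature and hash of every EFI binary on the partition.
    $results = Get-ChildItem "$EspDrive\EFI" -Recurse -Filter *.efi | ForEach-Object {
        $sig = Get-AuthenticodeSignature $_.FullName
        [PSCustomObject]@{
            Path    = $_.FullName
            Status  = $sig.Status
            Signer  = $sig.SignerCertificate.Subject
            SHA256  = (Get-FileHash $_.FullName -Algorithm SHA256).Hash   # keep as a baseline
            Trusted = ($sig.Status -eq 'Valid') -and ($sig.SignerCertificate.Subject -like '*Microsoft*')
        }
    }
    $results | Format-Table Path, Status, Trusted -AutoSize

    # 3. Windows Boot Manager specifically (the component the article says ESPecter modifies).
    $bootmgr = "$EspDrive\EFI\Microsoft\Boot\bootmgfw.efi"
    $bmSig   = Get-AuthenticodeSignature $bootmgr
    "bootmgfw.efi: $($bmSig.Status) / $($bmSig.SignerCertificate.Subject)"

    # 4. BCD settings that weaken Driver Signature Enforcement (general check).
    $bcd = bcdedit /enum '{current}' | Out-String
    if ($bcd -match 'testsigning\s+Yes' -or $bcd -match 'nointegritychecks\s+Yes') {
        'WARNING: DSE weakened via BCD (testsigning / nointegritychecks)'
    }

    $untrusted = $results | Where-Object { -not $_.Trusted }
    if ($untrusted) { "Untrusted EFI binaries found:"; $untrusted.Path }
}
finally {
    mountvol $EspDrive /D | Out-Null      # always unmount the ESP again
}
```

Export the `$results` objects to CSV on a known-good machine and diff them against later runs; a changed hash or a non-Microsoft signer on bootmgfw.efi is the signal to pull the partition image for forensic analysis.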

The post Security researchers find another UEFI bootkit used for cyber-espionage appeared first on The Record by Recorded Future.
