The rare UEFI bootkit drops a fully featured backdoor on PCs and gains the ultimate persistence by modifying the Windows Boot Manager.
A rare Windows UEFI bootkit malware has been discovered, offering attackers a path to cyber-espionage, researchers are warning.
According to ESET, the bootkit’s goal is to install a full featured backdoor on a target PC, which “supports a rich set of commands and contains various automatic data exfiltration capabilities, including document stealing, keylogging and monitoring of the victim’s screen by periodically taking screenshots.”
Startup Security Gets the Boot
The UEFI (Unified Extensible Firmware Interface) is the embedded firmware component in computing chips responsible for securing the computing environment upon startup and loading the operating system. As such, it’s an ideal place to plant malware to ensure its persistence, since UEFI loads no matter what changes or restarts the OS goes through.
The new malicious bootkit, which researchers at ESET have named ESPecter, camps out on the EFI System Partition (ESP) portion of the embedded technology. The ESP contains the boot loaders or kernel images that UEFI uses to start installed OSes and various utilities at boot time.
“Attackers [thus] achieve execution in the early stages of the system-boot process, before the operating system is fully loaded,” according to ESET’s ESPecter analysis, issued Tuesday. “This allows ESPecter to bypass Windows Driver Signature Enforcement (DSE) in order to execute its own unsigned driver at system startup.”
That driver then injects other user-mode components into specific system processes, researchers noted; and those in turn are used to hook up with a command-and-control (C2) server. After that connection is made, attackers can commence downloading and running additional malware or executing various commands to take full control of the machine.
Interestingly, ESET’s technical analysis of ESPecter shows that its beginnings stretch back to 2012 and using Master Boot Record (MBR) modification as its persistence method. But development has been fairly dormant: Since then, there have only been “insignificant changes” to the code, researchers said, until last year. That’s when its operators moved the malware from targeting legacy BIOS systems to modern UEFI systems.
A Look at ESPecter’s Implementation
Researchers aren’t sure yet how it’s distributed, but once ESPecter finds its way onto a PC, it begins its UEFI infection by modifying a legitimate Windows Boot Manager binary. This binary (bootmgfw.efi) is located on the ESP, according to ESET.
“In order to successfully drop its malicious payload, ESPecter needs to modify the Boot Manager in order to bypass integrity checks [that prevent execution of rogue bootkit elements],” researchers noted.
The Boot Manager is responsible for finding an installed OS within the ESP and transferring the execution task for that OS to a kernel loader. That OS kernel loader then loads and executes the next component in the boot chain – the Windows kernel itself, which contains the linchpin DSE security check mentioned earlier.
To get around the integrity checks and establish persistence during the startup process, ESPecter looks for byte patterns that identify various verification processes, and then it simply patches them. For instance, “ESPecter searches memory for BmFwVerifySelfIntegrity using various byte patterns and modifies this function in a way that it always returns zero, indicating that verification was successful,” researchers explained.
ESPecter also inserts a detour for the function responsible for the aforementioned transferring of execution to the OS kernel. That allows it to “patch the Windows kernel in memory, once it is loaded, but before it is executed,” according to the writeup. “The final stage of the bootkit’s boot code is responsible for disabling DSE by patching the SepInitializeCodeIntegrity kernel function.”
Then, it can seamlessly execute the driver that starts the rest of the ESPecter process.
ESPecter: Bent on Espionage
According to ESET, the driver’s main purpose is to load two different user-mode payloads (WinSys.dll and Client.dll) and to set up a keylogger that intercepts all keyboard activity. After that, it deletes itself.
The WinSys.dll payload periodically pings the C2 server (it finds its address in the malware’s configuration file) to download additional malware or carry out simple commands. The C2 can ask it to upload system information (CPU name, OS version, memory size, ethernet MAC address, list of installed software and so on), fetch and execute new files, restart the PC, or download a new configuration.
Client.dll is the more fully featured payload, which acts as a richly featured backdoor, according to ESET. It sets up its own encrypted communication channel with the C2, after which it waits for one of the following commands:
- Stop backdoor.
- Execute command line received from C2 and capture output using pipes.
- Execute power commands: Log off, power off, reboot or shutdown.
- Take screenshot of foreground window, full screenshot or change automatic screenshotting parameters., depending on the value of the parameter.
- Execute various file system operations.
- Upload collected data and files.
- Execute various service-related commands.
- Execute various process-related commands.
- Modify configuration values.
- Stop/start keylogger.
Defeating Secure Boot Protections
ESET researchers said that they don’t know how ESPecter is specifically distributed, but for initial compromise, it’s likely that it takes advantage of one of the various UEFI firmware vulnerabilities that allow disabling or bypassing Secure Boot.
Secure Boot is a security standard for PCs using UEFI that ensures that devices boot using only trusted software. For most computers, it’s the main barrier to compromise at the startup layer, and it must be disabled in order to successfully boot with a modified boot manager, ESET researchers noted.
“Though Secure Boot stands in the way of executing untrusted UEFI binaries from the ESP, over the last few years we have been witness to various [ways around it],” according to the analysis. “This shows that securing UEFI firmware is a challenging task and that the way various vendors apply security policies and use UEFI services is not always ideal.”
Other than exploiting a vulnerability, other possible scenarios for getting around Secure Boot include the following, according to the analysis:
- The attacker has physical access to the device (historically known as an “evil maid” attack) and manually disables Secure Boot in the BIOS setup menu. It is common for the firmware configuration menu to still be labeled and referred to as the “BIOS setup menu”, even on UEFI systems, ESET pointed out.
- Secure Boot was already disabled on the compromised machine (e.g., user might dual-boot Windows and other OSes that do not support Secure Boot).
- The first Windows version supporting Secure Boot was Windows 8, so machines running all previous versions are vulnerable to the attack.
Thus, keeping PCs up-to-date and correctly configured can help thwart an ESPecter attack.
Bootkits: A Rare Find
Malicious bootkits are rare to find in the wild, ESET noted, with “only three real-world cases of UEFI malware [having] been discovered” prior to ESPecter.
The first was LoJax, discovered by ESET in 2018. Believed to have been used by the Russian advanced persistent threat (APT) known as APT28 (aka Fancy Bear or Sofacy), LoJax is a modified version of Absolute Software’s LoJack recovery software for laptops. LoJack hides on a system’s UEFI and stealthily beacons its whereabouts back to the owner for possible physical recovery of the laptop. Unfortunately, a vulnerable 2009 version had several key bugs, chief among them a configuration module that was poorly secured with weak encryption – which the bad guys took advantage of in order to weaponize it.
Then there was MosaicRegressor, discovered by Kaspersky in 2019. It was spotted in the wild targeting diplomats and members of non-governmental organizations (NGOs) from Africa, Asia and Europe via email. All of the targets had ties to North Korea. MosaicRegressor is based on a customized version of the leaked source code of HackingTeam’s VectorEDK bootkit, according to an analysis at the time.
The third is a new version of the FinSpy surveillance kit uncovered by Kaspersky last week, which has a module that also compromises the Windows UEFI boot manager.
Even though fully fledged bootkits are few and far between, “in the last few years, we have seen proof-of-concept examples of UEFI bootkits (DreamBoot, EfiGuard), leaked documents (DerStarke, QuarkMatter) and even leaked source code (Hacking Team Vector EDK),” according to ESET researchers.
They added that more bootkits are sure to emerge: “It’s no surprise that such a widespread technology [as UEFI] has also become a tempting target for threat actors in their search for ultimate persistence,” they said.
Threatpost has reached out to ESET for details on campaign victimology and other in-the-wild attack details.
Check out our free upcoming live and on-demand webinar events – unique, dynamic discussions with cybersecurity experts and the SACUT community.