New UEFI bootkit used to backdoor Windows devices since 2012

guest · Oct 5, 2021

New UEFI bootkit used to backdoor Windows devices since 2012
October 5, 2021
https://www.bleepingcomputer.com/ne...-used-to-backdoor-windows-devices-since-2012/

A newly discovered and previously undocumented UEFI (Unified Extensible Firmware Interface) bootkit has been used by attackers to backdoor Windows systems by hijacking the Windows Boot Manager since 2012.

They provide threat actors with persistence and control over an operating systems' boot process, making it possible to sabotage OS defenses bypassing the Secure Boot mechanism if the system boot security mode is not properly configured. Enabling 'thorough boot' or 'full boot' mode would block such malware as the NSA explains).
Click to expand...

Persistence on the EFI System Partition
The bootkit, dubbed ESPecter by ESET researchers who found it, achieves persistence on the EFI System Partition (ESP) of compromised devices by loading its own unsigned driver to bypass Windows Driver Signature Enforcement.

"ESPecter was encountered on a compromised machine along with a user-mode client component with keylogging and document-stealing functionalities, which is why we believe ESPecter is mainly used for espionage," ESET security researchers Martin Smolár and Anton Cherepanov said.
Click to expand...

The malicious driver deployed on compromised Windows computers is used to load two payloads (WinSys.dll and Client.dll) that can also download and execute additional malware.

As the researchers found, WinSys.dll can exfiltrate system info, launch other malware downloaded from the C2 server, restart the PC using ExitProcess (only on Windows Vista), and get new configuration info and save it to the registry.
Client.dll, the second payload, acts as a backdoor with automatic data exfiltration capabilities, including keylogging, document stealing, and screen monitoring via screenshots.
Click to expand...

ESET also found ESPecter versions that target Legacy Boot modes and achieving persistence by altering the MBR code found in the first physical sector of the system disk drive.
Secure Boot doesn't really help
Patching the Windows Boot Manager (bootmgfw.efi) requires for Secure Boot (which helps check if the PC boots using trusted firmware) to be disabled.

As the researchers discovered, attackers have deployed the bootkit in the wild, which means they've found a method to toggle off Secure Boot on targeted devices.
Click to expand...

ESET: UEFI threats moving to the ESP: Introducing ESPecter bootkit

ESET researchers analyze a previously undocumented, real-world UEFI bootkit that persists on the EFI System Partition (ESP). The bootkit, which we’ve named ESPecter, can bypass Windows Driver Signature Enforcement to load its own unsigned driver, which facilitates its espionage activities. Alongside Kaspersky’s recent discovery of the unrelated FinSpy bootkit, it is now safe to say that real-world UEFI threats are no longer limited to SPI flash implants, as used by Lojax.
Click to expand...

xxJackxx · Oct 5, 2021

I hope English is not the primary language of the author and as such I don't want to pick on them too much but I found it a frustrating read. And yes, some of my posts here are no indication of perfect grammar but I am not writing a paid article.

Rasheed187 · Oct 10, 2021

Is it me, or isn't clearly explained how this bootkit would end up on a system? I assume hackers would still need to be able to run a malicious .exe file and this malware will have to install a malicious driver or at least modify the MBR and reboot the system? Also, in theory, anti malware tools should be able to block kernel mode keylogging. But it's of course easier said than done.

itman · Oct 10, 2021

Rasheed187 said: ↑

Is it me, or isn't clearly explained how this bootkit would end up on a system?
Click to expand...

If you read the article thoroughly, your answer is there:

As the researchers discovered, attackers have deployed the bootkit in the wild, which means they've found a method to toggle off Secure Boot on targeted devices.

Even though right now there's no hint of how the ESPecter operators achieved this, there are a few possible scenarios:

The attacker has physical access to the device (historically known as an "evil maid" attack) and manually disables Secure Boot in the BIOS setup menu (it is common for the firmware configuration menu to still be labeled and referred to as the "BIOS setup menu," even on UEFI systems).

Secure Boot was already disabled on the compromised machine (e.g., a user might dual-boot Windows and other OSes that do not support Secure Boot).

Exploiting an unknown UEFI firmware vulnerability that allows disabling Secure Boot.

Exploiting a known UEFI firmware vulnerability (e.g., CVE-2014-2961, CVE-2014-8274, or CVE-2015-0949) in the case of an outdated firmware version or a no-longer-supported product.

Publicly documented attacks using bootkits in the wild are extremely rare — the FinSpy bootkit used to load spyware, Lojax deployed by the Russian-backed APT28 hacker group, MosaicRegressor used by Chinese-speaking hackers, and the TrickBoot module used by the TrickBot gang.
Click to expand...

Also note this bootkit has been discovered on legacy systems via MBR modification. It is also much easy to hack the MBR than the UEFI.

Rasheed187 · Oct 12, 2021

itman said: ↑

If you read the article thoroughly, your answer is there. Also note this bootkit has been discovered on legacy systems via MBR modification. It is also much easy to hack the MBR than the UEFI.
Click to expand...

Yes, but they didn't mention anything about the malicious .exe that started this attack, or perhaps I need to read the article again.

Rasheed187 · Mar 4, 2023

Microsoft should really come up with something better to harden Windows 10/11 against these attacks. For now, it stays important to keep monitoring driver loading, but I'm guessing this can't easily be stopped.

BlackLotus UEFI bootkit can defeat Secure Boot protection

BlackLotus can also do its dirty deeds on a fully updated Windows 11 system. The Slovak security enterprise says the malware is the first publicly known threat designed to abuse the CVE-2022-21894 "Secure Boot Security Feature Bypass Vulnerability." Microsoft fixed this flaw in January 2022. However, bad actors can still exploit it using validly signed binary files not added to the UEFI revocation list.
Click to expand...

https://www.techspot.com/news/97791-blacklotus-uefi-bootkit-can-defeat-secure-boot-protection.html

BlackLotus claims to come with anti-virtual machine (anti-VM), anti-debug, and code obfuscation features to block malware analysis attempts. The seller also claims that security software cannot detect and kill the bootkit as it runs under the SYSTEM account within a legitimate process.

Even more, this tiny bootkit with a size of only 80 kb on disk after installation can disable built-in Windows security protection such as Hypervisor-Protected Code Integrity (HVCI) and Windows Defender and bypass User Account Control (UAC).
Click to expand...

https://www.bleepingcomputer.com/ne...-to-sell-new-blacklotus-windows-uefi-bootkit/

Log in or Sign up

New UEFI bootkit used to backdoor Windows devices since 2012

guest Guest

xxJackxx Registered Member

Rasheed187 Registered Member

itman Registered Member

Rasheed187 Registered Member

Rasheed187 Registered Member

Log in or Sign up

New UEFI bootkit used to backdoor Windows devices since 2012

guest Guest

xxJackxx Registered Member

Rasheed187 Registered Member

itman Registered Member

Rasheed187 Registered Member

Rasheed187 Registered Member

Useful Searches