The rare UEFI bootkit drops a fully featured backdoor on PCs and gains the ultimate persistence by modifying the Windows Boot Manager.
A rare Windows UEFI bootkit has been discovered in the wild, giving attackers a foothold for cyber-espionage that survives below the operating system, researchers are warning.
According to ESET, the bootkit’s goal is to install a full featured backdoor on a target PC, which “supports a rich set of commands and contains various automatic data exfiltration capabilities, including document stealing, keylogging and monitoring of the victim’s screen by periodically taking screenshots.”
Startup Security Gets the Boot
The UEFI (Unified Extensible Firmware Interface) is the firmware that runs when a PC is powered on: it initializes the hardware, optionally verifies the boot chain (Secure Boot) and hands control to the operating system's boot loader. Because that code executes before the OS on every single boot, it is an ideal place to plant malware for persistence: a bootkit runs again no matter what changes, reinstalls or restarts the OS goes through, and gaining control this early lets it tamper with the OS as it loads.
The new malicious bootkit, which researchers at ESET have named ESPecter, camps out on the EFI System Partition (ESP). The ESP is a small FAT-formatted partition on the system disk, not part of the motherboard's firmware flash; it holds the boot loaders or kernel images that UEFI uses to start installed OSes, along with various utilities run at boot time. On Windows that includes the Windows Boot Manager (bootmgfw.efi), which is the component ESPecter modifies.
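Because the ESP is an ordinary disk partition, an administrator can inspect it directly. The following PowerShell is an added example for this article, not code from ESET's report or from the malware analysis; it mounts the ESP, checks the Authenticode signature of the Windows Boot Manager (a patched bootmgfw.efi no longer carries a valid Microsoft signature), hashes every EFI binary for comparison against a known-good baseline, and reports whether Secure Boot is enforced, since a tampered Boot Manager would fail Secure Boot verification and so a bootkit of this kind needs Secure Boot off. The drive letter S: is an assumption; run it from an elevated prompt on a UEFI-booted Windows host.

```powershell
# Added example (not from the original article or ESET): audit the Windows Boot Manager
# on the EFI System Partition and confirm Secure Boot is on. Requires an elevated prompt.
# S: is an assumed, unused drive letter.
$espLetter = 'S:'

# mountvol /S assigns a drive letter to the EFI System Partition.
mountvol $espLetter /S

try {
    $bootMgr = Join-Path $espLetter 'EFI\Microsoft\Boot\bootmgfw.efi'

    # 1. Authenticode check: any patch to bootmgfw.efi breaks the Microsoft signature.
    $sig = Get-AuthenticodeSignature -FilePath $bootMgr
    "{0}: {1} ({2})" -f $bootMgr, $sig.Status, $sig.SignerCertificate.Subject
    if ($sig.Status -ne 'Valid') {
        Write-Warning "Boot Manager signature is $($sig.Status) - investigate before rebooting."
    }

    # 2. Hash and signature status of every EFI binary on the ESP, to diff against a
    #    baseline taken from a clean machine of the same Windows build.
    Get-ChildItem -Path (Join-Path $espLetter 'EFI') -Recurse -Filter '*.efi' |
        ForEach-Object {
            [pscustomobject]@{
                Path      = $_.FullName
                SHA256    = (Get-FileHash -Algorithm SHA256 -Path $_.FullName).Hash
                Signature = (Get-AuthenticodeSignature -FilePath $_.FullName).Status
            }
        } | Format-Table -AutoSize

    # 3. Secure Boot state: with Secure Boot enforced, firmware refuses to run an
    #    unsigned or modified Boot Manager, so "disabled" here is itself a finding.
    if (Confirm-SecureBootUEFI) { 'Secure Boot: enabled' } else { Write-Warning 'Secure Boot: DISABLED' }
}
finally {
    # Always detach the drive letter again so the ESP is not left exposed.
    mountvol $espLetter /D
}
```

Treat the hash listing as evidence to compare, not as a verdict on its own: Windows updates legitimately replace bootmgfw.efi, so the baseline must come from the same build. Confirm-SecureBootUEFI throws on machines booted in legacy BIOS mode, which is also worth knowing, because such a machine has no Secure Boot protection to begin with.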
“Attackers [thus] achieve execution in the early