ESPecter comes through the back door and bypasses classic virus protection solutions. ESET researchers have discovered a new form of UEFI malware. The new type of malware embeds itself in the EFI system partition (ESP).
With ESPecter, the experts from the European IT security manufacturer have discovered a so-called UEFI boot kit that bypasses the Windows driver signature and can load its own unsigned driver, which makes spying activities much easier. The current boot kit is a further development of the UEFI malware previously discovered by ESET. ESET security solutions with integrated UEFI scanners protect private and company computers from this possible weak point.
ESPecter has been active since 2012
“We were able to trace the roots of ESPecter back to 2012. The spy program was previously used for systems with outdated BIOS. Despite its long existence, ESPecter and its operations as well as the upgrade to UEFI went unnoticed for a long time, ”says ESET researcher Anton Cherepanov, who discovered the UEFI boot kit together with Martin Smolár.
Similar variant already in use earlier
ESPecter was discovered on a compromised computer along with a keylogging and document theft function. For this reason, ESET researchers believe that ESPecter is mainly used for espionage purposes. Using ESET telemetry, ESET researchers were able to date the beginnings of this boot kit back to at least 2012. It is interesting that the components of the malware have hardly changed over the years. The differences between the 2012 and 2020 versions are not as significant as one would expect. After all these years of rather insignificant changes, the developers behind ESPecter have apparently decided to convert their malware from outdated BIOS systems to modern UEFI systems.
Tips to protect against UEFI bootkits
“ESPecter shows that the developers behind the malware rely on nesting in the UEFI firmware and carry it out despite existing security mechanisms. Such techniques can easily be blocked with UEFI Secure Boot, ”continues Martin Smolár. To protect themselves from ESPecter or similar threats, ESET advises users to follow these simple rules:
- Always use the latest firmware version.
- Make sure the system is properly configured and Secure Boot is enabled.
- Configure Privileged Account Management (PAM) in your company to prevent attackers from accessing privileged accounts that are required for installing the boot kit.
The use of a security solution with a UEFIScanner also protects against such threats. ESET has integrated this technology into its endpoint security solutions for businesses and private users as standard.
More at ESET.com
About ESET ESET is a European company with headquarters in Bratislava (Slovakia). ESET has been developing award-winning security software since 1987 that has already helped over 100 million users enjoy secure technology. The broad portfolio of security products covers all common platforms and offers companies and consumers worldwide the perfect balance between performance and proactive protection. The company has a global sales network in over 180 countries and branches in Jena, San Diego, Singapore and Buenos Aires. For more information, visit www.eset.de or follow us on LinkedIn, Facebook and Twitter.