ESpecter Bootkit Has Been Planting Backdoors Since 2012

ESpecter is a malicious implant that has been identified as a bootkit. Although this malware was identified only recently, it has been active since 2012, which shows how stealthy it can be. Of course, its ability to evade security tools is not the only reason for this: it has not been used in large-scale attacks either. Instead, its creators appear to have used the ESpecter bootkit in targeted attacks against a very limited number of victims.

Over the past decade, specific components of ESpecter have undergone major changes to keep them compatible with current computer systems. For example, older variants worked by infiltrating the BIOS and the Master Boot Record (MBR). Contemporary systems, however, use the Unified Extensible Firmware Interface (UEFI) prior to loading the OS, which is why later versions of ESpecter focus on infiltrating the UEFI component instead.

What Malware Did the ESpecter Bootkit Deploy?

Typically, bootkits are used in combination with other high-profile malware that is difficult to detect. In these campaigns, the criminals often used a custom-built backdoor that ESpecter loaded automatically. Through this backdoor, the criminals were able to steal files, record keystrokes, and execute remote commands. These capabilities suggest that the purpose of the ESpecter campaigns was espionage.

One interesting detail about the ESpecter attack is that it only works on systems that have the Secure Boot feature disabled. This feature was introduced in Windows 8, so all machines running Windows 8 or newer could be safe from ESpecter thanks to Secure Boot. There is not enough information about the specific methods used to plant ESpecter on computers. Experts suggest that the attackers may have had physical access to their victims' machines, or that they have access to unknown vulnerabilities in UEFI services.
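The two preconditions described above (a legacy BIOS/MBR boot path for the older variants, or UEFI with Secure Boot disabled for the newer ones) can be checked from the defender's side. The following PowerShell script is an added example and is not code from the article; it assumes a Windows 8 / Server 2012 or newer host, an elevated session, and the built-in `Confirm-SecureBootUEFI` and `Get-Disk` cmdlets.

```powershell
# Added example (not from the article): report whether this host is in a state
# an ESpecter-style bootkit requires. Run from an elevated PowerShell session.
function Get-BootkitExposure {
    # Windows 8+ sets firmware_type to "UEFI" or "Legacy" at boot.
    $firmware = $env:firmware_type
    if (-not $firmware) { $firmware = 'Unknown' }

    # Partition style of the boot disk: MBR (legacy variants) or GPT (UEFI).
    $bootDisk = Get-Disk | Where-Object { $_.IsBoot } | Select-Object -First 1
    $partStyle = if ($bootDisk) { $bootDisk.PartitionStyle } else { 'Unknown' }

    # Confirm-SecureBootUEFI returns $true/$false on UEFI firmware and throws
    # when the platform does not support Secure Boot at all (treated as off).
    $secureBoot = $null
    if ($firmware -eq 'UEFI') {
        try { $secureBoot = [bool](Confirm-SecureBootUEFI) }
        catch { $secureBoot = $false }
    }

    $exposure = switch ($true) {
        ($firmware -eq 'Legacy')  { 'Exposed: legacy BIOS/MBR boot (no Secure Boot possible)'; break }
        ($secureBoot -eq $false)  { 'Exposed: UEFI boot with Secure Boot disabled'; break }
        ($secureBoot -eq $true)   { 'Mitigated: Secure Boot enabled'; break }
        default                   { 'Unknown: could not determine firmware state' }
    }

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        FirmwareType   = $firmware
        PartitionStyle = $partStyle
        SecureBoot     = $secureBoot
        Exposure       = $exposure
    }
}

Get-BootkitExposure | Format-List
```

Hosts reported as "Exposed" are candidates for enabling Secure Boot (after converting MBR disks to GPT where needed) and for firmware-integrity monitoring.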

By Ruik
November 24, 2021