With modern computers now running on UEFI boot technology, the 10-year-old code was updated but without addressing Secure Boot safeguards.

A previously undocumented real-world UEFI bootkit that persists on the EFI System Partition (ESP) has been discovered by cyber researchers.

The bootkit (an advanced form of rootkit) can bypass Windows Driver Signature Enforcement to load its own unsigned driver, thereby facilitating espionage activities. It is the second UEFI specimen persisting on the ESP and shows how real-world UEFI threats are no longer limited to SPI flash implants as used by Lojax, which was discovered by ESET in 2018.

The current bootkit was also discovered by ESET, which has named it ESPecter. The bootkit was discovered on a compromised machine along with a user-mode client component with keylogging and document-stealing functionalities, which is why ESET believes ESPecter is mainly used for espionage.

ESPector’s roots can apparently be traced back to at least 2012: it was previously operating as a bootkit for systems with legacy BIOSes. Despite ESPecter’s long lineage, its operations and upgrade to the UEFI platform had gone unnoticed and undocumented until now, according to the researchers.

What is interesting is that the malware’s components have barely changed over all these years, and the differences between the 2012 and 2020 versions are not as significant as one would expect. After all the years of insignificant changes in system booting technology, the threat actors behind ESPecter apparently decided just moved their malware from legacy BIOS systems to modern UEFI systems.

Once ESPector has been executed at boot, its payload is a backdoor that supports a rich set of commands for various automatic data exfiltration capabilities, including document stealing, keylogging, and monitoring of the victim’s screen by periodically taking screenshots. All of the collected data is stored in a hidden directory.

Existing security mechanisms like UEFI Secure Boot, if enabled and configured correctly, can stop bootkits such as ESPecter.