ESPecter is a bootkit that is installed into the system by compromising the Windows Boot Manager. ESET analysts claim that this is the second bootkit in history that uses ESP as an entry point.
According to the research of specialists, ESPecter was created back in 2012. Then the malware was used exclusively for attacks on systems with BIOS. Only in 2020, developers rewrote the bootkit for attacks on UEFI. Comparing the versions with each other, ESET researchers noticed an interesting feature – for 8 years, the malware components have hardly changed.
In the podcast, experts discussed how to install a bootkit into the system. According to experts, after starting the installation process, the initial components of ESPecter modify the Windows Boot Manager component and bypass the Windows Driver Signature Enforcement (DSE) in order to load and run an unsigned malicious driver — the actual payload of the ESPecter bootkit. This driver contains two components — WinSys.dll and Client.dll which attackers use to search for confidential files on the local system, periodically create screenshots and launch a keylogger.
At the end of the podcast, experts gave recommendations on protection against bootkits. Here is a short list of them:
Always use the latest firmware version;
Do not disable Secure Boot mode;
Keep an eye on the system settings.