ESPecter

“ESPecter leverages several Windows APIs: VirtualAlloc, WriteProcessMemory, and CreateRemoteThread for process injection.”

“DefaultConfig value in HKLM\SYSTEM\CurrentControlSet\Control registry… can be used… to store configuration.”

Secure Boot is designed to thwart UEFI bootkits, a form of malware that alters the Unified Extensible Firmware Interface, the successor to the BIOS, both of which begin the initial boot sequence. Because these bootkits load before the OS and most other code, they can be difficult to detect.

“ESET researchers have analyzed a previously undocumented, real-world UEFI bootkit that persists on the EFI System Partition (ESP)… Today, we describe our recent discovery of ESPecter… a UEFI bootkit persisting on the ESP in the form of a patched Windows Boot Manager…”

“ESPecter replaces the legitimate null.sys or beep.sys driver with its own malicious one in order to be executed on system startup.”

“Execution of both WinSys.dll and Client.dll libraries is achieved by injecting them into svchost.exe and winlogon.exe… NotifyRoutine hooks the entry point… responsible for loading and executing the appropriate payload DLL.”

“ESPecter replaces the legitimate null.sys or beep.sys driver with its own malicious one in order to be executed on system startup.”

“WinSys.dll is an MPRESS-packed DLL embedded in the driver’s binary in an encrypted form.”

“installers… copy cmd.exe to con1866.exe to evade detection.”

“Execution of both WinSys.dll and Client.dll libraries is achieved by injecting them into svchost.exe and winlogon.exe… NotifyRoutine hooks the entry point… responsible for loading and executing the appropriate payload DLL.”

“ESPecter uses single-byte XOR with subtraction to decrypt user-mode payloads… configuration… one-byte XOR key… Base64 decodes… XORs…”

“can be configured to postpone C&C communication after execution or to communicate… only in a specified time range.”

Secure Boot is designed to thwart UEFI bootkits, a form of malware that alters the Unified Extensible Firmware Interface, the successor to the BIOS, both of which begin the initial boot sequence. Because these bootkits load before the OS and most other code, they can be difficult to detect.

“ESET researchers have analyzed a previously undocumented, real-world UEFI bootkit that persists on the EFI System Partition (ESP)… Today, we describe our recent discovery of ESPecter… a UEFI bootkit persisting on the ESP in the form of a patched Windows Boot Manager…”

“Client.dll component creates hidden directories to store collected data.”

“Legacy Boot versions use unallocated disk space located right after the MBR to store its code, configuration and malicious driver… configuration… stays hidden in sector 5 of the compromised disk.”

“DefaultConfig value in HKLM\SYSTEM\CurrentControlSet\Control registry… can be used… to store configuration.”

“ESPecter patches Windows kernel function SepInitializeCodeIntegrity directly in memory to disable Driver Signature Enforcement (DSE).”

“it looks for byte patterns identifying the desired functions in memory and patches them accordingly… patching the BmFwVerifySelfIntegrity function… patches… OslArchTransferToKernel… disabling DSE by patching the SepInitializeCodeIntegrity kernel function.”

“Interception of keystrokes is done by setting up CompletionRoutine for IRP_MJ_READ requests for the keyboard driver object \Device\KeyboardClass0… Client… register its logging function by sending IOCTL 0x22C004.”

“reports foreground window names along with keylogger information to provide application context.”

“check for installed software under… HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall.”

“Client.dll component can list running processes and their loaded modules.”

“Upload various system info (CPU name, OS version, memory size, ethernet MAC address, list of installed software, etc.).”

“Client.dll component can list file information for specific directories.”

“detects the insertion of new devices by listening for the WM_DEVICECHANGE window message.”

“WinSys.dll component can use GetLocalTime for time discovery.”

“can be configured to postpone C&C communication after execution or to communicate… only in a specified time range.”

“can collect files with specified extension from removable drives.”

“Interception of keystrokes is done by setting up CompletionRoutine for IRP_MJ_READ requests for the keyboard driver object \Device\KeyboardClass0… Client… register its logging function by sending IOCTL 0x22C004.”

“collected data is stored in a hidden directory, with separate subdirectories for each data source.”

“monitoring of the victim’s screen by periodically taking screenshots.”

“automatic data exfiltration capabilities including document stealing, keylogging, and… screenshots… stored in a hidden directory.”

“WinSys.dll communicates with its C&C using HTTPS… https://<ip>/Heart.aspx?…”

“For communication with the C&C, it uses the TCP protocol…”

“user-mode components use separate C&C channels.”

“download and run additional malware… WinSys… Download or download and execute file… Client… ability to download and execute additional payloads.”

“uses the TCP protocol with single-byte XOR encryption… key… 0x66… watermark/tag… WBKP…”

“creates a thread to automatically upload collected data to the C&C.”

“set to upload collected data to the C&C every five seconds.”

“exfiltrates data over the same channel used for C&C.”

“This allows ESPecter to bypass Windows Driver Signature Enforcement (DSE) in order to execute its own unsigned driver at system startup… disabling DSE by patching the SepInitializeCodeIntegrity kernel function.”