ESPecter: UEFI Bootkit that targets EFI System Partition (ESP)

ESET discovered a UEFI bootkit it calls “ESPecter”, so named because it targets the EFI System Partition (ESP). Instead of targeting the UEFI firmware image itself (stored in SPI flash on the motherboard), as some other firmware implants do, ESPecter targets the bootloader stored on the hard drive. Once ESPecter finds its way onto a PC, it begins its UEFI infection by modifying the legitimate Windows Boot Manager binary, bootmgfw.efi, which is located on the ESP.
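As an added example (not code from ESET or from this page), here is a Python check a defender can run over a copy of bootmgfw.efi taken from the mounted ESP: it compares the file's SHA-256 against a known-good baseline and parses the PE headers to confirm the Authenticode certificate table is still present, since patching the boot manager in place leaves a mismatched hash and frequently a missing or broken signature. The sample PE image and the baseline hash are constructed inline so the script runs offline; in practice the baseline comes from a clean install or the matching Windows Update package.

```python
import hashlib
import struct

def authenticode_table(data: bytes):
    """Return (file_offset, size) of the PE certificate table, or None if absent or malformed."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        return None
    opt_off = pe_off + 4 + 20  # skip the PE signature and the 20-byte COFF file header
    if len(data) < opt_off + 2:
        return None
    magic = struct.unpack_from("<H", data, opt_off)[0]
    if magic == 0x20B:         # PE32+, as used by the 64-bit Windows Boot Manager
        dirs_off = opt_off + 112
    elif magic == 0x10B:       # PE32
        dirs_off = opt_off + 96
    else:
        return None
    entry = dirs_off + 4 * 8   # data directory index 4 = IMAGE_DIRECTORY_ENTRY_SECURITY
    if len(data) < entry + 8:
        return None
    offset, size = struct.unpack_from("<II", data, entry)  # for this entry the VA is a file offset
    if size == 0 or offset + size > len(data):
        return None
    return offset, size

def inspect_boot_manager(data: bytes, baseline_sha256: str) -> dict:
    """Compare an ESP boot manager image against a known-good hash and check for a certificate table."""
    digest = hashlib.sha256(data).hexdigest()
    return {
        "sha256": digest,
        "matches_baseline": digest == baseline_sha256.lower(),
        "has_authenticode": authenticode_table(data) is not None,
    }

def build_sample_image(with_cert: bool) -> bytes:
    """Constructed minimal PE32+ image for offline demonstration; not a real boot manager."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)  # e_lfanew -> 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)  # x64, 240-byte optional header
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)
    headers = dos + b"PE\0\0" + coff
    cert_blob = b"\0" * 16 + b"CONSTRUCTED-CERT-TABLE"  # placeholder WIN_CERTIFICATE, not a real signature
    if not with_cert:
        return headers + bytes(opt)
    struct.pack_into("<II", opt, 112 + 4 * 8, len(headers) + 240, len(cert_blob))
    return headers + bytes(opt) + cert_blob
```

A present certificate table only shows that a signature blob is still attached; full verification of the chain against Microsoft's signing certificate (for example with Get-AuthenticodeSignature on the copied file) is the second step.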

ESPecter’s origins stretch back to at least 2012, and it is mainly used for cyber-espionage such as document stealing, keylogging and monitoring of the victim’s screen by periodically taking screenshots.
