New UEFI bootkit used to backdoor Windows devices since 2012
Security News, October 2021
A newly discovered and previously undocumented UEFI bootkit has been used by attackers to backdoor Windows systems by hijacking the Windows Boot Manager since 2012.
Bootkits are malicious code planted in firmware or in the early boot chain (here, the Windows Boot Manager). Because the malware is designed to load before everything else, in the initial stage of the boot sequence, it is invisible to security software that only runs once the operating system is up.
Patching the Windows Boot Manager requires Secure Boot to be disabled: a modified boot manager no longer carries a valid signature, and firmware with Secure Boot enabled will refuse to load it.
As the researchers discovered, attackers have deployed the bootkit in the wild, which means they have found a way to turn Secure Boot off on targeted devices.
One possibility is exploiting an unknown UEFI firmware vulnerability that allows Secure Boot to be disabled.
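The two facts above (Secure Boot must be off, and the boot manager on the EFI System Partition is the file that gets patched) translate directly into a check a defender can run. The following PowerShell script is an added example, not code from the article or from the researchers who found the bootkit. It assumes an elevated prompt on a UEFI Windows machine, that the drive letter S: is free for mounting the EFI System Partition, and that the pristine boot manager copy Windows keeps under C:\Windows\Boot\EFI\bootmgfw.efi has not itself been tampered with; the hash comparison against that copy is a heuristic, so a mismatch is a prompt to investigate, not proof of compromise.

```powershell
# Added example (not from the article): report whether this machine is in the
# state the described bootkit needs (Secure Boot disabled) and whether the
# Windows Boot Manager on the EFI System Partition is still Microsoft-signed.
# Run from an elevated PowerShell prompt on a UEFI system.

$espLetter = 'S:'                                   # assumption: S: is unused
$espBootMgr = "$espLetter\EFI\Microsoft\Boot\bootmgfw.efi"
$refBootMgr = "$env:SystemRoot\Boot\EFI\bootmgfw.efi"  # reference copy Windows keeps

# 1. Secure Boot state. Confirm-SecureBootUEFI returns $true/$false on UEFI
#    firmware and throws on legacy BIOS/CSM boot, where Secure Boot does not exist.
try {
    $secureBootOn = Confirm-SecureBootUEFI
} catch {
    $secureBootOn = $null
}

# 2. Mount the EFI System Partition (mountvol /S mounts the ESP of the boot disk).
mountvol $espLetter /S
if (-not (Test-Path $espBootMgr)) {
    mountvol $espLetter /D
    throw "Boot manager not found at $espBootMgr"
}

# 3. Authenticode signature of the on-ESP boot manager. A patched binary will
#    show Status 'HashMismatch' or 'NotSigned' rather than 'Valid'.
$sig = Get-AuthenticodeSignature -FilePath $espBootMgr

# 4. Hash the ESP copy and the reference copy. A difference is a heuristic
#    signal only; the two can legitimately differ after some servicing events.
$espHash = (Get-FileHash -Algorithm SHA256 -Path $espBootMgr).Hash
$refHash = if (Test-Path $refBootMgr) {
    (Get-FileHash -Algorithm SHA256 -Path $refBootMgr).Hash
} else { $null }

mountvol $espLetter /D                              # unmount the ESP again

$report = [pscustomobject]@{
    SecureBootEnabled   = $secureBootOn
    BootMgrSigStatus    = $sig.Status
    BootMgrSigner       = $sig.SignerCertificate.Subject
    BootMgrSha256       = $espHash
    ReferenceSha256     = $refHash
    MatchesReference    = ($refHash -ne $null -and $espHash -eq $refHash)
}

# Findings that match the preconditions the article describes.
$findings = @()
if ($secureBootOn -ne $true)            { $findings += 'Secure Boot is not enabled' }
if ($sig.Status -ne 'Valid')            { $findings += "Boot manager signature status: $($sig.Status)" }
if ($sig.SignerCertificate.Subject -notmatch 'Microsoft') {
    $findings += 'Boot manager is not signed by Microsoft'
}
if ($refHash -and -not $report.MatchesReference) {
    $findings += 'ESP boot manager differs from the reference copy under C:\Windows\Boot\EFI'
}

$report | Format-List
if ($findings.Count -gt 0) {
    Write-Warning ("Investigate: " + ($findings -join '; '))
} else {
    Write-Output 'No indicators found: Secure Boot on, boot manager validly signed by Microsoft.'
}
```

On a clean machine the signature status is Valid with a Microsoft signer and Secure Boot reports True. Secure Boot off on a device that is supposed to run with it on, or a boot manager whose signature no longer verifies, are exactly the conditions the article says this bootkit depends on, and each deserves a closer look at the ESP (for example, comparing the full contents of EFI\Microsoft\Boot against a known-good system).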
Publicly documented attacks using bootkits in the wild are extremely rare: the FinSpy bootkit used to load spyware, LoJax deployed by the Russian-backed APT28 hacker group, MosaicRegressor used by Chinese-speaking hackers, and the TrickBoot module used by the TrickBot gang.