Sunday 16 March 2025
Computer security is a complex and constantly changing landscape, where new threats keep emerging and existing ones adapt to evade detection. One of the most insidious and hardest-to-detect classes of malware is the UEFI bootkit, malicious software that can compromise even well-defended systems.
UEFI bootkits operate at the firmware level, which means they can persist even after the operating system has been reinstalled or the disk replaced. They do this by exploiting vulnerabilities in the Unified Extensible Firmware Interface (UEFI), the specification for the firmware that initialises a device's hardware and hands control to the operating system.
Once installed, a UEFI bootkit can hijack the boot process and load its malware into memory before the operating system has even started. Because the bootkit is already in control before any antivirus program runs, that program may not be able to detect the malware until it is too late.
One of the most notable examples of a UEFI bootkit is MoonBounce, discovered by Kaspersky in 2021. This malware targets Windows systems and persists even after the operating system has been reinstalled or the disk replaced, because it modifies the CORE_DXE firmware component in SPI flash, allowing it to load malware into memory before the operating system boots.
Another example is CosmicStrand, discovered by researchers at Kaspersky and Symantec. This malware targets ASUS and Gigabyte motherboards and can infect systems even if they have previously been cleaned of malware. It does this by setting hooks in the OS loader and the Windows kernel, allowing it to communicate with a command-and-control server for payload delivery.
Glupteba is another UEFI bootkit discovered in recent years. This malware targets Windows systems and implants a custom Windows Boot Manager together with EfiGuard in the EFI System Partition (ESP) to disable PatchGuard and Driver Signature Enforcement (DSE). This allows it to persist even after the operating system has been reinstalled or the disk replaced.
The discovery of these UEFI bootkits highlights the need for robust security measures against this class of threat. One such measure is a secure boot mechanism, such as Trusted Boot, which verifies the firmware and operating system components before they are loaded into memory.
Another important step is to keep software up to date with the latest patches and updates, which helps prevent the vulnerabilities that UEFI bootkits rely on from being exploited.
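As an added example that is not part of the article, the following Python check pairs with the two points above from the defender's side: it decodes the SecureBoot variable as Linux exposes it in efivarfs, and it baselines the EFI binaries on the ESP so that an implanted or replaced boot manager, like the one described for Glupteba, shows up as a diff against a known-good baseline. The efivarfs path, the ESP layout and the file contents in `demo()` are assumptions and constructed sample data.

```python
import hashlib
import struct
import tempfile
from pathlib import Path

# Assumption: on Linux the SecureBoot variable is exposed by efivarfs at this path
# as a 4-byte little-endian attribute header followed by the 1-byte value.
SECUREBOOT_VAR = "/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"

def secure_boot_enabled(efivar_bytes: bytes) -> bool:
    """Decode an efivarfs record of the SecureBoot variable; True when the value byte is 1."""
    if len(efivar_bytes) < 5:
        raise ValueError("too short for an efivarfs record")
    _attrs, value = struct.unpack_from("<IB", efivar_bytes)
    return value == 1

def hash_esp(esp_root: Path) -> dict[str, str]:
    """Map every .efi binary under the ESP root (as a relative POSIX path) to its SHA-256."""
    hashes = {}
    for path in sorted(esp_root.rglob("*")):
        if path.is_file() and path.suffix.lower() == ".efi":
            hashes[path.relative_to(esp_root).as_posix()] = hashlib.sha256(path.read_bytes()).hexdigest()
    return hashes

def diff_baseline(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Report boot binaries that appeared, vanished or changed since the baseline was taken."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p]),
    }

def demo() -> dict[str, list[str]]:
    """Run the check against a constructed ESP layout in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        esp = Path(tmp)
        bootmgr = esp / "EFI/Microsoft/Boot/bootmgfw.efi"   # usual Windows Boot Manager location
        bootmgr.parent.mkdir(parents=True)
        bootmgr.write_bytes(b"MZ constructed boot manager image")
        (esp / "EFI/Boot").mkdir()
        (esp / "EFI/Boot/bootx64.efi").write_bytes(b"MZ constructed fallback loader")
        baseline = hash_esp(esp)                 # would be taken on a known-good system
        # Exercise the detector: one binary replaced, one unexpected binary appears.
        bootmgr.write_bytes(b"MZ constructed replacement image")
        (esp / "EFI/Boot/extra.efi").write_bytes(b"MZ constructed unexpected binary")
        return diff_baseline(baseline, hash_esp(esp))

if __name__ == "__main__":
    print(demo())
```

On a live Linux host, pass `Path(SECUREBOOT_VAR).read_bytes()` to `secure_boot_enabled()` and point `hash_esp()` at the mounted ESP (commonly `/boot/efi`), storing the baseline somewhere the firmware cannot reach.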
Cite this article: “UEFI Bootkits: A Growing Threat to Computer Security”, The Science Archive, 2025.
UEFI, Malware, Firmware, Bootkit, Antivirus, Operating System, Kaspersky, CosmicStrand, Glupteba, Secure Boot