Security researchers have discovered the first UEFI rootkit ever found in the wild, named LoJax, used by the threat actor group Sednit. A UEFI (Unified Extensible Firmware Interface) rootkit is a piece of malware that is hard to detect and is capable of surviving security measures such as operating system reinstallation and hard disk replacement. According to ESET security researchers, the UEFI rootkit was seen in a campaign by the Sednit APT group targeting a few government organisations in the Balkans as well as in Central and Eastern Europe. “Some UEFI rootkits have been presented as proofs of concept; some are known to be at the disposal of (at least some) governmental agencies. However, no UEFI rootkit has ever been detected in the wild – until we discovered a campaign by the Sednit APT group that successfully deployed a malicious UEFI module on a victim’s system,” the ESET researchers said in their published analysis. The researchers said that they discovered various tools which are able to access and patch UEFI/BIOS settings on the systems targeted in this campaign.
How the LoJax UEFI rootkit works
In this campaign, three different types of tools were discovered on the targeted systems. The first is used for collecting information about the system firmware; the second saves an image of the system firmware to a file by reading the contents of the SPI flash memory where the UEFI/BIOS is located. The third tool installs the UEFI rootkit on the victim system by injecting a malicious UEFI module into the firmware image and writing it back to the SPI flash memory.
“This patching tool uses different techniques either to abuse misconfigured platforms or to bypass platform SPI flash memory write protections.” If the platform does not allow write operations to the SPI flash memory, the attackers exploit a known vulnerability to carry out the write. After adding the UEFI rootkit to the firmware image, it downloads the malware into the Windows operating system and makes sure it is executed at startup.
How to protect yourself against the LoJax UEFI rootkit
Since Sednit’s UEFI rootkit is not properly signed, you can protect yourself from the LoJax UEFI rootkit by enabling the Secure Boot mechanism, which checks whether each component loaded by the firmware is properly signed. Make sure that your motherboard firmware is updated to the latest version available. If you are infected with the UEFI rootkit, the only way to remove it is to reflash the SPI flash memory with a clean image specific to the motherboard; this is a process which has to be done manually. The other option is to replace the motherboard of the infected system with a new one. For more details regarding the LoJax UEFI rootkit, you can read the analysis by ESET researchers here.
“The discovery of the first in-the-wild UEFI rootkit is notable for two reasons. First, it shows that UEFI rootkits are a real threat and not merely an attractive conference topic. And second, it serves as a heads-up, especially to all those who might be in the crosshairs of Sednit. This APT group, also known as APT28, STRONTIUM, Sofacy and Fancy Bear, may be even more dangerous than previously thought.”
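The two defensive checks the article recommends, verifying that Secure Boot is enforced and comparing an SPI flash dump with a clean image, as an added Python example that is not part of the article or of ESET's tooling. It assumes a Linux host exposing the UEFI variable through efivarfs (the SecureBoot variable path below is the standard one); the firmware dump and its known-good hash are constructed sample values.

```python
"""Defender-side checks for a LoJax-style firmware implant (added example)."""
import hashlib
import os
from typing import Optional

# Linux efivarfs exposes each UEFI variable as <Name>-<VendorGUID>; the GUID
# below is EFI_GLOBAL_VARIABLE, under which firmware publishes SecureBoot.
SECUREBOOT_EFIVAR = ("/sys/firmware/efi/efivars/"
                     "SecureBoot-8be4df61-93ca-11d2-aa0d-00e0098032b8")


def parse_secureboot_var(raw: bytes) -> bool:
    """Decode an efivarfs SecureBoot file: 4 bytes of variable attributes,
    then one data byte where 1 means Secure Boot is enforced and 0 means
    the signature check the article relies on is switched off."""
    if len(raw) < 5:
        raise ValueError("efivar too short: %d bytes" % len(raw))
    return raw[4] == 1


def secure_boot_enabled(path: str = SECUREBOOT_EFIVAR) -> Optional[bool]:
    """True/False from the live variable; None when the machine is not
    UEFI-booted or efivarfs is not mounted, which is itself worth flagging."""
    if not os.path.exists(path):
        return None
    with open(path, "rb") as f:
        return parse_secureboot_var(f.read())


def firmware_dump_matches(dump: bytes, known_good_sha256: str) -> bool:
    """Compare a raw SPI flash dump with the hash of a clean vendor image for
    the same board. A mismatch means the flash content differs from the
    reference and the board should be reflashed with the clean image."""
    return hashlib.sha256(dump).hexdigest().lower() == known_good_sha256.lower()


# Constructed samples (not real firmware): attributes 0x06 (BS|RT) + value.
SAMPLE_SECUREBOOT_ON = b"\x06\x00\x00\x00\x01"
SAMPLE_SECUREBOOT_OFF = b"\x06\x00\x00\x00\x00"
CLEAN_IMAGE = b"constructed-clean-firmware-image"
CLEAN_SHA256 = hashlib.sha256(CLEAN_IMAGE).hexdigest()
TAMPERED_IMAGE = CLEAN_IMAGE + b"injected-uefi-module"

if __name__ == "__main__":
    print("Secure Boot on this host:", secure_boot_enabled())
    print("sample dump matches clean image:",
          firmware_dump_matches(TAMPERED_IMAGE, CLEAN_SHA256))
```

On a real host, point `firmware_dump_matches` at a dump taken with the board vendor's flashing utility and at the hash of the matching clean image from the vendor.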