The Gospel Truth of LoJax: Researchers Come Across A UEFI Rootkit in The Wild

Security researchers at ESET have reported the discovery of the first Unified Extensible Firmware Interface (UEFI) rootkit found in the wild, called LoJax, and attribute it to the Russian APT group Sednit, also known as APT28 and Fancy Bear.


What is a Malware?

Malware is software built to subvert a computer against the interests of its owner. One common use is turning the machine into a bot, which then carries out automated tasks over the internet without the owner ever knowing. Large numbers of such bots form a botnet, which can be used for purposes such as distributing spam, attacking servers and spreading further malware. The Cutwail botnet, for instance, has been used to distribute financial malware such as Zeus and its Gameover Zeus variant.

The newly reported rootkit is a different class of threat. The Russian APT group Sednit, also known as APT28 and Fancy Bear, is strongly suspected of being behind it. Because the rootkit lives in the system firmware rather than on disk, it survives on an infected machine even if the hard drive is replaced or the operating system is reinstalled.

The researchers who exposed the rootkit explained that this is the first time a UEFI rootkit has been found in active use. UEFI, the Unified Extensible Firmware Interface, is the specification that defines the software interface between platform firmware and the operating system. By implanting themselves this deep in the computer, the attackers gain very strong persistence and can remain unseen for long periods of time.

In a blog post and a white paper presented at an industry security conference, ESET reported that the rootkit, named LoJax, has already been used silently against government organizations in Central Europe, Eastern Europe and the Balkans.

The chief component of the LoJax rootkit is a trojanized version of Absolute Software's LoJack anti-theft agent, as previously reported. The legitimate LoJack agent ships pre-installed in the firmware of many computers and laptops as a BIOS/UEFI module, so that lost or stolen machines can be tracked down. LoJax is its evil twin: the same agent, re-coded so that instead of contacting Absolute Software's server it reports to a malicious command-and-control server.

According to ESET, the attackers deploy this trojanized agent together with a set of additional tools, among them RwDrv.sys, the signed kernel driver that ships with the RWEverything utility and gives user-mode code read and write access to PCI configuration space, I/O ports and memory. One of these tools uses it to read the computer's low-level system settings, in particular chipset registers that govern UEFI/BIOS flash access, and dumps them to a text file.

ESET explains in the blog post: "Since bypassing a platform's protection against illegitimate firmware updates is highly platform-dependent, gathering information about a system's platform is crucial."

ESET continues: "Another tool is designed to save a firmware image to a file by reading the contents of the SPI flash memory where the UEFI/BIOS is located. The UEFI rootkit added to the firmware image has a single role: dropping the userland malware onto the Windows operating system partition and making sure that it is executed at startup."

The researchers link LoJax to Sednit with confidence because it shares its command-and-control domains with the group's SedUploader first-stage backdoor, and because the systems targeted by LoJax also showed traces of other Sednit tooling, namely the Xtunnel network proxy tool and the XAgent backdoor.

How to safeguard yourself?

ESET advises users to enable Secure Boot, which is the first line of defence here because the LoJax UEFI module is not properly signed and Secure Boot refuses to load it; to run the most recent UEFI/BIOS available for their machine, since it is the firmware that must lock the SPI flash against writes from the operating system; and to prefer modern chipsets with a Platform Controller Hub, which provide those flash write-protection mechanisms. A practitioner should also remember that reinstalling Windows or swapping the disk does not remove an infection: only reflashing the SPI flash with a clean firmware image, or replacing the motherboard, does.
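The platform-dependent check that ESET describes the attackers performing (reading low-level chipset settings before attempting a flash write) is the same check a defender can run to see whether the firmware has actually locked the SPI flash, which is what the "most updated UEFI/BIOS" advice above comes down to. The following is an added example written for this article, not ESET's code and not part of LoJax. It decodes the two register families that govern BIOS region writes on Intel platforms with a Platform Controller Hub: the BIOS_CNTL register (BIOSWE, BLE and SMM_BWP bits) and the SPI Protected Range registers PR0 to PR4, using the bit layouts from the public Intel PCH datasheets. The register values and the BIOS region bounds below are constructed for illustration; on a live machine they would be read with a tool such as chipsec running as root.

```python
"""Assess SPI flash BIOS-region write protection from Intel PCH register values.

Added example for this article, not ESET's or LoJax's code. Bit layouts follow
the public Intel PCH datasheets (BIOS_CNTL at LPC/eSPI PCI config offset 0xDC,
PR0..PR4 in the SPI BAR). All register values used here are constructed.
"""

# BIOS_CNTL bits
BIOSWE = 1 << 0    # BIOS Write Enable: flash writes are accepted when set
BLE = 1 << 1       # BIOS Lock Enable: setting BIOSWE raises an SMI so firmware can clear it
SMM_BWP = 1 << 5   # SMM BIOS Write Protect: writes are only honoured while in SMM

# Protected Range register fields (4 KiB granularity)
PR_WPE = 1 << 31          # Write Protection Enable for this range
PR_FIELD_MASK = 0x1FFF    # 13-bit base (bits 12:0) and limit (bits 28:16)


def decode_bios_cntl(value: int) -> dict:
    """Split BIOS_CNTL into the three bits that matter for write protection."""
    return {
        "BIOSWE": bool(value & BIOSWE),
        "BLE": bool(value & BLE),
        "SMM_BWP": bool(value & SMM_BWP),
    }


def decode_protected_range(pr: int):
    """Return (enabled, base, limit) for one PRx register; limit is inclusive."""
    enabled = bool(pr & PR_WPE)
    base = (pr & PR_FIELD_MASK) << 12
    limit = (((pr >> 16) & PR_FIELD_MASK) << 12) | 0xFFF
    return enabled, base, limit


def ranges_cover(ranges, start: int, end: int) -> bool:
    """True if the union of the (base, limit) ranges covers [start, end] without a hole."""
    cursor = start
    for base, limit in sorted(ranges):
        if base > cursor:
            break                    # a gap before this range: not fully covered
        if limit >= cursor:
            cursor = limit + 1
        if cursor > end:
            return True
    return cursor > end


def assess_flash_protection(bios_cntl: int, pr_regs, bios_region):
    """Decide whether the BIOS region of the SPI flash is write-protected.

    Returns (protected, findings). Protection is counted if either BIOS_CNTL
    restricts writes to SMM (BLE=1, SMM_BWP=1, BIOSWE=0) or the enabled
    Protected Range registers cover the whole BIOS region.
    """
    bits = decode_bios_cntl(bios_cntl)
    findings = []
    cntl_locked = False
    if bits["BIOSWE"]:
        findings.append("BIOSWE=1: BIOS region is writable from the OS")
    elif not bits["BLE"]:
        findings.append("BLE=0: any kernel driver (e.g. RwDrv.sys) can set BIOSWE")
    elif not bits["SMM_BWP"]:
        findings.append("BLE=1 but SMM_BWP=0: protection rests on the SMI handler alone")
    else:
        cntl_locked = True
        findings.append("BIOS_CNTL: writes restricted to SMM (BLE=1, SMM_BWP=1, BIOSWE=0)")

    enabled = [(b, l) for e, b, l in map(decode_protected_range, pr_regs) if e]
    pr_locked = bool(enabled) and ranges_cover(enabled, *bios_region)
    findings.append("protected ranges cover BIOS region: %s" % pr_locked)
    return cntl_locked or pr_locked, findings


if __name__ == "__main__":
    # Constructed sample: BIOS region at 0x500000-0xFFFFFF of a 16 MiB flash.
    region = (0x500000, 0xFFFFFF)
    samples = {
        "locked via BIOS_CNTL": (0x22, [0, 0, 0, 0, 0]),
        "BLE only, no SMM_BWP": (0x02, [0, 0, 0, 0, 0]),
        "locked via PR0":       (0x00, [0x8FFF0500, 0, 0, 0, 0]),
        "PR0 covers only part": (0x00, [0x8FFF0800, 0, 0, 0, 0]),
    }
    for name, (cntl, prs) in samples.items():
        ok, why = assess_flash_protection(cntl, prs, region)
        print("%-22s protected=%s" % (name, ok))
        for line in why:
            print("    " + line)
```

On a real system the same assessment is what `chipsec_main -m common.bios_wp` performs, and `chipsec_util spi dump` produces the kind of SPI flash image the ESET quote above describes, which can then be hashed and diffed against the vendor's firmware release to spot an added DXE driver. A result of "not protected" does not by itself indicate an infection; it means a tool with a driver like RwDrv.sys could write the flash from the running OS.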