Monday, June 17, 2024

APT Group Uses Dangerous LoJax Malware That Can Survive After OS Re-installation and Hard Disk Replacement

Security researchers from ESET found first ever APT28 group used UEFI rootkit in wild. The Sedint group behind several high profile attacks on several organizations and television networks around the world.

The UEFI rootkits are hard to detect and extremely dangerous, they persist even after operating system reinstallation and even a hard disk replacement. Threat actors behind LoJax malware imitate Computrace’s persistence method.

The Unified Extensible Firmware Interface(UEFI) is a replacement for BIOS that connects computer’s firmware to its operating system.

How LoJax Malware Works

The LoJack small agent was first identified by Arbor networks detected in May 2018, with this new campaign the LoJax Malware targeting different entities in the Balkans as well as Central and Eastern Europe, the distribution method is unknown.

Along with Lojax agent it to have some additional tool info_efi.exe, ReWriter_read.exe, and ReWriter_binary.exe which has an ability to read systems’ UEFI firmware.

RwDrv and info_efi.exe – Tools used to read computer low-level settings such as PCI Express, Memory, PCI Option ROMs, etc.

LoJax Malware

ReWriter_read.exe – To dump the system SPI flash memory.

ReWriter_binary.exe – contains the code to patch the dumped UEFI image and write the trojanized version back to the SPI flash memory

It is capable of overwriting system’s SPI flash and installs a malicious UEFI module on the system which is responsible for dropping the LoJax agent on the system. As the malware installed on the system’s firmware it can survive even after OS re-install and even after hardware replacement.

LoJax Malware

“LoJax’s best quality is to be stealthy and persistent, it could definitely be used to help ensure that access to key resources is maintained.”

How to Protect from UEFI rootkit

By enabling Secure Boot you can avoid such infection.

Make sure that you are using the latest available UEFI/BIOS available for your motherboard

If your system infected Flashing UEFI/BIOS or replacing the motherboard is the only solution.

The LoJax campaign shows that high-value targets are prime candidates for the deployment of rare, even unique threats and such targets should always be on the lookout for signs of compromise. researchers said.

ESET published a Whitepaper titled LOJAX First UEFI rootkit found in the wild, courtesy of the Sednit group, IoCs and samples can be found on GitHub.

Related Read

Dangerous Android Malware that Steals Banking Credentials, Call Forwarding, Keylogging, and Ransomware Activities

Android Device With Open ADB Ports Exploited to Spread Satori Variant of Mirai Botnet

60,000 Android Devices are Infected with Malicious Battery Saver App that Steals Various Sensitive Data


Latest articles

Sleepy Pickle Exploit Let Attackers Exploit ML Models And Attack End-Users

Hackers are targeting, attacking, and exploiting ML models. They want to hack into these...

SolarWinds Serv-U Vulnerability Let Attackers Access sensitive files

SolarWinds released a security advisory for addressing a Directory Traversal vulnerability which allows a...

Smishing Triad Hackers Attacking Online Banking, E-Commerce AND Payment Systems Customers

Hackers often attack online banking platforms, e-commerce portals, and payment systems for illicit purposes.Resecurity...

Threat Actor Claiming Leak Of 5 Million Ecuador’s Citizen Database

A threat actor has claimed responsibility for leaking the personal data of 5 million...

Ascension Hack Caused By an Employee Who Downloaded a Malicious File

Ascension, a leading healthcare provider, has made significant strides in its investigation and recovery...

AWS Announced Malware Detection Tool For S3 Buckets

Amazon Web Services (AWS) has announced the general availability of Amazon GuardDuty Malware Protection...

Hackers Exploiting MS Office Editor Vulnerability to Deploy Keylogger

Researchers have identified a sophisticated cyberattack orchestrated by the notorious Kimsuky threat group.The...
Guru baran
Guru baran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Free Webinar

API Vulnerability Scanning

71% of the internet traffic comes from APIs so APIs have become soft targets for hackers.Securing APIs is a simple workflow provided you find API specific vulnerabilities and protect them.In the upcoming webinar, join Vivek Gopalan, VP of Products at Indusface as he takes you through the fundamentals of API vulnerability scanning..
Key takeaways include:

  • Scan API endpoints for OWASP API Top 10 vulnerabilities
  • Perform API penetration testing for business logic vulnerabilities
  • Prioritize the most critical vulnerabilities with AcuRisQ
  • Workflow automation for this entire process

Related Articles