Security researchers from ESET found first ever APT28 group used UEFI rootkit in wild. The Sedint group behind several high profile attacks on several organizations and television networks around the world.
The UEFI rootkits are hard to detect and extremely dangerous, they persist even after operating system reinstallation and even a hard disk replacement. Threat actors behind LoJax malware imitate Computrace’s persistence method.
The Unified Extensible Firmware Interface(UEFI) is a replacement for BIOS that connects computer’s firmware to its operating system.
How LoJax Malware Works
The LoJack small agent was first identified by Arbor networks detected in May 2018, with this new campaign the LoJax Malware targeting different entities in the Balkans as well as Central and Eastern Europe, the distribution method is unknown.
Along with Lojax agent it to have some additional tool info_efi.exe, ReWriter_read.exe, and ReWriter_binary.exe which has an ability to read systems’ UEFI firmware.
RwDrv and info_efi.exe – Tools used to read computer low-level settings such as PCI Express, Memory, PCI Option ROMs, etc.
ReWriter_read.exe – To dump the system SPI flash memory.
ReWriter_binary.exe – contains the code to patch the dumped UEFI image and write the trojanized version back to the SPI flash memory
It is capable of overwriting system’s SPI flash and installs a malicious UEFI module on the system which is responsible for dropping the LoJax agent on the system. As the malware installed on the system’s firmware it can survive even after OS re-install and even after hardware replacement.
“LoJax’s best quality is to be stealthy and persistent, it could definitely be used to help ensure that access to key resources is maintained.”
How to Protect from UEFI rootkit
By enabling Secure Boot you can avoid such infection.
Make sure that you are using the latest available UEFI/BIOS available for your motherboard
If your system infected Flashing UEFI/BIOS or replacing the motherboard is the only solution.
The LoJax campaign shows that high-value targets are prime candidates for the deployment of rare, even unique threats and such targets should always be on the lookout for signs of compromise. researchers said.
ESET published a Whitepaper titled LOJAX First UEFI rootkit found in the wild, courtesy of the Sednit group, IoCs and samples can be found on GitHub.