Friday, March 29, 2024

APT Group Uses Dangerous LoJax Malware That Can Survive After OS Re-installation and Hard Disk Replacement

Security researchers from ESET found first ever APT28 group used UEFI rootkit in wild. The Sedint group behind several high profile attacks on several organizations and television networks around the world.

The UEFI rootkits are hard to detect and extremely dangerous, they persist even after operating system reinstallation and even a hard disk replacement. Threat actors behind LoJax malware imitate Computrace’s persistence method.

The Unified Extensible Firmware Interface(UEFI) is a replacement for BIOS that connects computer’s firmware to its operating system.

How LoJax Malware Works

The LoJack small agent was first identified by Arbor networks detected in May 2018, with this new campaign the LoJax Malware targeting different entities in the Balkans as well as Central and Eastern Europe, the distribution method is unknown.

Along with Lojax agent it to have some additional tool info_efi.exe, ReWriter_read.exe, and ReWriter_binary.exe which has an ability to read systems’ UEFI firmware.

RwDrv and info_efi.exe – Tools used to read computer low-level settings such as PCI Express, Memory, PCI Option ROMs, etc.

LoJax Malware

ReWriter_read.exe – To dump the system SPI flash memory.

ReWriter_binary.exe – contains the code to patch the dumped UEFI image and write the trojanized version back to the SPI flash memory

It is capable of overwriting system’s SPI flash and installs a malicious UEFI module on the system which is responsible for dropping the LoJax agent on the system. As the malware installed on the system’s firmware it can survive even after OS re-install and even after hardware replacement.

LoJax Malware

“LoJax’s best quality is to be stealthy and persistent, it could definitely be used to help ensure that access to key resources is maintained.”

How to Protect from UEFI rootkit

By enabling Secure Boot you can avoid such infection.

Make sure that you are using the latest available UEFI/BIOS available for your motherboard

If your system infected Flashing UEFI/BIOS or replacing the motherboard is the only solution.

The LoJax campaign shows that high-value targets are prime candidates for the deployment of rare, even unique threats and such targets should always be on the lookout for signs of compromise. researchers said.

ESET published a Whitepaper titled LOJAX First UEFI rootkit found in the wild, courtesy of the Sednit group, IoCs and samples can be found on GitHub.

Related Read

Dangerous Android Malware that Steals Banking Credentials, Call Forwarding, Keylogging, and Ransomware Activities

Android Device With Open ADB Ports Exploited to Spread Satori Variant of Mirai Botnet

60,000 Android Devices are Infected with Malicious Battery Saver App that Steals Various Sensitive Data

Website

Latest articles

Beware Of Weaponized Air Force invitation PDF Targeting Indian Defense And Energy Sectors

EclecticIQ cybersecurity researchers have uncovered a cyberespionage operation dubbed "Operation FlightNight" targeting Indian government...

WarzoneRAT Returns Post FBI Seizure: Utilizing LNK & HTA File

The notorious WarzoneRAT malware has made a comeback, despite the FBI's recent efforts to...

Google Revealed Kernel Address Sanitizer To Harden Android Firmware And Beyond

Android devices are popular among hackers due to the platform’s extensive acceptance and open-source...

Compromised SaaS Supply Chain Apps: 97% of Organizations at Risk of Cyber Attacks

Businesses increasingly rely on Software as a Service (SaaS) applications to drive efficiency, innovation,...

IT and security Leaders Feel Ill-Equipped to Handle Emerging Threats: New Survey

A comprehensive survey conducted by Keeper Security, in partnership with TrendCandy Research, has shed...

How to Analyse .NET Malware? – Reverse Engineering Snake Keylogger

Utilizing sandbox analysis for behavioral, network, and process examination provides a foundation for reverse...

GoPlus’s Latest Report Highlights How Blockchain Communities Are Leveraging Critical API Security Data To Mitigate Web3 Threats

GoPlus Labs, the leading Web3 security infrastructure provider, has unveiled a groundbreaking report highlighting...
Guru baran
Guru baranhttps://gbhackers.com
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Mitigating Vulnerability Types & 0-day Threats

Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.

  • The problem of vulnerability fatigue today
  • Difference between CVSS-specific vulnerability vs risk-based vulnerability
  • Evaluating vulnerabilities based on the business impact/risk
  • Automation to reduce alert fatigue and enhance security posture significantly

Related Articles