APT Group Uses Dangerous LoJax Malware That Can Survive After OS Re-installation and Hard Disk Replacement

Security researchers from ESET found first ever APT28 group used UEFI rootkit in wild. The Sedint group behind several high profile attacks on several organizations and television networks around the world.

The UEFI rootkits are hard to detect and extremely dangerous, they persist even after operating system reinstallation and even a hard disk replacement. Threat actors behind LoJax malware imitate Computrace’s persistence method.

The Unified Extensible Firmware Interface(UEFI) is a replacement for BIOS that connects computer’s firmware to its operating system.

How LoJax Malware Works

The LoJack small agent was first identified by Arbor networks detected in May 2018, with this new campaign the LoJax Malware targeting different entities in the Balkans as well as Central and Eastern Europe, the distribution method is unknown.

Along with Lojax agent it to have some additional tool info_efi.exe, ReWriter_read.exe, and ReWriter_binary.exe which has an ability to read systems’ UEFI firmware.

RwDrv and info_efi.exe – Tools used to read computer low-level settings such as PCI Express, Memory, PCI Option ROMs, etc.

ReWriter_read.exe – To dump the system SPI flash memory.

ReWriter_binary.exe – contains the code to patch the dumped UEFI image and write the trojanized version back to the SPI flash memory

It is capable of overwriting system’s SPI flash and installs a malicious UEFI module on the system which is responsible for dropping the LoJax agent on the system. As the malware installed on the system’s firmware it can survive even after OS re-install and even after hardware replacement.

“LoJax’s best quality is to be stealthy and persistent, it could definitely be used to help ensure that access to key resources is maintained.”

How to Protect from UEFI rootkit

By enabling Secure Boot you can avoid such infection.

Make sure that you are using the latest available UEFI/BIOS available for your motherboard

If your system infected Flashing UEFI/BIOS or replacing the motherboard is the only solution.

The LoJax campaign shows that high-value targets are prime candidates for the deployment of rare, even unique threats and such targets should always be on the lookout for signs of compromise. researchers said.

ESET published a Whitepaper titled LOJAX First UEFI rootkit found in the wild, courtesy of the Sednit group, IoCs and samples can be found on GitHub.

Related Read

Dangerous Android Malware that Steals Banking Credentials, Call Forwarding, Keylogging, and Ransomware Activities

Android Device With Open ADB Ports Exploited to Spread Satori Variant of Mirai Botnet

60,000 Android Devices are Infected with Malicious Battery Saver App that Steals Various Sensitive Data

Gurubaran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Recent Posts

Threat Actors Exploit Google Docs And Weebly Services For Malware Attacks

Phishing attackers used Google Docs to deliver malicious links, bypassing security measures and redirecting victims…

12 hours ago

Python NodeStealer: Targeting Facebook Business Accounts to Harvest Login Credentials

The Python-based NodeStealer, a sophisticated info-stealer, has evolved to target new information and employ advanced…

12 hours ago

XSS Vulnerability in Bing.com Let Attackers Send Crafted Malicious Requests

A significant XSS vulnerability was recently uncovered in Microsoft’s Bing.com, potentially allowing attackers to execute…

15 hours ago

Meta Removed 2 Million Account Linked to Malicious Activities

 Meta has announced the removal of over 2 million accounts connected to malicious activities, including…

18 hours ago

Veritas Enterprise Vault Vulnerabilities Lets Attackers Execute Arbitrary Code Remotely

Critical security vulnerability has been identified in Veritas Enterprise Vault, a widely-used archiving and content…

19 hours ago

7-Zip RCE Vulnerability Let Attackers Execute Remote Code

A critical security vulnerability has been disclosed in the popular file archiving tool 7-Zip, allowing…

19 hours ago