APT Group Uses Dangerous LoJax Malware That Can Survive After OS Re-installation and Hard Disk Replacement

Security researchers from ESET found first ever APT28 group used UEFI rootkit in wild. The Sedint group behind several high profile attacks on several organizations and television networks around the world.

The UEFI rootkits are hard to detect and extremely dangerous, they persist even after operating system reinstallation and even a hard disk replacement. Threat actors behind LoJax malware imitate Computrace’s persistence method.

The Unified Extensible Firmware Interface(UEFI) is a replacement for BIOS that connects computer’s firmware to its operating system.

How LoJax Malware Works

The LoJack small agent was first identified by Arbor networks detected in May 2018, with this new campaign the LoJax Malware targeting different entities in the Balkans as well as Central and Eastern Europe, the distribution method is unknown.

Along with Lojax agent it to have some additional tool info_efi.exe, ReWriter_read.exe, and ReWriter_binary.exe which has an ability to read systems’ UEFI firmware.

RwDrv and info_efi.exe – Tools used to read computer low-level settings such as PCI Express, Memory, PCI Option ROMs, etc.

ReWriter_read.exe – To dump the system SPI flash memory.

ReWriter_binary.exe – contains the code to patch the dumped UEFI image and write the trojanized version back to the SPI flash memory

It is capable of overwriting system’s SPI flash and installs a malicious UEFI module on the system which is responsible for dropping the LoJax agent on the system. As the malware installed on the system’s firmware it can survive even after OS re-install and even after hardware replacement.

“LoJax’s best quality is to be stealthy and persistent, it could definitely be used to help ensure that access to key resources is maintained.”

How to Protect from UEFI rootkit

By enabling Secure Boot you can avoid such infection.

Make sure that you are using the latest available UEFI/BIOS available for your motherboard

If your system infected Flashing UEFI/BIOS or replacing the motherboard is the only solution.

The LoJax campaign shows that high-value targets are prime candidates for the deployment of rare, even unique threats and such targets should always be on the lookout for signs of compromise. researchers said.

ESET published a Whitepaper titled LOJAX First UEFI rootkit found in the wild, courtesy of the Sednit group, IoCs and samples can be found on GitHub.

Related Read

Dangerous Android Malware that Steals Banking Credentials, Call Forwarding, Keylogging, and Ransomware Activities

Android Device With Open ADB Ports Exploited to Spread Satori Variant of Mirai Botnet

60,000 Android Devices are Infected with Malicious Battery Saver App that Steals Various Sensitive Data

Gurubaran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Recent Posts

LightSpy iOS Malware Enhanced with 28 New Destructive Plugins

The LightSpy threat actor exploited publicly available vulnerabilities and jailbreak kits to compromise iOS devices.…

2 days ago

ATPC Cyber Forum to Focus on Next Generation Cybersecurity and Artificial Intelligence Issues

White House National Cyber Director, CEOs, Key Financial Services Companies, Congressional and Executive Branch Experts…

3 days ago

New PySilon RAT Abusing Discord Platform to Maintain Persistence

Cybersecurity experts have identified a new Remote Access Trojan (RAT) named PySilon. This Trojan exploits…

4 days ago

Konni APT Hackers Attacking Organizations with New Spear-Phishing Tactics

The notorious Konni Advanced Persistent Threat (APT) group has intensified its cyber assault on organizations…

4 days ago

Google Chrome Security, Critical Vulnerabilities Patched

Google has updated its Chrome browser, addressing critical vulnerabilities that posed potential risks to millions…

4 days ago

Notorious WrnRAT Delivered Mimic As Gambling Games

WrnRAT is a new malware attack that cybercriminals have deployed by using popular gambling games…

4 days ago