
LoJax

UEFI malware and rootkits have been a talking point in the cybersecurity field ever since UEFI firmware began replacing the traditional BIOS on motherboards. Nowadays, it is rare to see a motherboard that does not ship UEFI firmware instead of the simple and limited legacy BIOS. Thanks to UEFI's richer feature set, a computer can have network connectivity before any operating system loads, and the user gets a broad range of low-level configuration options in place of the rather basic BIOS settings of before. All of this is useful, but the same capabilities made it possible for the APT (Advanced Persistent Threat) group Fancy Bear (also known as APT28 or Sednit) to develop a UEFI rootkit of its own, which goes by the name LoJax.

While rootkit malware targeting UEFI firmware has long been discussed, the Fancy Bear toolset dubbed 'LoJax' is the first case in which a threat of this sort was found in the wild, on a real victim's machine rather than in a lab.

LoJax is a modified version of LoJack (Absolute Software's Computrace), a legitimate anti-theft agent whose small loader lives in the BIOS/UEFI firmware so that the agent persists even if the hard disk is swapped or the operating system is reinstalled. The Fancy Bear crew turned that design against its owners: their trojanized agent reports to a Command & Control server they operate, and a malicious UEFI module written to the motherboard's SPI flash re-installs that agent at every boot. The group therefore possesses a rootkit that survives an OS reinstall and even a hard-drive replacement; only reflashing the firmware (or replacing the motherboard) removes it. Because the module runs as part of the firmware, it executes before the victim's operating system has loaded, so it can place its payload on the disk before any OS-level security product starts. Security researchers have also identified several tools that accompany LoJax, used to read the system's firmware and chipset configuration (including the contents of the SPI flash), which gives the attackers the information they need to decide whether and how a given platform can be infected.

Naturally, Fancy Bear's targets are not regular users; the LoJax rootkit is reserved for very high-profile victims. It is also worth adding that, while LoJax is innovative, it is limited in reach: its flash-writing technique only works on older chipsets, or on machines whose firmware leaves the SPI flash write protection unset or misconfigured. Furthermore, the malicious UEFI module is not signed with a valid certificate, so enabling Secure Boot should be enough to prevent the LoJax rootkit from loading. Two caveats apply in practice: Secure Boot that is switched on but still in setup mode (no platform key enrolled) verifies nothing, and a firmware that lets the operating system write to the flash leaves the door open regardless, so both settings are worth checking rather than assuming.
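Both of those conditions can be checked on the machine itself. The script below is an added example (it is not part of this post, nor taken from ESET's LoJax analysis or from the attackers' tooling): it decodes the UEFI SecureBoot and SetupMode variables as Linux exposes them in efivarfs, and classifies the chipset's BIOS_CNTL write-protection bits. It assumes a Linux host with efivarfs mounted for the live Secure Boot check, and it takes the BIOS_CNTL byte as an integer that you obtain separately with setpci or CHIPSEC, because the register's location differs between chipset generations; the bit layout (BIOSWE, BLE, SMM_BWP) follows Intel's PCH datasheets. The BIOS_CNTL value used in the script's main block is a constructed sample.

```python
"""Check the two firmware properties the LoJax discussion turns on:
whether Secure Boot is actually enforcing, and whether the SPI flash
write-protection bits are set so the OS cannot rewrite the firmware.
Added example; assumes a Linux host with efivarfs mounted for the live
check, and takes the BIOS_CNTL value as an integer read separately."""
import os
import struct
from typing import Optional, Tuple

# EFI_GLOBAL_VARIABLE GUID. efivarfs exposes each variable as a file
# named <Name>-<GUID> whose first 4 bytes are the variable attributes.
EFI_GLOBAL_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFIVARS_DIR = "/sys/firmware/efi/efivars"

# BIOS_CNTL bits as documented in Intel PCH datasheets. The register
# location varies by generation (e.g. offset 0xDC on the LPC bridge of
# older PCHs); CHIPSEC's common.bios_wp module knows the per-chipset
# location, so use it or setpci to obtain the raw byte.
BIOSWE = 1 << 0    # BIOS Write Enable: flash writable from the OS
BLE = 1 << 1       # BIOS Lock Enable: setting BIOSWE raises an SMI
SMM_BWP = 1 << 5   # SMM BIOS Write Protect: writes only allowed in SMM


def parse_efivar(raw: bytes) -> Tuple[int, bytes]:
    """Split an efivarfs file image into (attributes, payload)."""
    if len(raw) < 5:
        raise ValueError("efivar image needs a 4-byte header and data")
    (attrs,) = struct.unpack("<I", raw[:4])
    return attrs, raw[4:]


def secure_boot_state(secureboot_raw: bytes, setupmode_raw: bytes) -> str:
    """Return 'enforcing', 'setup-mode' or 'disabled'.

    SecureBoot=1 alone is not enough: with SetupMode=1 no platform key
    is enrolled, the firmware verifies nothing, and an unsigned DXE
    driver such as LoJax's would still load.
    """
    _, sb = parse_efivar(secureboot_raw)
    _, sm = parse_efivar(setupmode_raw)
    if sm[0] == 1:
        return "setup-mode"
    if sb[0] == 1:
        return "enforcing"
    return "disabled"


def bios_wp_assessment(bios_cntl: int) -> Tuple[str, str]:
    """Classify a raw BIOS_CNTL byte as (status, reason)."""
    if bios_cntl & BIOSWE:
        return "writable", "BIOSWE is set: the SPI flash can be written from the OS"
    if not bios_cntl & BLE:
        return "unlocked", "BLE is clear: nothing stops software from setting BIOSWE"
    if not bios_cntl & SMM_BWP:
        return ("weak", "BLE set but SMM_BWP clear: protection relies on the SMI "
                        "handler reacting in time, which CHIPSEC warns about")
    return "protected", "BLE and SMM_BWP set: flash writes only from SMM"


def read_efivar(name: str) -> Optional[bytes]:
    """Read a global EFI variable from efivarfs, or None if absent."""
    path = os.path.join(EFIVARS_DIR, f"{name}-{EFI_GLOBAL_GUID}")
    try:
        with open(path, "rb") as fh:
            return fh.read()
    except OSError:
        return None


def live_secure_boot_state() -> Optional[str]:
    """Secure Boot state of this machine, or None when not a UEFI Linux host."""
    sb, sm = read_efivar("SecureBoot"), read_efivar("SetupMode")
    if sb is None or sm is None:
        return None
    return secure_boot_state(sb, sm)


if __name__ == "__main__":
    state = live_secure_boot_state()
    print("Secure Boot:", state if state else "efivars not available")
    # BIOS_CNTL must be read with root privileges via setpci/CHIPSEC;
    # the value below is a constructed sample (BLE set, SMM_BWP clear).
    sample_bios_cntl = 0x02
    print("BIOS_CNTL 0x%02x:" % sample_bios_cntl, *bios_wp_assessment(sample_bios_cntl))
```

Run it as root on the host in question. A 'setup-mode' or 'disabled' Secure Boot result, or any BIOS_CNTL status other than 'protected', means the mitigations described above are not actually in place; for the flash side, CHIPSEC's common.bios_wp module remains the authoritative check because it also locates the register for the chipset at hand.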



This post first appeared on SpywareRemove.
