Intelligence Reporting

Cybersecurity researchers have unveiled the first-ever UEFI (Unified Extensible Firmware Interface) rootkit observed in use.  It allows hackers to implant persistent malware on targeted computers that can survive a complete hard-drive wipe.  Named LoJax, the UEFI rootkit is part of a malware campaign conducted by the Sednit group, also known as APT28, Fancy Bear, Strontium, and Sofacy, which has targeted government organizations in the Balkans as well as in Central and Eastern Europe.[1]  The Sednit group is a state-sponsored hacking group believed to be a unit of the Russian GRU (General Staff Main Intelligence Directorate).  The group has been associated with a number of high-profile attacks, including the DNC hack during the 2016 US presidential election.

UEFI is a replacement for the traditional BIOS (basic input/output system[2]) and is a core and critical firmware component of a computer: it links the computer's hardware and operating system at startup.  UEFI is typically not accessible to users.  The LoJax malware is able to write a malicious UEFI module into the system's SPI flash memory, allowing the firmware to install and execute malware on the computer's disk during the boot process, below the operating system.  ESET researchers blogged this past week that the patching tool uses different techniques, either abusing misconfigured platforms or bypassing the platform's SPI flash memory write protections.  Since the LoJax rootkit resides in the compromised UEFI firmware and re-infects the system before the operating system even boots, reinstalling the operating system, formatting the hard disk, or even replacing the hard drive with a new one is not sufficient to clean this infection.  The only way to remove this rootkit is to reflash the compromised firmware with a legitimate image.  Unfortunately, this is not a simple task for most computer users.

LoJax was first observed last year and is a trojanized version of the legitimate LoJack laptop anti-theft software from Absolute Software.  LoJack installs its agent into the system's BIOS so that it survives an operating system re-installation or drive replacement, and it notifies the device owner of the laptop's location in case it is stolen.  With LoJax, the attackers slightly modified the LoJack software, keeping its ability to overwrite the UEFI module while changing the background process that communicates with Absolute Software's server so that it reports back to Fancy Bear's C2 servers instead.  Upon analyzing the LoJax sample, researchers found that the threat actors used a component called "ReWriter_binary" to rewrite vulnerable UEFI chips, replacing the vendor code with their malicious code.  "All the LoJax small agent samples we could recover are trojanizing the exact same legitimate sample of the Computrace small agent rpcnetp.exe.  They all have the same compilation timestamp and only a few tens of bytes are different from the original one.  Besides the modifications to the configuration file, the other changes include timer values specifying the intervals between connections to the C2 server."

How to Protect Your Computer from Rootkits

There are no easy ways to automatically remove this threat from a system.  Since the UEFI rootkit is not properly signed, users can protect themselves against a LoJax infection by enabling the Secure Boot mechanism, which makes sure that each and every component loaded by the system firmware is properly signed with a valid certificate.
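On a UEFI-booted Linux host the firmware exposes its SecureBoot and SetupMode variables through efivarfs, and a defender can confirm the protection above is actually in force rather than merely available.  The following is an added example, not code from the original report or from ESET: it parses the efivarfs file format (a 4-byte attribute header followed by the variable data) and classifies the host's enforcement state.  The variable names and the EFI_GLOBAL_VARIABLE GUID are the standard UEFI values; the byte strings used for checking are constructed.

```python
import struct
from pathlib import Path
from typing import Tuple

# efivarfs exposes each variable as a file whose first 4 bytes hold the
# little-endian attribute bitmask, followed by the raw variable data.
EFIVARS = Path("/sys/firmware/efi/efivars")
GLOBAL_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"  # EFI_GLOBAL_VARIABLE


def parse_efivar(blob: bytes) -> Tuple[int, bytes]:
    """Split an efivarfs file image into (attributes, data)."""
    if len(blob) < 4:
        raise ValueError("efivarfs blob too short for attribute header")
    (attrs,) = struct.unpack_from("<I", blob, 0)
    return attrs, blob[4:]


def secure_boot_state(secureboot_blob: bytes, setupmode_blob: bytes) -> str:
    """Classify enforcement from the SecureBoot and SetupMode variables.

    Both variables carry a single byte. Signature checking is enforced only
    when SecureBoot == 1 AND SetupMode == 0; SetupMode == 1 means the key
    database is still open to unauthenticated changes, so nothing is enforced.
    """
    _, sb = parse_efivar(secureboot_blob)
    _, setup = parse_efivar(setupmode_blob)
    if not sb or not setup:
        raise ValueError("empty variable data")
    if setup[0] == 1:
        return "setup-mode"
    if sb[0] == 1:
        return "enforcing"
    return "disabled"


def read_efivar(name: str, guid: str = GLOBAL_GUID) -> bytes:
    """Read the raw efivarfs file for a variable on the running host."""
    return (EFIVARS / f"{name}-{guid}").read_bytes()


def host_secure_boot_state() -> str:
    """Check this host; 'no-uefi' means efivarfs is absent (e.g. legacy BIOS boot)."""
    try:
        return secure_boot_state(read_efivar("SecureBoot"), read_efivar("SetupMode"))
    except FileNotFoundError:
        return "no-uefi"


if __name__ == "__main__":
    print("Secure Boot:", host_secure_boot_state())
```

A result of "setup-mode" deserves the same attention as "disabled": the firmware will load an unsigned module in either state.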

If you are already infected with such malware, the only way to remove the rootkit is to reflash the SPI flash memory with a clean firmware image specific to the motherboard.  This is a very delicate process that must be performed manually and carefully.  As an alternative to reflashing the UEFI/BIOS, you can replace the motherboard of the compromised system outright.  Researchers theorize that the LoJax campaign is focused on high-value targets, who are the prime candidates for its deployment.  Such targets should always be on the lookout for signs of compromise.

Other Sources:

https://www.welivesecurity.com/wp-content/uploads/2018/09/ESET-LoJax.pdf

For questions, comments or assistance regarding this report, please contact Wapack Labs at 603-606-1246, or feedback@wapacklabs.com

[1] https://thehackernews.com/2018/09/uefi-rootkit-malware.html

[2] BIOS is the program a personal computer's microprocessor uses to get the computer system started after you turn it on.

[3] https://www.wired.com/2015/07/hacking-team-breach-shows-global-spying-firm-run-amok/
