Cybersecurity researchers at ESET have unveiled what they claim to be the first-ever UEFI rootkit used in the wild, allowing attackers to implant persistent malware on targeted computers that can survive a complete hard-drive wipe.
Dubbed LoJax, the UEFI rootkit is part of a malware campaign conducted by the infamous Sednit group, also known as APT28, Fancy Bear, Strontium, and Sofacy, targeting several government organizations in the Balkans as well as in Central and Eastern Europe.
Operating since at least 2007, the Sednit group is a state-sponsored hacking group believed to be a unit of the GRU (General Staff Main Intelligence Directorate), a Russian clandestine military intelligence agency. The group has been associated with a number of high-profile attacks, including the DNC hack just before the 2016 U.S. presidential election.
UEFI, or Unified Extensible Firmware Interface, is the replacement for the traditional BIOS. It is a core and critical firmware component of a computer that links the hardware and the operating system at startup, and it is typically not accessible to users.
How Does LoJax UEFI Rootkit Work?
According to the ESET researchers, the LoJax malware is able to write a malicious UEFI module into the system's SPI flash memory, which lets the firmware install and execute malware on the computer's disk during the boot process.
"This patching tool uses different techniques either to abuse misconfigured platforms or to bypass platform SPI flash memory write protections," ESET researchers said. A Hacking Team leak revealed that the infamous spyware vendor offered UEFI persistence with one of its products.
Also, one of the CIA documents leaked by WikiLeaks last year gave a clear insight into the techniques the agency used to gain 'persistence' on Apple devices, including Macs and iPhones, demonstrating its use of EFI/UEFI and firmware malware.
However, according to ESET, the LoJax rootkit installation uncovered by its researchers is the first recorded case of a UEFI rootkit active in the wild.
How to Protect Your Computer From Rootkits
As ESET researchers said, there is no easy way to automatically remove this threat from a system.
Since the UEFI rootkit is not properly signed, users can protect themselves against LoJax infection by enabling the Secure Boot mechanism, which ensures that each and every component loaded by the system firmware is properly signed with a valid certificate.
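The two defensive checks this article points at, whether Secure Boot is actually enforcing and whether the platform's SPI flash write protection is configured rather than "misconfigured", can be scripted. The following is an added example, not ESET's tooling or anything from the white paper: it parses the `SecureBoot` and `SetupMode` variables in the layout Linux efivarfs exposes (a 4-byte attribute mask followed by the data) and decodes the BIOSWE, BLE and SMM_BWP bits of the Intel PCH `BIOS_CNTL` register from a value supplied to it; the register value itself has to come from privileged tooling such as chipsec, and the sample inputs at the bottom are constructed.

```python
import struct
from pathlib import Path

EFIVARS = Path("/sys/firmware/efi/efivars")
GLOBAL_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"  # EFI_GLOBAL_VARIABLE

# BIOS_CNTL bit positions (Intel PCH): write enable, lock enable, SMM-only writes.
BIOSWE, BLE, SMM_BWP = 1 << 0, 1 << 1, 1 << 5


def parse_efivar(raw: bytes) -> tuple:
    """Split an efivarfs record into (attribute mask, variable data)."""
    if len(raw) < 4:
        raise ValueError("efivarfs record too short")
    (attrs,) = struct.unpack_from("<I", raw, 0)  # little-endian uint32
    return attrs, raw[4:]


def secure_boot_state(secureboot_raw: bytes, setupmode_raw: bytes) -> dict:
    """Secure Boot only enforces signatures when enabled AND not in setup mode."""
    _, sb = parse_efivar(secureboot_raw)
    _, sm = parse_efivar(setupmode_raw)
    enabled = len(sb) >= 1 and sb[0] == 1
    setup_mode = len(sm) >= 1 and sm[0] == 1
    return {"secure_boot": enabled, "setup_mode": setup_mode,
            "enforcing": enabled and not setup_mode}


def spi_write_protection(bios_cntl: int) -> dict:
    """Decode BIOS_CNTL: protected means writes are locked and may only be re-enabled from SMM."""
    writes_enabled = bool(bios_cntl & BIOSWE)
    lock_enabled = bool(bios_cntl & BLE)
    smm_only = bool(bios_cntl & SMM_BWP)
    return {"writes_enabled": writes_enabled, "lock_enabled": lock_enabled,
            "smm_only": smm_only,
            "protected": lock_enabled and smm_only and not writes_enabled}


def read_live_secure_boot_state() -> dict:
    """Read the real variables on a Linux host with efivarfs mounted (needs root on some distros)."""
    sb = (EFIVARS / f"SecureBoot-{GLOBAL_GUID}").read_bytes()
    sm = (EFIVARS / f"SetupMode-{GLOBAL_GUID}").read_bytes()
    return secure_boot_state(sb, sm)


if __name__ == "__main__":
    # Constructed samples: attribute mask 0x06 (BS|RT) followed by one data byte.
    print(secure_boot_state(b"\x06\x00\x00\x00\x01", b"\x06\x00\x00\x00\x00"))
    print(spi_write_protection(0x22))  # BLE|SMM_BWP set, BIOSWE clear
    print(spi_write_protection(0x02))  # BLE only: lock can be raced from the OS
```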
If you are already infected with such malware, the only way to remove the rootkit is to reflash the SPI flash memory with a clean firmware image specific to the motherboard, which is a very delicate process that must be performed manually and carefully.
As an alternative to reflashing the UEFI/BIOS, you can replace the motherboard of the compromised system outright.
"The LoJax campaign shows that high-value targets are prime candidates for the deployment of rare, even unique threats. Such targets should always be on the watch for signs of compromise," the researchers wrote.

For more in-depth details about the LoJax rootkit, you can head to the white paper [PDF], titled "LoJax: First UEFI rootkit found in the wild, courtesy of the Sednit group," published on Thursday by ESET researchers.