ESET researchers have reported what they describe as the first UEFI rootkit seen in active use in the wild. The malware lets attackers plant persistent malicious code in targeted machines that survives a full hard-drive wipe, with serious implications for affected organizations.

The malware, dubbed LoJax, is attributed to the notorious Sednit group, also known as APT28, Fancy Bear and Strontium, which has been implicated in numerous attacks on government entities, particularly in the Balkans and Central and Eastern Europe. Operating since at least 2007 and believed to be a unit of Russia's military intelligence agency, the GRU, the Sednit group is known for high-profile intrusions, including the hack of the Democratic National Committee (DNC) ahead of the 2016 U.S. presidential election.

UEFI, the Unified Extensible Firmware Interface, is the firmware that initializes a computer's hardware and hands control to the operating system at startup. It replaces the legacy BIOS with a far richer execution environment, but that environment runs before and beneath the operating system and is normally out of reach of everyday users.

LoJax works by writing a malicious UEFI module into the system's SPI flash memory, the chip that stores the firmware. Code placed there runs early in the boot process, before the operating system loads. ESET's research notes that the malware uses several techniques to abuse misconfigured platforms, or to bypass the write protections that guard the SPI flash where they are enabled, in order to get its module onto the chip. Because the rootkit lives in the firmware rather than on disk, conventional remediation such as reinstalling the OS or replacing the hard drive does not remove it. The only effective countermeasure identified so far is reflashing the firmware with a known-clean image, a process that is complex and beyond what a typical user can be expected to carry out.
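The "misconfigured platform" and "circumvent the protections" cases above come down to a handful of bits in one chipset register. The C routine below is an added illustration written for this page; it is not ESET's code and not part of the LoJax sample. It classifies the BIOS_CNTL register of an Intel PCH (bit layout per Intel's datasheets: BIOSWE bit 0, BLE bit 1, SMM_BWP bit 5) the way any firmware-writing tool must before it can touch the flash: if SMM_BWP is set, writes from outside System Management Mode are rejected in hardware; if BIOSWE is already set, the BIOS region is open; if BLE is clear, the attacker can set BIOSWE itself (the misconfigured case); and if BLE is set without SMM_BWP, the SMI handler that re-clears BIOSWE can be raced from another core (the bypass case). The register offset, device address and the sample values in main() are assumptions for illustration, not readings from a compromised machine.

```c
#include <stdint.h>
#include <stdio.h>

/* BIOS_CNTL sits at offset 0xDC in the PCI configuration space of the
 * Intel LPC/eSPI bridge (bus 0, device 31, function 0). The three bits
 * below decide whether ring-0 code can write the BIOS region of SPI flash.
 * Bit positions follow the Intel PCH datasheets (assumed here, not taken
 * from the article). */
#define BIOS_CNTL_BIOSWE   (1u << 0)  /* BIOS Write Enable: 1 = writes allowed */
#define BIOS_CNTL_BLE      (1u << 1)  /* BIOS Lock Enable: setting BIOSWE raises an SMI */
#define BIOS_CNTL_SMM_BWP  (1u << 5)  /* SMM BIOS Write Protect: writes only from SMM */

enum spi_wp_state {
    SPI_WP_PROTECTED,   /* SMM_BWP set: non-SMM writes are rejected by hardware */
    SPI_WP_WRITABLE,    /* BIOSWE already 1: the region can be written as-is */
    SPI_WP_UNLOCKED,    /* BLE clear: an attacker simply sets BIOSWE and writes */
    SPI_WP_RACE_ONLY    /* BLE set but no SMM_BWP: the SMI handler that re-clears
                           BIOSWE can be raced from another core */
};

/* Classify a raw BIOS_CNTL value: what a firmware-writing tool has to
 * determine before deciding how, or whether, it can reach the flash. */
enum spi_wp_state classify_bios_cntl(uint8_t bios_cntl)
{
    if (bios_cntl & BIOS_CNTL_SMM_BWP)
        return SPI_WP_PROTECTED;
    if (bios_cntl & BIOS_CNTL_BIOSWE)
        return SPI_WP_WRITABLE;
    if (!(bios_cntl & BIOS_CNTL_BLE))
        return SPI_WP_UNLOCKED;
    return SPI_WP_RACE_ONLY;
}

const char *spi_wp_describe(enum spi_wp_state s)
{
    switch (s) {
    case SPI_WP_PROTECTED: return "protected (SMM_BWP set)";
    case SPI_WP_WRITABLE:  return "writable right now (BIOSWE set)";
    case SPI_WP_UNLOCKED:  return "unlocked (BLE clear, BIOSWE can be set freely)";
    case SPI_WP_RACE_ONLY: return "BLE only (BIOSWE can be raced against the SMI handler)";
    }
    return "unknown";
}

int main(void)
{
    /* Constructed sample register values, not readings from a real machine.
     * On a live Linux host the byte can be read as root with
     * `setpci -s 00:1f.0 dc.B` on Intel PCH platforms. */
    static const uint8_t samples[] = { 0x00, 0x01, 0x02, 0x20, 0x22 };
    for (size_t i = 0; i < sizeof samples; i++)
        printf("BIOS_CNTL=0x%02x -> %s\n", samples[i],
               spi_wp_describe(classify_bios_cntl(samples[i])));
    return 0;
}
```

Only the SMM_BWP case is a hardware guarantee; the other three are states a kernel driver can get past, which is exactly why a firmware rootkit is feasible on older or misconfigured machines. A fuller audit also needs the SPI Protected Range registers and the flash descriptor lock, which this routine does not cover; the open-source chipsec tool's `common.bios_wp` module performs that combined check on a live system.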

First detected in early 2017, LoJax is a trojanized variant of Absolute Software's legitimate LoJack anti-theft agent. LoJack is designed to phone home so that stolen devices can be traced; the trojanized agent instead has its configuration patched so that it reports to the Sednit group's command-and-control servers rather than to Absolute Software, and the malicious UEFI module is what gives that agent its persistence. In the sample analyzed, researchers found that a component named "ReWriter_binary" was used to write a modified firmware image, containing the malicious module, back over the vendor's firmware in SPI flash.

There have been earlier examples of code designed to reside in the UEFI chip, such as the capabilities exposed by the Hacking Team leak in 2015 and the techniques described in the CIA documents published by WikiLeaks. None of them, however, had been recorded as an active UEFI rootkit in the wild the way LoJax now has.

On the defensive side, enabling Secure Boot is advised: it ensures that only properly signed components are loaded during boot, which should block the unsigned LoJax module. Secure Boot does not, however, verify the firmware image stored in SPI flash itself, so keeping firmware up to date and confirming that the chipset's SPI write protections are actually enabled matters just as much. Organizations that are already compromised face the intricate task of reflashing the firmware or, failing that, replacing the motherboards of affected systems.
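A practical check for the Secure Boot advice, added here as an example and not taken from the page or from ESET: on a Linux host the firmware exposes its SecureBoot and SetupMode variables through efivarfs, each file being a 4-byte little-endian attribute word followed by the variable data, which for these two variables is a single byte. The routine parses that layout and reports Secure Boot as enforcing only when SecureBoot is 1 and SetupMode is 0, because a platform still in Setup Mode has no enrolled platform key and performs no signature checks even if SecureBoot reads 1. The path, GUID and layout are the standard UEFI and Linux conventions; the fallback bytes used when efivarfs is absent are constructed so the logic can run offline.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define EFIVARS "/sys/firmware/efi/efivars/"
#define EFI_GLOBAL_GUID "8be4df61-93ca-11d2-aa0d-00e098032b8c"

/* efivarfs exposes each variable as a file: a 4-byte little-endian attribute
 * word followed by the raw data. SecureBoot and SetupMode are both a single
 * UINT8, so a well-formed file is exactly 5 bytes. Returns 0 on success. */
int efivar_read_u8(const uint8_t *buf, size_t len, uint8_t *out)
{
    if (buf == NULL || len != 5)
        return -1;
    *out = buf[4];
    return 0;
}

/* 1 = Secure Boot is actually enforcing, 0 = not enforcing, -1 = malformed.
 * SecureBoot=1 alone is not enough: in Setup Mode (SetupMode=1) there is no
 * platform key and the firmware does not enforce signature checks. */
int secure_boot_enforcing(const uint8_t *sb, size_t sb_len,
                          const uint8_t *sm, size_t sm_len)
{
    uint8_t secure_boot, setup_mode;
    if (efivar_read_u8(sb, sb_len, &secure_boot) != 0)
        return -1;
    if (efivar_read_u8(sm, sm_len, &setup_mode) != 0)
        return -1;
    return (secure_boot == 1 && setup_mode == 0) ? 1 : 0;
}

/* Read one efivarfs variable into buf; returns bytes read or -1 if absent. */
static long read_efivar(const char *name, uint8_t *buf, size_t cap)
{
    char path[256];
    snprintf(path, sizeof path, EFIVARS "%s-" EFI_GLOBAL_GUID, name);
    FILE *f = fopen(path, "rb");
    if (f == NULL)
        return -1;
    size_t n = fread(buf, 1, cap, f);
    fclose(f);
    return (long)n;
}

int main(void)
{
    uint8_t sb[8], sm[8];
    long sb_len = read_efivar("SecureBoot", sb, sizeof sb);
    long sm_len = read_efivar("SetupMode", sm, sizeof sm);
    if (sb_len < 0 || sm_len < 0) {
        /* No efivarfs (not UEFI, not Linux, or not root): fall back to
         * constructed sample bytes so the parsing logic still runs. */
        static const uint8_t sample_sb[5] = { 0x06, 0x00, 0x00, 0x00, 0x01 };
        static const uint8_t sample_sm[5] = { 0x06, 0x00, 0x00, 0x00, 0x00 };
        memcpy(sb, sample_sb, 5);
        memcpy(sm, sample_sm, 5);
        sb_len = sm_len = 5;
        puts("efivarfs not available; using constructed sample values");
    }
    int r = secure_boot_enforcing(sb, (size_t)sb_len, sm, (size_t)sm_len);
    printf("Secure Boot enforcing: %s\n",
           r == 1 ? "yes" : r == 0 ? "no" : "unknown (malformed variable)");
    return 0;
}
```

This tells you what the firmware will verify at boot; it says nothing about whether the firmware image in SPI flash is itself intact, which is the question a LoJax-style compromise raises. Pair it with the SPI write-protection check and a dump of the flash compared against the vendor's image when investigating a suspect host.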

The LoJax findings underscore how the threat landscape continues to evolve, particularly for high-value targets exposed to sophisticated, tailored attacks. Continuous vigilance for signs of compromise, including at the firmware level, is therefore essential for organizations seeking to harden their security posture against such threats. For an in-depth analysis of LoJax, the researchers have published a detailed white paper titled "LoJax: First UEFI rootkit found in the wild, courtesy of the Sednit group."

In conclusion, as cyber threats grow more intricate, understanding the tactics catalogued in the MITRE ATT&CK framework, such as initial access and persistence, will be critical for businesses aiming to defend their infrastructure against advanced persistent threats like the one behind the LoJax rootkit.
