Researchers from ESET who discovered the rootkit say this is the first time researchers successfully detected an actively exposed rootkit that exploits the UEFI or Unified Extensible Firmware Interface specification that defines a software interface between an operating system and platform firmware. By injecting itself this deeply into the computer, the attackers hope to achieve very strong persistence while remaining dormant and inconspicuous for long periods of time.
The Russian APT group Sednit (aka Fancy Bear and APT28) is strongly suspected to be the culprit behind the new rootkit malware program that can survive on an infected machine even if the operating system is reinstalled and the hard drive is replaced.
ESET researchers have tied the LoJax rootkit to Sednit because it shares command-and-control domains with the APT group’s SedUploader backdoor, and because systems targeted by LoJax “usually also showed signs” of not only SedUploader, but also Fancy Bear backdoor XAgent and network proxy tool Xtunnel.
Nicknamed LoJax, the UEFI rootkit has already been used to silently target government organizations in the Balkans, as well as Eastern and Central Europe, ESET has reported in both a blog post and a white paper that was presented today at an industry conference. A key component of the LoJax rootkit is a Trojan-infected version of Absolute Software’s LoJack security solution, giving it it’s nickname.
According to ESET, the attackers are using this trojanized program and combining it with a series of additional tools including RwDrv.sys, a kernel driver that can access UEFI/BIOS settings; a free utility that can read information on a computer’s low-level system settings; and a third tool that dumps said settings data into a text file.
“Since bypassing a platform’s protection against illegitimate firmware updates is highly platform-dependent, gathering information about a system’s platform is crucial,” ESET explains.
Another fabricated tool is designed to save a firmware image to a file “by reading the contents of the SPI flash memory where the UEFI/BIOS is located,” ESET continued. Yet another adds a malicious UEFI module to the firmware images and writes it back to the SPI flash memory, installing the UEFI rootkit on the system by abusing misconfigured platforms or by bypassing platform SPI flash memory write protections via an Intel BIOS vulnerability.
“The UEFI rootkit added to the firmware image has a single role: dropping the userland malware onto the Windows operating system partition and make sure that it is executed at startup,” ESET stated.
The company recommends that users protect themselves from this one of a kind UEFI rootkit threat by enabling Secure Boot, and use the most updated UEFI/BIOS and the most modern chipsets with the Platform Controller Hub.
