LoJax UEFI Rootkit Used in Cyberespionage
Security researchers from ESET came across a Unified Extensible Firmware Interface (UEFI) rootkit in the wild being used for cyberespionage. Named LoJax (detected by Trend Micro as BKDR_FALOJAK.USOMON and Backdoor.Win32.FALOJAK.AA) after the legitimate anti-theft software LoJack, the rootkit is reportedly packaged with other tools that modify the system’s firmware to infect it with malware.
ESET said that the campaign delivering LoJax targeted organizations in the Balkans as well as countries in Central and Eastern Europe.
LoJax is designed to drop malware onto the system and ensure it is executed when the computer starts up. LoJax affects UEFI, which provides an interface for the system’s operating system (OS) to connect with the firmware. As such, LoJax can persist in the UEFI even if the system’s OS is reinstalled or its hard drives replaced.
[READ: A proof-of-concept exploiting a vulnerability in Mac OS X shows show UEFI attacks on Mac are possible]
The domains in the LoJax samples the researchers analyzed were used for command-and-control (C&C) communication for the Sednit backdoor, which is used for cyberespionage.
[PRIMER: Protecting the Network Against Targeted Attacks]
LoJax isn’t the first UEFI rootkit in the wild. In fact, in 2015, the Hacking Team group used a UEFI/ basic input/output system (BIOS) rootkit to keep their malware tool (Remote Control System) installed in their targets’ systems.
And similar to Hacking Team’s UEFI/BIOS rootkit, LoJax involves various tools that entail accessing and modifying the computer’s UEFI or BIOS settings. These tools have these functions:
- Gather and dump system settings into a text file.
- Read the contents of the computer’s Serial Peripheral Interface (SPI) memory where the UEFI/BIOS is, then save it into a file (as a firmware image).
- Install the rootkit by embedding a malicious UEFI module into the saved image, then write the modified firmware back to the SPI flash memory.
The researchers also reported that an old vulnerability (CVE-2014-8273) is exploited instead if writing to SPI flash memory is disabled.
[Trend Micro 2018 Midyear Security Roundup: Serious vulnerabilities discovered in hardware make patching even more challenging]
Completely removing LoJax in the UEFI involves reflashing the SPI flash memory, which entails technical know-how (i.e., ensuring compatibility in the firmware and motherboard).
On the other hand, users can defend against LoJax by enabling Secure Boot, a security mechanism that helps ensure that a system is booted using software validly signed by original equipment manufacturers. Secure Boot, which detects and blocks tampered loaders, OS files, and other software, is shipped on most modern PCs (Windows 8 and later OSs). Since LoJax does not have a valid digital signature, Secure Boot can thwart it. Microsoft also has guidelines on configuring Secure Boot.
Organizations should also follow security best practices: Keep the endpoints and firmware patched and up to date; apply the principle of least privilege; and enforce defense in depth through security mechanisms that can thwart threats — from endpoints, networks, servers, and gateways.
Trend Micro Solutions
The Trend Micro™ Deep Discovery™ solution provides detection, in-depth analysis, and proactive response to today’s stealthy malware and targeted attacks in real time. It provides a comprehensive defense tailored to protect organizations against targeted attacks and advanced threats through specialized engines, custom sandboxing, and seamless correlation across the entire attack life cycle, allowing it to detect threats even without any engine or pattern update. Trend Micro endpoint solutions such as the Smart Protection Suites and Worry-Free Business Security solutions can protect users and businesses from threats by detecting malicious files and blocking all related malicious URLs.
Like it? Add this infographic to your site:
1. Click on the box below. 2. Press Ctrl+A to select all. 3. Press Ctrl+C to copy. 4. Paste the code into your page (Ctrl+V).
Image will appear the same size as you see above.