Security researchers at SCS have disclosed what they claim is the first UEFI rootkit found in use in the wild, one that lets attackers implant persistent malware on targeted computers that survives a complete hard-drive wipe.
Dubbed LoJax, the UEFI rootkit is part of a malware campaign run by the threat group also known as APT28, Fancy Bear, Strontium, and Sofacy, targeting several government organizations in India.
UEFI, or Unified Extensible Firmware Interface, is the replacement for the legacy BIOS: a core firmware component of a PC that bridges the hardware and the operating system at startup and is normally not accessible to users.
How Does LoJax UEFI Rootkit Work?
According to the SCS researchers, LoJax can write a malicious UEFI module into the system's SPI flash memory, which lets the firmware drop and execute malware onto the disk during the boot process.
Because the rootkit lives in the compromised UEFI firmware and re-infects the system before the operating system even boots, reinstalling the OS, formatting the hard disk, or even swapping in a brand-new drive is not enough to remove the infection.
Flashing the compromised firmware with a legitimate image is the only way to remove such a rootkit, which is usually not an easy task for most PC users.
First spotted in early 2017, LoJax is a trojanized version of LoJack, a popular legitimate laptop anti-theft product from Absolute Software. LoJack installs its agent into the system's BIOS so that it survives OS reinstallation or drive replacement and reports the device's location to its owner if the laptop is stolen.
According to the researchers, the attackers made small modifications to the LoJack code to give it the ability to write a UEFI module, and altered the background process that normally talks to Absolute Software's server so that it reports to Fancy Bear's C&C servers instead.
When analyzing the LoJax sample, researchers found that the attackers used a component called "ReWriter_binary" to rewrite vulnerable UEFI flash chips, replacing the vendor firmware code with their malicious version.
LoJax is not the first code to hide in the UEFI chip: the 2015 Hacking Team leak revealed that the notorious spyware vendor offered UEFI persistence with one of its products.
However, according to SCS, the LoJax installation uncovered by its researchers is the first recorded case of a UEFI rootkit active in the wild.
How to Protect Your Computer From Rootkits
As the SCS researchers note, there is no simple way to automatically remove this threat from a system.
Because the malicious UEFI module is not properly signed, users can protect themselves against LoJax infection by enabling Secure Boot, which ensures that every component the system firmware loads is signed with a valid certificate. Note that Secure Boot verifies what the firmware loads; it does not by itself stop an attacker with administrative access from writing to the SPI flash, so keeping the platform's firmware write-protection settings enabled and the firmware itself up to date matters as well.
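As an added example (not code from the original article or from SCS), the following POSIX shell function performs the check a Linux administrator would make before relying on the advice above: it reads the UEFI SecureBoot variable exposed through efivarfs and reports whether Secure Boot is actually enforced. The efivarfs path and GUID are the standard ones; any other file path is accepted so the parser can be exercised on a constructed copy of the variable.

```shell
#!/bin/sh
# Added example: read the UEFI "SecureBoot" variable via efivarfs on Linux.
# efivarfs exposes each variable as a file: 4 bytes of attributes followed by
# the variable's data. For SecureBoot the data is a single byte, 1 = enabled.
# The GUID below is the standard EFI global variable GUID.
SECUREBOOT_VAR=/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c

# secure_boot_state [FILE]
# Prints "enabled", "disabled" or "unavailable" and returns 0, 1 or 2.
# FILE defaults to the live efivar; another path may be given to parse a
# captured or constructed copy of the variable (used by the test below).
secure_boot_state() {
    f="${1:-$SECUREBOOT_VAR}"
    if [ ! -r "$f" ]; then
        # Not booted via UEFI, efivarfs not mounted, or no permission to read.
        echo unavailable
        return 2
    fi
    # Skip the 4-byte attribute header and read the single data byte as decimal.
    byte=$(od -An -t u1 -j 4 -N 1 "$f" | tr -d ' \n')
    case "$byte" in
        1) echo enabled;     return 0 ;;
        0) echo disabled;    return 1 ;;
        *) echo unavailable; return 2 ;;   # short or malformed variable
    esac
}

# Stand-alone use: "sh secureboot.sh --live" reports the running system's state
# and exits with the matching code (0 enabled, 1 disabled, 2 unavailable).
if [ "${1:-}" = "--live" ]; then
    secure_boot_state
    exit $?
fi
```

This only tells you whether the firmware will refuse unsigned boot components; it says nothing about whether the SPI flash itself is write-protected, which is what LoJax's rewriter tool depends on. A platform-level check such as CHIPSEC's common.bios_wp module covers that side.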
If you are already infected with such malware, the only way to remove the rootkit is to reflash the SPI flash memory with a clean firmware image specific to the motherboard, a very delicate procedure that must be performed manually and carefully.
As an alternative to reflashing the UEFI/BIOS, you can replace the motherboard of the compromised system outright.