The first-ever UEFI rootkit has been detected in the wild. According to ESET security researchers, the Sednit APT group was behind the latest campaign, which successfully installed a malicious UEFI rootkit, dubbed LoJax, on a victim's system.
ESET found at least one instance of an attacker writing the malicious UEFI module into a system's SPI flash memory.
Sednit, also known as APT28, STRONTIUM, Sofacy and Fancy Bear, has been using different LoJax components to target victims in the Balkans, as well as in Central and Eastern Europe.
Unified Extensible Firmware Interface (UEFI) has replaced traditional BIOS on PCs. UEFI is a specification that defines a software interface between an operating system and system firmware.
“This module is able to drop and execute malware on disk during the boot process. This persistence method is particularly invasive as it will not only survive an OS reinstall, but also a hard disk replacement. Moreover, cleaning a system’s UEFI firmware means re-flashing it, an operation not commonly done and certainly not by the typical user,” ESET wrote in the blog post.
Researchers further added that the LoJax campaign used multiple tools to access and patch UEFI/BIOS settings:
“All used a kernel driver, RwDrv.sys, to access the UEFI/BIOS settings. This kernel driver is bundled with RWEverything, a free utility available on the web that can be used to read information on almost all of a computer’s low-level settings, including PCI Express, Memory, PCI Option ROMs, etc. As this kernel driver belongs to legitimate software, it is signed with a valid code-signing certificate.”
How to protect from LoJax?
To help protect systems from Sednit’s unsigned UEFI rootkit, ESET recommends enabling Secure Boot.
Secure Boot is the “base defense against attacks targeting UEFI firmware”: it checks that every firmware component loaded by the firmware is properly signed, which helps ensure the integrity of the firmware.
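The two points above translate into a simple baseline check a defender can run on a Windows fleet: confirm that Secure Boot is enabled (so an unsigned firmware module like LoJax would be refused at boot), and look for the RwDrv.sys kernel driver from RWEverything that the article says the LoJax tools used, since its presence on a machine that has no business running hardware-tuning utilities is worth a look. This is an added example, not code from ESET or from the article; it assumes a UEFI-based Windows host and an elevated PowerShell session (Confirm-SecureBootUEFI requires administrator rights), and it uses only built-in cmdlets.

```powershell
# Added example (not ESET's code): defender-side baseline check for the two
# points the article raises. Assumes a Windows host with UEFI firmware and an
# elevated PowerShell session.

# 1. Is Secure Boot on? On legacy-BIOS machines Confirm-SecureBootUEFI throws,
#    so report that as "NotSupported" rather than treating it as a failure.
function Get-SecureBootState {
    try {
        if (Confirm-SecureBootUEFI) { return 'Enabled' } else { return 'Disabled' }
    } catch {
        return 'NotSupported'
    }
}

# 2. Is the RwDrv.sys driver (bundled with RWEverything) installed or running?
#    Legitimate on an engineer's workstation, unexpected on a typical fleet host.
function Find-RwEverythingDriver {
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.Name -eq 'RwDrv' -or $_.PathName -match 'RwDrv\.sys$' } |
        Select-Object Name, State, StartMode, PathName
}

$secureBoot = Get-SecureBootState
Write-Output "Secure Boot: $secureBoot"
if ($secureBoot -ne 'Enabled') {
    Write-Warning 'Unsigned firmware modules such as LoJax would not be blocked at boot.'
}

$rw = Find-RwEverythingDriver
if ($rw) {
    Write-Warning 'RwDrv.sys found; review whether RWEverything is expected on this host:'
    $rw | Format-Table -AutoSize
    # The driver carries a valid code-signing certificate (as the article notes),
    # so a signature check alone will not flag it; show the signer for context.
    $rw | ForEach-Object {
        $path = $_.PathName -replace '^\\\?\?\\', ''   # strip NT "\??\" prefix if present
        Get-AuthenticodeSignature -FilePath $path |
            Select-Object Status, @{ n = 'Signer'; e = { $_.SignerCertificate.Subject } }
    }
} else {
    Write-Output 'RwDrv.sys not present.'
}
```

Running this across a fleet turns the article's advice into two concrete signals: hosts where Secure Boot is disabled or unsupported, and hosts carrying RwDrv.sys. Neither finding is proof of compromise on its own, since the driver is legitimately signed and Secure Boot may be off for mundane reasons, but both narrow down where firmware-level inspection is worth spending time.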
More details are available in the ESET research paper ‘LOJAX: First UEFI rootkit found in the wild, courtesy of the Sednit group’.