Windows 7 Forums
Welcome to Windows 7 Forums. Our forum is dedicated to helping you find support and solutions for any problems regarding your Windows 7 PC be it Dell, HP, Acer, Asus or a custom build. We also provide an extensive Windows 7 tutorial section that covers a wide range of tips and tricks.

Windows 7: ESET discovers first LoJax UEFI rootkit malware by Sednit group

27 Sep 2018   #1

64-bit Windows 10 Pro
ESET discovers first LoJax UEFI rootkit malware by Sednit group

UEFI rootkits are widely viewed as extremely dangerous tools for implementing cyberattacks, as they are hard to detect and able to survive security measures such as operating system reinstallation and even a hard disk replacement. Some UEFI rootkits have been presented as proofs of concept; some are known to be at the disposal of (at least some) governmental agencies. However, no UEFI rootkit has ever been detected in the wild – until we discovered a campaign by the Sednit APT group that successfully deployed a malicious UEFI module on a victim’s system.

The discovery of the first in-the-wild UEFI rootkit is notable for two reasons.

First, it shows that UEFI rootkits are a real threat, and not merely an attractive conference topic.

And second, it serves as a heads-up, especially to all those who might be in the crosshairs of Sednit. This APT group, also known as APT28, STRONTIUM, Sofacy and Fancy Bear, may be even more dangerous than previously thought.

Our analysis of the Sednit campaign that uses the UEFI rootkit was presented September 27 at the 2018 Microsoft BlueHat conference and is described in detail in our “LoJax: First UEFI rootkit found in the wild, courtesy of the Sednit group” white paper. In this blog post, we summarize our main findings.

The Sednit group has been operating since at least 2004, and has made headlines frequently in past years: it is believed to be behind major, high profile attacks. For instance, the US Department of Justice named the group as being responsible for the Democratic National Committee (DNC) hack just before the US 2016 elections. The group is also presumed to be behind the hacking of global television network TV5Monde, the World Anti-Doping Agency (WADA) email leak, and many others. This group has a diversified set of malware tools in its arsenal, several examples of which we have documented previously in our Sednit white paper from 2016.

Our investigation has determined that this malicious actor was successful at least once in writing a malicious UEFI module into a system’s SPI flash memory. This module is able to drop and execute malware on disk during the boot process. This persistence method is particularly invasive as it will not only survive an OS reinstall, but also a hard disk replacement. Moreover, cleaning a system’s UEFI firmware means re-flashing it, an operation not commonly done and certainly not by the typical user.

Our research has shown that the Sednit operators used different components of the LoJax malware to target a few government organizations in the Balkans as well as in Central and Eastern Europe...

Read more: LoJax: First UEFI rootkit found in the wild, courtesy of the Sednit group

Download research paper (PDF):

My System SpecsSystem Spec
27 Sep 2018   #2
F22 Simpilot

Windows 7 Ultimate x64

And yet they say UEFI is "so secure." I always knew this would be the case and that's why I chose legacy without secure boot. Thank God my MOBO supports it. I use Truecrypt after all and it can't use UEFI. Not using Veracrypt until someone audits it and I have any possible Evil Maid attack mitigated.

I've even read that UEFI makes a connection to the damn Internet. No way would I want that prior to Windows boot.


Perhaps a MOBO manufacture should supply a UEFI/BIOS hash check on the flash storage in their included MOBO utilities.
My System SpecsSystem Spec

 ESET discovers first LoJax UEFI rootkit malware by Sednit group

Thread Tools

Similar help and support threads
Thread Forum
Malware or Rootkit infection?
I originally had a thread in BSOD but was told to come here now after getting rid of BSOD's ( Here are rouge killer and TDSS Logs RogueKiller V8.5.4 by Tigzy mail :...
System Security

Our Sites

Site Links

About Us

Find Us

Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.

Designer Media Ltd

All times are GMT -5. The time now is 05:33.
Twitter Facebook Google+