UEFI rootkits are widely viewed as extremely dangerous tools for implementing cyberattacks, as they are hard to detect and able to survive security measures such as operating system reinstallation and even a hard disk replacement. Some UEFI rootkits have been presented as proofs of concept; some are known to be at the disposal of (at least some) governmental agencies. However, no UEFI rootkit has ever been detected in the wild – until we discovered a campaign by the Sednit APT group that successfully deployed a malicious UEFI module on a victim’s system.
The discovery of the first in-the-wild UEFI rootkit is notable for two reasons.
First, it shows that UEFI rootkits are a real threat, and not merely an attractive conference topic.
And second, it serves as a heads-up, especially to all those who might be in the crosshairs of Sednit. This APT group, also known as APT28, STRONTIUM, Sofacy and Fancy Bear, may be even more dangerous than previously thought.
Our analysis of the Sednit campaign that uses the UEFI rootkit was presented September 27 at the 2018 Microsoft BlueHat conference and is described in detail in our “LoJax: First UEFI rootkit found in the wild, courtesy of the Sednit group” white paper. In this blog post, we summarize our main findings.
The Sednit group has been operating since at least 2004, and has made headlines frequently in past years: it is believed to be behind major, high profile attacks. For instance, the US Department of Justice named the group as being responsible for the Democratic National Committee (DNC) hack just before the US 2016 elections. The group is also presumed to be behind the hacking of global television network TV5Monde, the World Anti-Doping Agency (WADA) email leak, and many others. This group has a diversified set of malware tools in its arsenal, several examples of which we have documented previously in our Sednit white paper from 2016.
Our investigation has determined that this malicious actor was successful at least once in writing a malicious UEFI module into a system’s SPI flash memory. This module is able to drop and execute malware on disk during the boot process. This persistence method is particularly invasive as it will not only survive an OS reinstall, but also a hard disk replacement. Moreover, cleaning a system’s UEFI firmware means re-flashing it, an operation not commonly done and certainly not by the typical user.
Our research has shown that the Sednit operators used different components of the LoJax malware to target a few government organizations in the Balkans as well as in Central and Eastern Europe...
Read more: LoJax: First UEFI rootkit found in the wild, courtesy of the Sednit group
Download research paper (PDF): https://www.welivesecurity.com/wp-content/uploads/2018/09/ESET-LoJax.pdf
Tweet
— Twitter API (@user) View on Twitter
My Computer
At a glance
64-bit Windows 11 Pro for WorkstationsIntel i7-8700K OC'd to 5 GHz64 GB (4x16GB) G.SKILL TridentZ RGB DDR4 3600...ASUS ROG-STRIX-GTX1080TI-O11G-GAMING
- Computer type
- PC/Desktop
- Computer Manufacturer/Model Number
- Self built custom
- OS
- 64-bit Windows 11 Pro for Workstations
- CPU
- Intel i7-8700K OC'd to 5 GHz
- Motherboard
- ASUS ROG Maximus XI Formula Z390
- Memory
- 64 GB (4x16GB) G.SKILL TridentZ RGB DDR4 3600 MHz
- Graphics Card(s)
- ASUS ROG-STRIX-GTX1080TI-O11G-GAMING
- Sound Card
- Integrated
- Monitor(s) Displays
- 2 x Samsung Odyssey G7 27"
- Screen Resolution
- 2560x1440
- Hard Drives
- 1TB Samsung 990 PRO M.2,
4TB Samsung 990 PRO PRO M.2,
TerraMaster F8 SSD Plus NAS
- PSU
- Seasonic Prime Titanium 850W
- Case
- Thermaltake Core P3
- Cooling
- Corsair Hydro H115i
- Keyboard
- Logitech wireless K800
- Mouse
- Logitech MX Master 4
- Internet Speed
- 2 Gb/s Download and 100 Mb/s Upload
- Antivirus
- Malwarebyte Anti-Malware Premium
- Browser
- Google Chrome
- Other Info
- Logitech Z625 speaker system,
Logitech BRIO 4K Pro webcam,
HP Color LaserJet Pro MFP M477fdn,
APC SMART-UPS RT 1000 XL - SURT1000XLI,
Galaxy S23 Plus phone