UEFI rootkit discovered in the wild, says security vendor

Infosec pros are being warned to make sure Secure Boot is enabled on all PCs after a security vendor says it found a rootkit used in an attack that can implant persistent malware on a system during the boot process.

ESET said this week it has discovered the rootkit it dubs LoJax, because the software has been adapted from the LoJack laptop tracking application. LoJax allows the installation of a malicious module into a computer’s Unified Extensible Firmware Interface (UEFI). UEFI connects the computer’s firmware to the operating system. Eventually, experts say, it will replace the BIOS. But as the system that checks the computer, corrupting it can make it easy for an attacker to install tools that evade security detection.

Until now UEFI rootkits hadn’t been seen, but ESET says it recently discovered a campaign by the Sednit APT group that successfully deployed a malicious UEFI module on a victim’s system. Other security researchers have given Sednit group names such as Fancy Bear and APT28 and linked it to Russia’s GRU army intelligence agency.

The discovery “shows that UEFI rootkits are a real threat, and not merely an attractive conference topic,” says ESET. And, it adds, because it is in the hands of a group like Sednit organizations that might be targets — like governments or media — should be warned.

“Our investigation has determined that this malicious actor was successful at least once in writing a malicious UEFI module into a system’s SPI flash memory,” said ESET. “This module is able to drop and execute malware on disk during the boot process. This persistence method is particularly invasive as it will not only survive an OS reinstall, but also a hard disk replacement. Moreover, cleaning a system’s UEFI firmware means re-flashing it, an operation not commonly done and certainly not by the typical user.”

So far LoJax has only been used against a few government organizations in the Balkans as well as in Central and Eastern Europe, says ESET. Because Secure Boot should be enabled on recent computers it is also believed the LoJax attack only works on older chipsets.

Absolute Software is the developer of the legitimate LoJack software,

In May network performance management software provider Netscout said it had discovered several trojanized samples of LoJack’s small agent, rpcnetp.exe. Since this software’s goal is to protect a system from theft, it has to resist OS re-installation or hard drive replacement. It does that by installing itself as a UEFI/BIOS module. That would make it a good target for manipulation.

Note that LoJack comes pre-installed in the firmware of a large number of laptops in case the owners want to subscribe to the service.

ESET says the malicious LoJax includes tools that save an image of the system firmware to a file by reading the contents of the SPI flash memory where the UEFI/BIOS is located. Another tool adds a malicious UEFI module to the firmware image and write it back to the SPI flash memory, effectively installing the UEFI rootkit on the system.

The UEFI rootkit added to the firmware image has a single role: dropping the malware onto the Windows operating system partition and make sure that it is executed at startup.

What to do about it

Since Sednit’s UEFI rootkit is not properly signed the first security mechanism that could block such an attack is Secure Boot, says ESET. When Secure Boot is enabled, each and every firmware component that is loaded by the firmware needs to be properly signed, thus ensuring the integrity of the firmware. It can be enabled at boot through a system’s UEFI settings.

Second, make sure that each machine has the latest available UEFI/BIOS available for its motherboard. This may mean updating firmware, which has to be done carefully. Also, as the exploited vulnerability affects only older chipsets, make sure that critical systems have modern chipsets with the Platform Controller Hub (introduced with Intel Series 5 chipsets in 2008).

If you suspect a machine has been corrupted to remove the rootkit the SPI flash memory needs to be reflashed with a clean firmware image specific to the motherboard. Or, just replace the motherboard.

A detailed ESET white paper on LoJax can be found here.

(Correction: This story has been updated from the original to make it clear Absolute Software is the developer of LoJack. Netscout, which used to be called Arbor Networks, discovered trojanized versions of LoJack’s agent)

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com

Related Tech News

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Featured Reads