The Russian APT group Sednit (aka Fancy Bear and APT28) is strongly suspected to be the culprit behind a newly discovered rootkit that can survive on an infected machine even if the operating system is reinstalled and the hard drive is replaced, because it lives in the system's firmware rather than on disk.
ESET researchers who discovered the rootkit say this is the first time a UEFI rootkit has been detected in the wild. UEFI, the Unified Extensible Firmware Interface, is the specification that defines the software interface between an operating system and platform firmware; code implanted at that level runs before the operating system is loaded. By penetrating this deeply into the computer, the attackers hope to achieve very strong persistence while remaining unnoticed for long periods of time.
Dubbed LoJax, the rootkit has already been used to silently target government organizations in the Balkans, as well as Eastern and Central Europe, ESET reported in both a blog post and a white paper presented today at an industry conference.
A key component of LoJax is a previously reported trojanized version of Absolute Software's LoJack anti-theft agent (hence the malware's nickname). LoJack's persistence component is pre-installed in the firmware of many laptops as a UEFI/BIOS module, and the product is used to help individuals track down lost or stolen computers. LoJax borrows the same design, using a UEFI/BIOS module to keep the agent present on the machine, but its copy of the agent has been patched to contact a malicious command-and-control server instead of Absolute Software's server.
According to ESET, the attackers use this trojanized agent in conjunction with a set of additional tools. All of them rely on RwDrv.sys, a kernel driver bundled with RWEverything, a free utility that can read a computer's low-level system settings, to reach UEFI/BIOS settings from user mode. The first custom tool dumps those settings, including the platform's SPI flash write-protection configuration, into a text file. "Since bypassing a platform’s protection against illegitimate firmware updates is highly platform-dependent, gathering information about a system’s platform is crucial," ESET explained in the blog.
A second tool is designed to save a firmware image to a file "by reading the contents of the SPI flash memory where the UEFI/BIOS is located," ESET continued. A third adds the malicious UEFI module to that firmware image and writes it back to the SPI flash memory, installing the UEFI rootkit on the system either by abusing misconfigured platforms whose flash write protections were never enabled, or, where the protection is enabled, by bypassing it through a known vulnerability in the BIOS write-protection mechanism of some Intel chipsets.
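The reconnaissance step above decides which of the two installation paths applies: if the firmware never locked the flash, the attacker simply writes to it; if it did, the attacker needs the chipset weakness. The following is an added example, not code from ESET's report or from the LoJax tools, that classifies a platform's SPI flash write-protection state from the registers such a dump would contain (BIOS_CNTL, the flash status register HSFS and the Protected Range registers PR0..PR4). Bit layouts are taken from the public Intel PCH datasheets; the "NAME = 0xVALUE" dump format and the register values in `SAMPLE_DUMPS` are constructed for this example.

```python
"""Classify Intel PCH SPI flash write protection from a settings dump.

Added example; not part of the ESET write-up or the LoJax toolset.
Register bit layouts (public Intel PCH datasheets):
  BIOS_CNTL : bit 0 BIOSWE  (BIOS write enable)
              bit 1 BLE     (BIOS lock enable: setting BIOSWE raises an SMI)
              bit 5 SMM_BWP (BIOS writes only allowed while all cores are in SMM)
  HSFS      : bit 15 FLOCKDN (locks the PRx registers until the next reset)
  PR0..PR4  : bit 31 WPE, bits 28:16 limit, bits 12:0 base, both in 4 KiB units
"""
import re
from dataclasses import dataclass
from typing import Dict, Tuple

BIOSWE, BLE, SMM_BWP = 1 << 0, 1 << 1, 1 << 5
FLOCKDN = 1 << 15
PR_WPE = 1 << 31


@dataclass
class ProtectedRange:
    base: int             # first protected flash address
    limit: int            # last protected flash address (inclusive)
    write_protected: bool


def decode_pr(raw: int) -> ProtectedRange:
    """Expand a raw PRx register into flash addresses."""
    base = (raw & 0x1FFF) << 12
    limit = (((raw >> 16) & 0x1FFF) << 12) | 0xFFF
    return ProtectedRange(base, limit, bool(raw & PR_WPE))


def parse_dump(text: str) -> Dict[str, int]:
    """Parse 'NAME = 0xVALUE' lines (constructed format, one register per line)."""
    regs: Dict[str, int] = {}
    for m in re.finditer(r"^\s*([A-Z0-9_]+)\s*=\s*0x([0-9A-Fa-f]+)", text, re.M):
        regs[m.group(1)] = int(m.group(2), 16)
    return regs


def classify(regs: Dict[str, int], bios_region: Tuple[int, int]) -> str:
    """Return the protection state an attacker (or auditor) would conclude."""
    start, end = bios_region
    prs = [decode_pr(regs.get(f"PR{i}", 0)) for i in range(5)]
    # A locked PRx range covering the whole BIOS region blocks writes regardless
    # of BIOS_CNTL; without FLOCKDN the attacker can just clear the range.
    if regs.get("HSFS", 0) & FLOCKDN and any(
            p.write_protected and p.base <= start and p.limit >= end for p in prs):
        return "protected: locked PRx range covers the BIOS region"
    bc = regs.get("BIOS_CNTL", 0)
    if not bc & BLE:
        return "misconfigured: BLE clear, BIOSWE can be set and flash written"
    if not bc & SMM_BWP:
        return "vulnerable: BLE set but SMM_BWP clear (BIOSWE race window)"
    return "protected: BLE and SMM_BWP set"


# Constructed dumps for an 8 MiB flash whose BIOS region is 0x500000-0x7FFFFF.
BIOS_REGION = (0x500000, 0x7FFFFF)
SAMPLE_DUMPS = {
    "no_lock":  "BIOS_CNTL = 0x00\nHSFS = 0x0000\nPR0 = 0x00000000\n",
    "ble_only": "BIOS_CNTL = 0x02\nHSFS = 0x8000\nPR0 = 0x00000000\n",
    "prx":      "BIOS_CNTL = 0x02\nHSFS = 0x8000\nPR0 = 0x87FF0500\n",
    "smm_bwp":  "BIOS_CNTL = 0x22\nHSFS = 0x8000\nPR0 = 0x00000000\n",
}


def audit_all() -> Dict[str, str]:
    return {name: classify(parse_dump(d), BIOS_REGION) for name, d in SAMPLE_DUMPS.items()}


if __name__ == "__main__":
    for name, verdict in audit_all().items():
        print(f"{name:9s} -> {verdict}")
```

The "ble_only" case is the one the article's third tool needs the chipset vulnerability for: BLE alone only raises an SMI after BIOSWE has been set, leaving a window that the bypass abuses, whereas SMM_BWP or a locked Protected Range denies the write outright. On a live machine the same assessment can be run with the open-source CHIPSEC framework's `common.bios_wp` module rather than reading the registers by hand.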
"The UEFI rootkit added to the firmware image has a single role: dropping the userland malware onto the Windows operating system partition and making sure that it is executed at startup," the blog post stated.
ESET researchers have tied the LoJax rootkit to Sednit with "high confidence" because it shares command-and-control domains with the APT group's SedUploader backdoor, and because systems targeted by LoJax "usually also showed signs" not only of SedUploader but also of the group's XAgent backdoor and its Xtunnel network proxy tool.
The company recommends that users protect themselves from this threat by enabling Secure Boot (the rootkit's UEFI module is not properly signed), keeping the UEFI/BIOS firmware up to date, and using modern chipsets, that is, those with a Platform Controller Hub, which support the SMM-based BIOS write protection that older chipsets lack. Because the rootkit resides in SPI flash, reinstalling the operating system or replacing the disk does not remove it; the firmware must be reflashed with a clean image or the motherboard replaced.