LoJax: First UEFI rootkit found in the wild, courtesy of the Sednit group

Discussion in 'malware problems & news' started by guest, Sep 27, 2018.

  1. guest

    guest Guest

    LoJax: First UEFI rootkit found in the wild, courtesy of the Sednit group
    September 27, 2018
    https://www.welivesecurity.com/2018/09/27/lojax-first-uefi-rootkit-found-wild-courtesy-sednit-group/
    Research Paper (PDF): https://www.welivesecurity.com/wp-content/uploads/2018/09/ESET-LoJax.pdf
     
  2. Rico

    Rico Registered Member

    Joined:
    Aug 19, 2004
    Posts:
    2,286
    Location:
    Canada
    I believe it was Eset who outed Fancy Bear
     
  3. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Note that the Win 10 Secure Boot option will prevent this malware:
    the driver noted is not Microsoft driver code-signed.

    Also, based on the increased number of postings on the Eset forum regarding CompuTrace detections, Eset cannot differentiate between a legit factory install and a malicious version. Many laptops have CompuTrace installed by the manufacturer for theft-tracking purposes.
     
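    The post above rests on two conditions a defender can verify on a machine: that Secure Boot is actually enabled, and that every running kernel driver is validly signed with a Microsoft-chained signer. The script below is an added example (not from the thread, ESET or any of the linked articles); it assumes Windows PowerShell 5.1 or later on a UEFI system, run as administrator.

```powershell
# Added example: report Secure Boot state and list running kernel drivers whose
# image is not validly signed or whose signer is not Microsoft.
# Assumes Windows PowerShell 5.1+ on a UEFI machine, run from an elevated prompt.

function Get-SecureBootState {
    # Confirm-SecureBootUEFI throws on legacy BIOS / non-UEFI systems; report that as $null.
    try { Confirm-SecureBootUEFI } catch { $null }
}

function Get-SuspectLoadedDrivers {
    # Win32_SystemDriver enumerates kernel drivers; PathName may carry a \??\ prefix.
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            $path = $_.PathName -replace '^\\\?\?\\', ''
            if (-not (Test-Path -LiteralPath $path)) { return }
            # Get-AuthenticodeSignature resolves catalog-signed drivers as well on 5.1+.
            $sig    = Get-AuthenticodeSignature -LiteralPath $path
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            if ($sig.Status -ne 'Valid' -or $signer -notmatch 'Microsoft') {
                [pscustomobject]@{
                    Driver = $_.Name
                    Path   = $path
                    Status = $sig.Status
                    Signer = $signer
                }
            }
        }
}

$sb = Get-SecureBootState
if ($null -eq $sb) { 'Secure Boot: not available (legacy BIOS or non-UEFI firmware)' }
else               { "Secure Boot: $sb" }

Get-SuspectLoadedDrivers | Format-Table -AutoSize
```

    The driver list is a review queue, not a verdict: WHQL-signed third-party drivers carry a Microsoft Windows Hardware Compatibility Publisher signature and pass, while a validly but non-Microsoft signed driver will be listed and needs a manual look.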
  4. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    4,652
    Statement, in German, by the German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik; BSI):
    Stellungnahme des BSI zur Schadsoftware "LoJax"
    https://www.bsi.bund.de/DE/Presse/Pressemitteilungen/Presse2018/LoJax-Schadsoftware_28092018.html

    PS: sorry, it is in German; I couldn't find at the moment an English version at the BSI site.
     
  5. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,741
    Location:
    UK
    According to a search, the English translation of the quoted text appears to be:

    To be able to install LoJax at all, however, an offender must already have taken control of the computer, for example by exploiting known vulnerabilities in the operating system.
     
  6. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    4,652
    Yes, I think that that is it.
     
  7. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    This is not 100% accurate. For example, its components could be bundled in a software installer you downloaded which would allow the driver to be installed w/o issue.
     
  8. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    4,652
    Most likely there is no need to post more links now, but I do it anyway:
    https://www.theregister.co.uk/2018/09/28/uefi_rootkit_apt28/
    https://arstechnica.com/information...aptop-security-software-hijacked-by-russians/

    ---

    And the thread at the Eset forum:
    https://forum.eset.com/topic/16998-uefi-rootkit-lojax/

    From there a quote by Peter Randziak of Eset:
     
  9. guest

    guest Guest

    Cybaze ZLab- Yoroi team spotted a new variant of the APT28 Lojax rootkit
    November 16, 2018
    https://securityaffairs.co/wordpress/78085/malware/apt28-lojax-variant.html
     
  10. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    163,838
    Location:
    Texas