LoJax: First UEFI rootkit found in the wild, courtesy of the Sednit group

Discussion in 'malware problems & news' started by mood, Sep 27, 2018.

  1. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    20,834
    LoJax: First UEFI rootkit found in the wild, courtesy of the Sednit group
    September 27, 2018
    https://www.welivesecurity.com/2018/09/27/lojax-first-uefi-rootkit-found-wild-courtesy-sednit-group/
    Research Paper (PDF): https://www.welivesecurity.com/wp-content/uploads/2018/09/ESET-LoJax.pdf
     
  2. Rico

    Rico Registered Member

    Joined:
    Aug 19, 2004
    Posts:
    1,939
    Location:
    Texas
    I believe it was Eset who outed Fancy Bear
     
  3. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    7,733
    Location:
    U.S.A.
    Note that Win 10 secure boot option will prevent this malware:
    The driver noted is not Microsoft driver code signed.

    Also based on the increased number of postings on the Eset forum in regards to CompuTrace detections, Eset cannot differentiate between a legit factory install and a malicious version. Many laptops have CompuTrace installed by the manufacturers for theft tracking purposes.
     
  4. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    3,545
    Statement, in German, by the German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik; BSI):
    Stellungnahme des BSI zur Schadsoftware "LoJax"
    https://www.bsi.bund.de/DE/Presse/Pressemitteilungen/Presse2018/LoJax-Schadsoftware_28092018.html

    PS: sorry, it is in German; I couldn't find at the moment an English version at the BSI site.
     
  5. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,741
    Location:
    UK
    According to a search, the English translation of the quoted text appears to be:

    To be able to install LoJax at all, however, an offender must already have taken control of the computer, for example by exploiting known vulnerabilities in the operating system.
     
  6. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    3,545
    Yes, I think that that is it.
     
  7. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    7,733
    Location:
    U.S.A.
    This is not 100% accurate. For example, its components could be bundled in a software installer you downloaded which would allow the driver to be installed w/o issue.
     
  8. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    3,545
    Most likely not needed to post now anymore some more links but I do it anyway:
    https://www.theregister.co.uk/2018/09/28/uefi_rootkit_apt28/
    https://arstechnica.com/information...aptop-security-software-hijacked-by-russians/

    ---

    And the thread at the Eset forum:
    https://forum.eset.com/topic/16998-uefi-rootkit-lojax/

    From there a quote by Peter Randziak of Eset:
     
  9. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    20,834
    Cybaze ZLab- Yoroi team spotted a new variant of the APT28 Lojax rootkit
    November 16, 2018
    https://securityaffairs.co/wordpress/78085/malware/apt28-lojax-variant.html
     
  10. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    80,055
    Location:
    Texas
Loading...
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.