October 4, 2018 By David Bisson 2 min read

For the first time ever, researchers discovered a Unified Extensible Firmware Interface (UEFI) rootkit in the wild that they believe the Sednit advanced persistent threat (APT) group used to execute LoJax malware.

Researchers at ESET observed an attack campaign distributing LoJax and three types of tools. The first component dumped system information into a text file. The second tool read the contents of the Serial Peripheral Interface (SPI) flash memory to save an image of the system’s firmware. The third wrote a UEFI module to the SPI flash memory and installed a UEFI rootkit that’s responsible for dropping LoJax onto the machine.

All Signs Point to Sednit

LoJax is a Trojanized version of LoJack, antitheft software that uses a UEFI and Basic Input/Output System (BIOS) module to help it resist operating system (OS) reinstallations and hard drive replacements. LoJax uses this same persistence method but calls to a malicious command-and-control (C&C) server.

ESET recognized some of the domains used by LoJax as those employed by SedUploader, the first-stage backdoor of Sednit. This discovery, along with other evidence, led ESET to attribute the campaign and UEFI rootkit to the APT group.

The UEFI rootkit used to distribute LoJax may be the first of its kind discovered in the wild, but researchers have uncovered others like it outside of active attack campaigns. Back in 2015, McAfee found a UEFI-based rootkit in the Hacking Team data breach. Individuals have also disclosed proof-of-concept UEFI rootkits on YouTube.

How to Defend Against LoJax Malware and UEFI Rootkits

According to ESET, organizations can defend themselves against LoJax malware and UEFI rootkits by enabling Secure Boot. The researchers also urged security teams to use the latest UEFI/BIOS available for their motherboard. Updating UEFI/BIOS can result in performance degradation, so security professionals should consult their application vendors to determine the potential impact on their environments.
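One way to verify the Secure Boot recommendation above across a Linux fleet is to read the UEFI `SecureBoot` and `SetupMode` variables from efivarfs. The script below is an added example, not ESET's tooling or code from the article; it assumes a UEFI system with `/sys/firmware/efi/efivars` mounted, and the parsing functions are separated from the filesystem read so they can be exercised on constructed bytes.

```python
"""Report the UEFI Secure Boot state from Linux efivarfs (added example)."""
from __future__ import annotations

import struct
from pathlib import Path

# EFI_GLOBAL_VARIABLE GUID: the namespace of SecureBoot and SetupMode.
EFI_GLOBAL_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFIVARS = Path("/sys/firmware/efi/efivars")


def parse_efivar(raw: bytes) -> tuple[int, bytes]:
    """efivarfs files start with a 4-byte little-endian attribute mask,
    followed by the variable's data payload."""
    if len(raw) < 4:
        raise ValueError("efivar file too short to contain an attribute header")
    (attrs,) = struct.unpack_from("<I", raw, 0)
    return attrs, raw[4:]


def secure_boot_state(secure_boot: bytes, setup_mode: bytes) -> str:
    """Classify the platform from the data payloads of both variables.
    SecureBoot=1 only counts when SetupMode=0; in setup mode no platform
    key is enrolled, so unsigned firmware modules would not be rejected."""
    sb = secure_boot[0] if secure_boot else 0
    sm = setup_mode[0] if setup_mode else 1
    if sm == 1:
        return "setup-mode"
    return "enabled" if sb == 1 else "disabled"


def read_var(name: str) -> bytes | None:
    """Return the data payload of a global UEFI variable, or None if absent."""
    path = EFIVARS / f"{name}-{EFI_GLOBAL_GUID}"
    if not path.exists():
        return None
    return parse_efivar(path.read_bytes())[1]


def check_host() -> str:
    """Secure Boot state of this machine; a missing variable usually means
    a legacy BIOS boot or efivarfs not mounted, which deserves follow-up."""
    sb = read_var("SecureBoot")
    if sb is None:
        return "no-efivars"
    return secure_boot_state(sb, read_var("SetupMode") or b"\x00")


if __name__ == "__main__":
    print(check_host())
```

A host reporting anything other than "enabled" is a candidate for the firmware update and Secure Boot enablement steps recommended above.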

Sources: ESET, McAfee, YouTube
