ESET Research has published a paper detailing the discovery of a malware campaign that has been running since at least early 2017 and capable of surviving the re-installation of the Windows operating system or even hard drive replacement.
Dubbed “LoJax,” the malware is the first case of an attack leveraging the Unified Extensible Firmware Interface (UEFI) boot system being used in an attack by an adversary. It is believed to have been penned by the Sednit/Fancy Bear/APT 28 threat group—the Russian state-sponsored operation tied by US intelligence and law enforcement to the cyber-attack on the Democratic National Committee.
LoJax was built to be deployed remotely, using malware tools that can read and overwrite parts of the UEFI firmware’s flash memory.
“Along with the LoJax agents,” ESET researchers noted, “tools with the ability to read systems’ UEFI firmware were found, and in one case, this tool was able to dump, patch and overwrite part of the system’s SPI flash memory. This tool’s ultimate goal was to install a malicious UEFI module on a system whose SPI flash memory protections were vulnerable or misconfigured”.
While LoJax shows all the hallmarks of a state-funded attack, the Fancy Bear team borrowed from a commercial software product that was purpose-built to stay active in a computer’s firmware. LoJax’s rootkit is essentially a modified version of a 2008 release of the LoJack anti-theft agent from Absolute Software, known at release as Computrace.
“LoJack attracted a lot of attention in recent years as it implements a UEFI/BIOS module as a persistence mechanism,” the ESET team wrote. That firmware module ensured a software “small agent” stayed installed on the computer, which connected to an Absolute Web server—even if the computer had its drive wiped. In other words, Computrace was a commercially developed firmware rootkit.