Published in News

Rootkit hits Windows Unified Extensible Firmware Interface

by on02 January 2019

Found by Sednit hunters

Insecurity experts hunting cyber-spy outfit Sednit have discovered the first instance of a rootkit targeting the Windows Unified Extensible Firmware Interface (UEFI) in successful attacks.

According to Threatpost Frédéric Vachon, a malware researcher at ESET published a technical write-up on his findings and said that finding a rootkit targeting a system’s UEFI was significant.

It means that rootkit malware programs can survive on the motherboard’s flash memory, giving it persistence and stealth.

“UEFI rootkits have been researched and discussed heavily in the past few years, but sparse evidence has been presented of real campaigns actively trying to compromise systems at this level”, he said.

Nicknamed LoJax the rootkit is a modified version of Absolute Software’s LoJack recovery software for laptops. The legitimate LoJack software was supposed to help victims of a stolen laptop be able to access their PC without tipping off the bad guys who stole it. It hides on a system’s UEFI and stealthily beacons its whereabouts back to the owner for possible physical recovery of the laptop.

Absolute Software’s code dates to a vulnerable 2009 version, which had several key bugs which allowed Sednit to customise a single byte that contains the domain information for the legitimate software to connect to to download the recovery software.

The infection chain is typical: An attack begins with a phishing email or equivalent, successfully tricking a victim into downloading and executing a small rpcnetp.exe dropper agent. The rpcnetp.exe installs and reaches out to the system’s Internet Explorer browser, which is used to communicate with the configured domains.

“Once I have a foothold on the machine I can use this tool to deploy the UEFI rootkit”. Vachon explained, adding that the hacker tool takes advantage firmware vendors allowing remote flashing. “UEFI rootkit is located in the BIOS region of the serial peripheral interface (SPI) flash memory”, he said.

Last modified on 02 January 2019
Rate this item
(0 votes)

Read more about: