A security researcher from ESET has discovered the first Unified Extensible Firmware Interface (UEFI) rootkit found in the wild, dubbed "LoJax". Notably, this malware was first used by the Advanced Persistent Threat (APT) group Sednit, also known as APT28, STRONTIUM, Sofacy, and Fancy Bear.
This elite hacking group mainly uses the malware to target the Central and Eastern Europe zone and other government organizations as well.
The researcher noted that this UEFI rootkit is bundled with tools that can patch a victim's system firmware so that the malware is installed deep in the system targeted by LoJax. ESET claimed that the rootkit was successfully used once to write a malicious UEFI module into a system's SPI flash memory, with the module capable of executing malware on disk during the boot process.
Sednit has been linked to several high-profile cyber attacks across the globe, including the Democratic National Committee (DNC) hack. It has been pointed out that the group is sponsored by the Russian government. Recently, Microsoft also seized several Russian-operated websites spoofing U.S. conservative groups.
An ESET expert says the UEFI rootkit is not properly signed, which means any attack using this malware can be blocked by the Secure Boot mechanism. It is therefore recommended to enable Secure Boot so that each component loaded by the firmware must be properly signed.
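The recommendation above only helps if Secure Boot is actually enforced, so the first thing a defender wants is a quick way to confirm the state on a host. The script below is an added example and is not code from ESET or from the original article. On Linux, the firmware exposes the `SecureBoot` variable through efivarfs at the path in `EFIVAR` (the GUID is the standard EFI global-variable GUID); the file holds four attribute bytes followed by a single data byte, where `1` means Secure Boot is enforced and `0` means it is off. The function takes the file path as a parameter so it can be exercised on constructed sample files as well as on the real variable. On Windows the equivalent check is the `Confirm-SecureBootUEFI` PowerShell cmdlet.

```shell
#!/bin/sh
# Added example (not from the article): decode the UEFI SecureBoot variable
# exposed by efivarfs on Linux and report whether Secure Boot is enforced.
# Layout of the efivarfs file: 4 bytes of variable attributes, then the data
# byte (0x01 = enabled, 0x00 = disabled).

EFIVAR="/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"

# secure_boot_state FILE
# Prints "enabled", "disabled" or "unknown" (file missing/unreadable or odd value).
secure_boot_state() {
    f="$1"
    [ -r "$f" ] || { echo unknown; return 0; }
    # Skip the 4 attribute bytes (-j 4) and read exactly one byte (-N 1)
    # as an unsigned decimal; od pads with spaces, so strip them.
    val=$(od -An -t u1 -j 4 -N 1 "$f" 2>/dev/null | tr -d ' ')
    case "$val" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown ;;
    esac
}

# make_sample DIR NAME BYTE
# Writes a constructed efivarfs-style file (attributes 0x06 = BS|RT, then BYTE)
# so the decoder can be exercised on a machine without UEFI or efivarfs.
make_sample() {
    printf '\006\000\000\000%b' "$3" > "$1/$2"
}

# Demo on constructed samples, then on the live variable if present.
demo_dir=$(mktemp -d)
make_sample "$demo_dir" sb_on  '\001'
make_sample "$demo_dir" sb_off '\000'
echo "sample sb_on : $(secure_boot_state "$demo_dir/sb_on")"    # enabled
echo "sample sb_off: $(secure_boot_state "$demo_dir/sb_off")"   # disabled
echo "this host    : $(secure_boot_state "$EFIVAR")"
rm -rf "$demo_dir"
```

Anything other than `enabled` on a production host means the firmware will load an unsigned module such as the one described above without complaint; `unknown` on a machine that booted in legacy BIOS mode is expected, because there is no UEFI variable store to read.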