A team of security analysts has discovered a dangerous new weapon used by hackers, the Lojax UEFI rootkit, which is apparently the first of its kind to be used against users in the wild. The collected information shows that it is operated by the Sednit hacking group against high-profile targets in Europe.
The Lojax UEFI Rootkit Used Against Targets in Europe
Another dangerous weapon used by criminals has been discovered in an ongoing attack. The group behind it is the Sednit collective of hackers, who have initiated a campaign against companies and individuals in Central and Eastern Europe. The main payload is called Lojax (the name is derived from LoJack, the legitimate anti-theft software it abuses) and is a UEFI rootkit, one of the most dangerous types of malware.
By definition this is malicious code that infects the UEFI firmware that controls the boot-up process. Such rootkits are very difficult to detect and remove; a particularly dangerous consequence is that many of them survive operating system reinstallation and even physical disk replacement.
It appears that the threat originates from a trojanized sample of LoJack, an anti-theft solution from a legitimate developer. It is designed to monitor the host computer and report any incidents. It is implemented as a UEFI/BIOS module, and the solution comes pre-installed in the firmware of many computers, awaiting manual activation by the user.
Malicious samples of the Lojax UEFI rootkit were first detected in May 2018; they communicated with a malicious server instead of the legitimate one. The initial campaign targeted mainly the Balkans, Eastern Europe and countries in Central Europe. At this point the hackers were found to have made a Trojan derivative of the legitimate solution.
Further investigation into the matter revealed that several components are part of the infection:
- SedUploader — A first-stage backdoor responsible for the initial infection.
- XAgent — The main backdoor and core malicious engine.
- Xtunnel — A network tunnel that relays traffic between the C&C server and the infected host.
In practice the Lojax UEFI rootkit gives hackers low-level access to the compromised computers, which is a critical risk. An infection allows it to deliver and execute malware before the operating system boots and before security mechanisms are started.
Users can protect themselves by enabling the Secure Boot option. When it is enabled, each firmware component that is part of the boot process needs to be signed and verified. This is the recommended base defense against possible Lojax UEFI rootkit infections. Users are also advised to monitor for and apply the latest firmware patches from their motherboard vendors.
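As an added example (not code from the original article), here is a Python check of the Secure Boot state on a Linux host, parsing the efivarfs records the firmware exposes. It reads the standard UEFI `SecureBoot` and `SetupMode` variables under the EFI global variable GUID; the sample byte strings are constructed to show the three cases.

```python
from pathlib import Path
from typing import Dict, Tuple

EFIVARS = Path("/sys/firmware/efi/efivars")
# GUID of the EFI global variable namespace (EFI_GLOBAL_VARIABLE).
EFI_GLOBAL_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"


def parse_efivar(raw: bytes) -> Tuple[int, bytes]:
    """Split an efivarfs record into (attributes, data).

    efivarfs prefixes the variable payload with a 4-byte little-endian
    attribute word; reading the raw file without stripping it is a common
    mistake that makes a disabled Secure Boot look like an enabled one.
    """
    if len(raw) < 4:
        raise ValueError("efivarfs record too short")
    return int.from_bytes(raw[:4], "little"), raw[4:]


def secure_boot_state(secureboot_raw: bytes, setupmode_raw: bytes) -> Dict[str, bool]:
    """Decide whether Secure Boot is actually enforcing signature checks.

    SecureBoot == 1 alone is not enough: if SetupMode == 1 the firmware
    holds no enrolled keys and verification is not enforced.
    """
    _, sb = parse_efivar(secureboot_raw)
    _, sm = parse_efivar(setupmode_raw)
    enabled = bool(sb) and sb[0] == 1
    setup_mode = bool(sm) and sm[0] == 1
    return {
        "enabled": enabled,
        "setup_mode": setup_mode,
        "enforcing": enabled and not setup_mode,
    }


def read_live_state() -> Dict[str, bool]:
    """Read the real variables; raises FileNotFoundError on BIOS/legacy boots."""
    sb = (EFIVARS / f"SecureBoot-{EFI_GLOBAL_GUID}").read_bytes()
    sm = (EFIVARS / f"SetupMode-{EFI_GLOBAL_GUID}").read_bytes()
    return secure_boot_state(sb, sm)


# Constructed samples: 4-byte attribute word (BS|RT access = 0x06) + 1 data byte.
SAMPLE_ON = b"\x06\x00\x00\x00\x01"
SAMPLE_OFF = b"\x06\x00\x00\x00\x00"

if __name__ == "__main__":
    print(secure_boot_state(SAMPLE_ON, SAMPLE_OFF))   # enforcing
    print(secure_boot_state(SAMPLE_ON, SAMPLE_ON))    # enabled but in setup mode
```

On Windows the equivalent check is the built-in `Confirm-SecureBootUEFI` PowerShell cmdlet.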