LoJax: First UEFI Malware seen in the Wild

Most hackers and threat actors are content to copy the work of others, which means that most of the world’s cyber-attack campaigns are conducted using tried and tested tactics and existing, if slightly modified, malware variants. When a new and original method of attack becomes apparent, the InfoSec community certainly takes note. Security researchers at ESET have the community’s attention with their report on LoJax.

LoJax is possibly the first case of a threat actor leveraging the Unified Extensible Firmware Interface (UEFI) boot system in an attack. In summary, the malware uses repurposed commercial software to create a backdoor in a computer’s firmware. The campaign using the malware has been active since 2017, and the implant is capable of surviving a re-installation of the Windows operating system or even a hard drive replacement. While the malware had been spotted previously, ESET’s research is the first to show that it was actively attacking the firmware of computers to establish a tenacious foothold. What’s more, ESET has attributed the spread of the malware to Sednit, also known as FancyBear, the Russian state-sponsored operation tied by US intelligence and law enforcement to the cyber-attack on the Democratic National Committee.

UEFI and its Security Concerns

The Unified Extensible Firmware Interface, known simply as UEFI, is a specification for the software that connects a computer's firmware to its operating system. UEFI is seen by the tech industry as the eventual replacement for BIOS. Like BIOS, UEFI is installed at the time of manufacturing and is the first program that runs when a computer is turned on. It checks which hardware components the computing device has, initialises them and hands them over to the operating system so that the user can use them. The new specification addresses many of the limitations of BIOS, including restrictions on hard disk partition size and the amount of time BIOS takes to perform its tasks.


While UEFI is set to replace BIOS, a number of security concerns have been raised about it. Dick Wilkins and Jim Mortensen of firmware developer Phoenix Technologies stated in a presentation at UEFI Plugfest last year:

“Firmware is software and is therefore vulnerable to the same threats that typically target software.”

Many have compared UEFI to a lightweight operating system, which in turn makes it susceptible to rootkits: sets of software tools that enable an unauthorized user to gain control of a computer system without being detected.

LoJax and its Authors

According to ESET, LoJax shows many of the traits of a state-funded campaign. While it may be the first case of UEFI malware in the wild, its authors took the key infrastructure components from a commercial software product designed to stay active in a computer’s firmware. LoJax’s rootkit is essentially a modified version of a 2008 release of the LoJack anti-theft agent from Absolute Software, known at release as Computrace. The authors of LoJax are not the only threat actors who saw the illicit possibilities offered by Computrace: Arbor Networks discovered trojanized samples of modified LoJack modules. In both instances, the module of interest creates a “small agent” which ensures the agent remains installed on the target computer. Of particular interest to malware authors is that the protocols used by the client associated with LoJack/Computrace had no authentication, which means a threat actor could hijack the client to their own ends. While researchers raised this issue in 2014, it took four years for someone to exploit these concerns.

The exploitation of these gaps in security is beyond the reach of the run-of-the-mill hacker. While it is not impossible for an individual to do, the creation of such malware is generally the work of well-funded state actors like FancyBear. ESET was very clear in its attribution, which is based on the use of tactics and tools already known to be used by FancyBear, with the security firm listing previous reports as evidence. To highlight the seriousness of this campaign, ESET concluded:

“UEFI rootkits are one of the most powerful tools in an attacker’s arsenal as they are persistent across OS re-install and hard disk changes and are extremely difficult to detect and remove. While it is hard to modify a system’s UEFI image, few solutions exist to scan system’s UEFI modules and detect malicious ones. Moreover, cleaning a system’s UEFI firmware means re-flashing it, an operation not commonly done and certainly not by the average user. These advantages explain why determined and resourceful attackers will continue to target systems’ UEFI.”

FancyBear and the GRU

Russian hackers, state-sponsored or otherwise, are never far from a headline or two. At the time of writing, this maxim proved true once again. On October 4, 2018, the BBC reported that the British government had accused Russia's military intelligence service (GRU) of being behind four high-profile cyber attacks. The British government’s National Cyber Security Centre has also associated FancyBear, or Sednit, with the Russian military intelligence service. In an interview with the media, British Foreign Secretary Jeremy Hunt said:

“The GRU's actions are reckless and indiscriminate: they try to undermine and interfere in elections in other countries; they are even prepared to damage Russian companies and Russian citizens. This pattern of behavior demonstrates their desire to operate without regard to international law or established norms and to do so with a feeling of impunity and without consequences.”

Further, the Foreign Secretary added, “Our message is clear: together with our allies, we will expose and respond to the GRU's attempts to undermine international stability.” Given the climate between Russia, the UK, and many other Western countries, this is neither the first nor the last time the cyber-espionage war between these nations will make headlines and be brought into the public spotlight.
