A rootkit is a piece of software that hides itself on computer systems, and uses its root or administrator-level privileges to steal and alter documents, spy on users, and cause other mischief and headaches. A UEFI rootkit lurks in the motherboard firmware, meaning it starts up before the operating system and antivirus suites run, allowing it to bury itself deep in an infected machine, undetected and with high-level access privileges.
According to infosec biz ESET, a firmware rootkit dubbed LoJax targeted Windows PCs used by government organizations in the Balkans as well as in central and eastern Europe. The chief suspects behind the software nasty are the infamous Fancy Bear (aka Sednit aka Sofacy aka APT28) hacking crew, elsewhere identified as a unit of Russian military intelligence.
That’s the same Fancy Bear that’s said to have hacked the US Democratic Party’s servers, French telly network TV5, and others.
The malware is based on an old version of a legit application by Absolute Software called LoJack for Laptops, which is typically installed on notebooks by manufacturers so that stolen devices can be found.
Once up and alive, LoJax contacts command-and-control servers that are disguised as normal websites and are known to be operated by Russian intelligence. It then downloads its orders to carry out.
This persistence method is particularly invasive as it will not only survive an OS reinstall, but also a hard disk replacement. Moreover, cleaning a system’s UEFI firmware means re-flashing it, an operation not commonly done and certainly not by the typical user.
There are firmware settings that thwart the flash installation simply by blocking write operations. On Intel platforms they are three bits in the chipset's BIOS control register: if BIOS write-enable (BIOSWE) is off, BIOS lock-enable (BLE) is on, and SMM BIOS write-protection (SMM_BWP) is on, then the malware can't write itself to the motherboard's SPI flash storage. Leave any one of the three in the wrong state and code running in the OS kernel has a route to the flash chip.
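To make the three settings concrete, here is an added example (written for this page, not code from the article or from ESET) that decodes a raw BIOS_CNTL byte and says whether the flash is actually locked. The bit positions are Intel's (BIOSWE bit 0, BLE bit 1, SMM_BWP bit 5, register at PCI config offset 0xDC of the LPC bridge); the sample values fed to it are constructed, not readings from a real machine. The "race-prone" verdict for BLE set without SMM_BWP reflects the known race against the SMI handler that clears BIOSWE (the "Speed Racer" technique), which is why all three bits matter rather than just BLE.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Bit layout of the Intel PCH BIOS_CNTL register (LPC bridge, PCI config
 * offset 0xDC). These are the three settings the article names.
 */
#define BIOSWE   (1u << 0)  /* BIOS Write Enable: flash writes allowed right now  */
#define BLE      (1u << 1)  /* BIOS Lock Enable: setting BIOSWE raises an SMI     */
#define SMM_BWP  (1u << 5)  /* SMM BIOS Write Protect: writes only from inside SMM */

typedef enum {
    FLASH_PROTECTED,   /* BIOSWE=0, BLE=1, SMM_BWP=1: the state the article calls for   */
    FLASH_WRITABLE,    /* BIOSWE=1: ring-0 code can program the flash immediately        */
    FLASH_UNLOCKED,    /* BLE=0: nothing stops ring-0 code from simply setting BIOSWE    */
    FLASH_RACE_PRONE   /* BLE=1, SMM_BWP=0: the SMI handler clearing BIOSWE can be raced */
} flash_state_t;

/* Classify a raw BIOS_CNTL byte; only the three bits above are inspected. */
flash_state_t classify_bios_cntl(uint8_t bios_cntl)
{
    if (bios_cntl & BIOSWE)
        return FLASH_WRITABLE;
    if (!(bios_cntl & BLE))
        return FLASH_UNLOCKED;
    if (!(bios_cntl & SMM_BWP))
        return FLASH_RACE_PRONE;
    return FLASH_PROTECTED;
}

/* True only for the fully locked-down configuration. */
int flash_is_write_protected(uint8_t bios_cntl)
{
    return classify_bios_cntl(bios_cntl) == FLASH_PROTECTED;
}

const char *flash_state_name(flash_state_t s)
{
    switch (s) {
    case FLASH_PROTECTED:  return "PROTECTED (BIOSWE=0, BLE=1, SMM_BWP=1)";
    case FLASH_WRITABLE:   return "WRITABLE (BIOSWE=1)";
    case FLASH_UNLOCKED:   return "UNLOCKED (BLE=0, BIOSWE can simply be set)";
    case FLASH_RACE_PRONE: return "RACE-PRONE (BLE=1 but SMM_BWP=0)";
    }
    return "?";
}

int main(void)
{
    /* Constructed sample register values, not readings from any real machine. */
    const uint8_t samples[] = { 0x22, 0x02, 0x00, 0x01, 0x23 };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("BIOS_CNTL=0x%02x -> %s\n", samples[i],
               flash_state_name(classify_bios_cntl(samples[i])));
    return 0;
}
```

On a Linux box with the LPC bridge at the usual 00:1f.0, the real byte can be read with `setpci -s 00:1f.0 0xdc.b` and fed to the function above. Note that this snippet checks only BIOS_CNTL; a full audit (for example chipsec's `common.bios_wp` module) also inspects the flash protected-range registers, which this example deliberately ignores.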
Alternatively, re-flashing the firmware with a known-good image and wiping the disk will get rid of this particular rootkit strain. Wiping the disk alone will not: the UEFI module survives and simply drops its payload onto the fresh install.
Modern systems should be able to resist malicious firmware overwrites, we're told, although ESET said it found at least one machine on which LoJax had succeeded in writing its module into the PC's SPI flash.
“While it is hard to modify a system’s UEFI image, few solutions exist to scan a system’s UEFI modules and detect malicious ones,” wrote Team ESET. “Moreover, cleaning a system’s UEFI firmware means re-flashing it, an operation not commonly done and certainly not by the average user. These advantages explain why determined and resourceful attackers will continue to target systems’ UEFI.”