First UEFI rootkit spotted in the wild

Posted on Tuesday, October 02 2018 @ 15:22 CEST by Thomas De Maesschalck
ESET security researchers reveal hackers are actively using a rootkit that targets the Unified Extensible Firmware Interface (UEFI). The benefit of hiding malware in UEFI is that it's very hard to spot, as well as difficult to remove. This sort of malware doesn't care whether you reinstall your operating system or switch to a new HDD/SSD, as it resides in the SPI flash memory on your motherboard, where the UEFI firmware is located.

The UEFI malware is linked to Fancy Bear (also known as APT28, Pawn Storm, Sofacy Group, Sednit and STRONTIUM), a threat group that may have ties with the Russian military intelligence agency GRU. Bleeping Computer has more details about the rootkit over here.
The researchers named the rootkit LoJax, after the malicious samples of the LoJack anti-theft software that were discovered earlier this year. That hijacking operation of the legitimate software was also the work of APT28.

"On systems that were targeted by the LoJax campaign, we found various tools that are able to access and patch UEFI/BIOS settings," ESET says in a report shared with BleepingComputer.
The site suggests you can protect yourself against LoJax by switching on Secure Boot. Overall, the risk for average users is low, as LoJax is aimed at high-value targets.
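Since the article names Secure Boot as the mitigation, here is an added defender-side check (not from the article, ESET or BleepingComputer) that reads the UEFI SecureBoot and SetupMode variables through the Linux efivarfs; it assumes efivarfs is mounted at /sys/firmware/efi/efivars and uses the standard EFI global variable GUID.

```shell
#!/bin/sh
# Added example: report whether this machine booted with Secure Boot actually enforced.
# Assumption: Linux with efivarfs mounted at the default path (override with EFIVARS=...).
EFIVARS=${EFIVARS:-/sys/firmware/efi/efivars}
GLOBAL_GUID=8be4df61-93ca-11d2-aa0d-00e098032b8c   # EFI_GLOBAL_VARIABLE GUID

# efivarfs files begin with 4 bytes of variable attributes, then the variable data.
# Print the first data byte as a decimal number, or "missing" if the variable is absent/empty.
efivar_first_byte() {
    f=$1
    [ -r "$f" ] || { echo missing; return; }
    v=$(od -An -t u1 -j 4 -N 1 "$f" | tr -d ' ')
    [ -n "$v" ] && echo "$v" || echo missing
}

# Secure Boot only counts as enforced when SecureBoot=1 AND SetupMode=0.
# SetupMode=1 means the platform keys are not enrolled, so nothing is verified
# even if the SecureBoot flag reads as on.
secure_boot_state() {
    dir=${1:-$EFIVARS}
    sb=$(efivar_first_byte "$dir/SecureBoot-$GLOBAL_GUID")
    sm=$(efivar_first_byte "$dir/SetupMode-$GLOBAL_GUID")
    case "$sb:$sm" in
        1:0)       echo enabled ;;
        1:*)       echo setup-mode ;;
        missing:*) echo unknown ;;      # legacy BIOS boot or efivarfs not mounted
        *)         echo disabled ;;
    esac
}

# Human-readable report for interactive use: sh thisfile.sh && report
report() {
    echo "Secure Boot: $(secure_boot_state)"
}
```

Secure Boot verifies what the firmware loads, not the firmware image itself; verifying the SPI flash contents means dumping them (for example with flashrom or chipsec) and comparing against the vendor's image.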


About the Author

Thomas De Maesschalck

Thomas has been messing with computers since early childhood and firmly believes the Internet is the best thing since sliced bread. Enjoys playing with new tech, is fascinated by science, and passionate about financial markets. When not behind a computer, he can be found with running shoes on or lifting heavy weights in the weight room.


