I made an account just to give everyone a little heads up ... I actually laughed out loud when I saw this article published ... Because I have been battling ... No, getting rofl stomped for almost 6 months trying to regain the nearly brand new high end hardware that initially got hit with one of these UEFI rootkit/bootkits ... Which I have come to suspect is a code implant in the SPI memory that sits at the helm of a very complex and highly customizable malware framework ...
Think of a highly advanced variation of the Metasploit framework... With a root/boot kit implant on the target machine(s) providing a somewhat autonomous monitoring, control and configuration platform with the capability to manage any number of targets ... Or victims rather, because let's face it ... This sort of attack vector in any but the most serious legal scenarios ... Is nothing short of domestic terrorism... This article about LoJax makes it sound to me like the peace-loving flowerchild sibling of this nightmareware that has been wrecking my life for the past 6 months.
Sure, it flashes that poisoned code to the SPI memory... But trust me, that is just like the sweet and tender first kiss... Before the malicious grudge [expletive] starts... It does a lot of different things... Like flash out the ROM on your GPU, then set up a virtual RAID in the video memory, report bad, bad hard disk clusters to the OS, effectively creating private unscanned HD space at will... It creates a virtual SCSI bus and flashes the firmware on devices like CD/DVD ROMs and hard drives, then uses supposedly generic MS drivers to route all your devices onto that bus ...
Where it has complete control to inject malware in real time should you try to boot up live CDs or whatever... It will poison any images you try to DL or burn. I have seen crazy, crazy things while studying this ... Thing, and don't think for a second that it is not still under heavy development and being ... And I quote "field tested", directly from comments in multiple configuration files and logs ... It's often referred to as their "EXPERIMENT" ...
It may very well be the group that is being credited, it could also very well not be ... There is no way to be certain of anything at this point, to be honest. The only thing for certain is that whatever this "project" is ... It's WELL funded and adequately staffed... Around the clock, with frighteningly skilled mechanics. It uses Bluetooth primarily for network connection ... Right under your nose at first ...
And if it connects to your router ... Every device connected to it will get its firmware flashed and become an attack vector and asset. I have documented tons of files, config scripts, instructional comments ... Logs ... And even a folder with 300+ poisoned firmware images at one point, for a wide variety of devices ... Complete with instructions and pointers on the best methods to compromise these devices for remote firmware flashing... At one point my rig was being configured via a repurposed version of the Puppet Enterprise IT automation software... Then a day or so later its mode of attack and control was something else... So yeah, this is some next level [expletive] ...
And it's unnerving when you realize your computer has been virtualized on your own hardware and someone else is in the hypervisor seat... That your audio devices are recording ... and listening for key words ... All by persons unknown and without explanation.
Anyways, stay alert, look into hardware methods of trust certificate storage, and invest in a device that you can manually reflash things like the SPI memory with. Lol. I have like 4 or 5 machines with full blown nightmareware infections ... I am trying to decide what to do at this point.
Sorry for the crazy sounding rant... But some bank in the Balkans is NOT the first victim of this sort of thing ... I can say that with 100% certainty.
Sorry for the [expletive] composition here, but this is a quick rant via a phone... Hope it helps someone in some way, at some point.