Windows 10: ESET discovers first LoJax UEFI rootkit malware by Sednit group

  1. Brink
    Posts : 33,018
    64-bit Windows 10 Pro build 18252
       2 Weeks Ago #1

    ESET discovers first LoJax UEFI rootkit malware by Sednit group


    UEFI rootkits are widely viewed as extremely dangerous tools for implementing cyberattacks, as they are hard to detect and able to survive security measures such as operating system reinstallation and even a hard disk replacement. Some UEFI rootkits have been presented as proofs of concept; some are known to be at the disposal of (at least some) governmental agencies. However, no UEFI rootkit has ever been detected in the wild – until we discovered a campaign by the Sednit APT group that successfully deployed a malicious UEFI module on a victim’s system.

    The discovery of the first in-the-wild UEFI rootkit is notable for two reasons.

    First, it shows that UEFI rootkits are a real threat, and not merely an attractive conference topic.

    And second, it serves as a heads-up, especially to all those who might be in the crosshairs of Sednit. This APT group, also known as APT28, STRONTIUM, Sofacy and Fancy Bear, may be even more dangerous than previously thought.

    Our analysis of the Sednit campaign that uses the UEFI rootkit was presented September 27 at the 2018 Microsoft BlueHat conference and is described in detail in our “LoJax: First UEFI rootkit found in the wild, courtesy of the Sednit group” white paper. In this blog post, we summarize our main findings.

    The Sednit group has been operating since at least 2004, and has made headlines frequently in past years: it is believed to be behind major, high profile attacks. For instance, the US Department of Justice named the group as being responsible for the Democratic National Committee (DNC) hack just before the US 2016 elections. The group is also presumed to be behind the hacking of global television network TV5Monde, the World Anti-Doping Agency (WADA) email leak, and many others. This group has a diversified set of malware tools in its arsenal, several examples of which we have documented previously in our Sednit white paper from 2016.

    Our investigation has determined that this malicious actor was successful at least once in writing a malicious UEFI module into a system’s SPI flash memory. This module is able to drop and execute malware on disk during the boot process. This persistence method is particularly invasive as it will not only survive an OS reinstall, but also a hard disk replacement. Moreover, cleaning a system’s UEFI firmware means re-flashing it, an operation not commonly done and certainly not by the typical user.

    Our research has shown that the Sednit operators used different components of the LoJax malware to target a few government organizations in the Balkans as well as in Central and Eastern Europe...


    Read more: LoJax: First UEFI rootkit found in the wild, courtesy of the Sednit group

    Download research paper (PDF): https://www.welivesecurity.com/wp-co...ESET-LoJax.pdf



  2. essenbe
    Posts : 11,342
    Windows 10 Pro and Windows 10 Pro Insider
       2 Weeks Ago #1

    That sounds like some serious stuff. Makes me glad I use ESET.

  3. DooGie
    Posts : 4,341
    Windows 10 x64 Home version 1809
       2 Weeks Ago #2

    essenbe said:
    That sounds like some serious stuff. Makes me glad I use ESET.
    Same here Steve

  4.    2 Weeks Ago #3

    Hardware-based droppers have been around for some time now; they started in 2016.
    It doesn't 'Drop' or 'Execute', it calls out and downloads the malware, turns your PC into a VM .... Welcome to the Botnet.
    Extensively, in the 'Device Manager' you have an option to update your BIOS:
    [Attached screenshot: 2018-09-27_151346.jpg]
    It doesn't take much to hijack this process and flash a malicious script.
    MSU for W10 will eventually be an automatic install for this procedure.

    LINUX ......


  5. RoasterMen
    Posts : 613
    Windows 10 Home SL 64-bit, v1803
       2 Weeks Ago #4

    Not all systems have the option to update the BIOS from inside the OS.

  6.    2 Weeks Ago #5

    RoasterMen said:
    Not all systems have the option to update the BIOS from inside the OS.
    Does this mean PCs not having the Device Manager option above are safe from this attack method?


  7. Posts : 199
    Microsoft Windows 10 x64
       2 Weeks Ago #6

    Hello,

    If I flashed the BIOS with the original manufacturer BIOS firmware, and if it is not modified, does this mean I am safe?

  8. eLPuSHeR
       2 Weeks Ago #7

    This sounds very serious (as Essenbe said above). Viruses are becoming more and more sophisticated. As I haven't noticed any sign of benefits about using GPT/UEFI partition schemes, I think I may be returning to good old MBR when new Windows (v1809) arrives. I don't know. What do you think?
    In all seriousness, GPT/UEFI doesn't provide anything fancy, despite Intel claims. I do a lot of backups with Macrium Reflect, so I am not worried about partition corruption and such.

  9.    2 Weeks Ago #8

    eLPuSHeR said:
    This sounds very serious (as Essenbe said above). Viruses are becoming more and more sophisticated. As I haven't noticed any sign of benefits about using GPT/UEFI partition schemes, I think I may be returning to good old MBR when new Windows (v1809) arrives. I don't know. What do you think?
    In all seriousness, GPT/UEFI doesn't provide anything fancy, despite Intel claims. I do a lot of backups with Macrium Reflect, so I am not worried about partition corruption and such.
    I thought it was easier to infect the MBR?

  10. Penny K
       2 Weeks Ago #9

    This hardware-based malware payload is not introduced via social engineering; it is, in its current state, introduced to the targeted PC by a person.
    This will have to be in the factory, at a service center, repair depot, large academic or learning center, any large global company that has an IT department..... Even a municipal, State/Provincial or Federal employee has an IT department..... You get the idea.

    It's not inconceivable that a service/repair/production line employee at any major PC company could be bribed to have a hand in this. The lure of money is too great; you don't need to be under financial distress to fold under the pressure of CA$H in hand.

    In 2012, the MBR ZeroAccess Rootkit BotNet was worth $2.7 million per year, with an estimated $100,000 USD per day for clickjacking and up to $900,000.00 in fraudulent clicks....... That's 2012! The botnet has quadrupled in size.

    It's about money, lots of it, and someone out there is worth more than Trump/Putin and Mao combined; they just can't advertise it or be on the cover of Forbes.

    Dump a payload into a production line system for half a million, sure, why not.

    Also, did you notice that the MS Firmware update driver is dated 2006 .... That doesn't inspire confidence in me....

    Linux, my next machine is going to be Linux.....

    And then there's RAM based malware, another hardware based payload.
    Undetectable by ALL current AV/AM programs.
    Writes itself to RAM, does its thing, disappears when the PC is shut down.
    Not there when it starts up, MBR/Boot time scans will not detect it.
    Last edited by Penny K; 2 Weeks Ago at 03:49.

