
LoJax Malware Can Embed Itself In PC Firmware

Researchers at the security company ESET say they have found a new type of malware, which they call LoJax, that embeds itself in a computer's UEFI firmware, which makes removal very difficult. A UEFI rootkit withstands the usual methods of discovery: it cannot be removed by anti-malware products running inside the operating system, and it is still there after a complete re-installation of the operating system or even a replacement of the computer's hard disk.

The malware is attributed to Sednit, also known as APT28, Sofacy, Strontium and Fancy Bear. The group has been operating since at least 2004, has made headlines frequently in recent years, and is believed to be behind several major, high-profile attacks.

In May 2018, an Arbor Networks blog post described several trojanized samples of the LoJack small agent, rpcnetp.exe. These malicious samples communicated with a malicious C&C server instead of the legitimate Absolute Software one, because their hardcoded configuration settings had been altered. Some of the domains found in the LoJax samples had been seen before: they were used in late 2017 as C&C domains for the notorious Sednit first-stage backdoor, SedUploader. The UEFI rootkit is the component that drops this trojanized agent onto the Windows system partition, which is where the name LoJax comes from.

UEFI rootkits are one of the most powerful tools in an attacker's arsenal: they persist across OS re-installs and hard disk changes and are extremely difficult to detect and remove. While it is hard to modify a system's UEFI image, few solutions exist to scan a system's UEFI modules and detect malicious ones. Moreover, cleaning a system's UEFI firmware means re-flashing it, an operation not commonly done and certainly not by the average user. These advantages explain why determined and resourceful attackers will continue to target UEFI firmware.

Protecting against LoJax is possible by enabling the Secure Boot mechanism, which checks that every component loaded by the system firmware is signed with a valid certificate.

Since the LoJax rootkit is not signed, a platform with Secure Boot enabled should refuse to execute it, and therefore stop it from dropping the user-mode agent onto the disk in the first place. Note that Secure Boot verifies components at load time; it does not by itself prevent an attacker from writing to the firmware flash, so it is a baseline defence rather than a complete one.
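Because the advice above only helps if Secure Boot is actually on, the first thing to check on a fleet is its real state. The following Python is an added example, not ESET's code or part of the original article: it decodes the SecureBoot and SetupMode variables as Linux exposes them under /sys/firmware/efi/efivars, where efivarfs prefixes each variable's data with a 4-byte attribute word, so a one-byte boolean variable is exactly 5 bytes long. The GUID is the standard EFI global variable GUID; the sample byte strings in the usage are constructed. It reports "setup-mode" separately because a machine with no Platform Key enrolled cannot enforce Secure Boot even if an administrator believes it to be configured. On Windows the equivalent check is `Confirm-SecureBootUEFI` in PowerShell; on Linux `mokutil --sb-state` gives the same answer as this script.

```python
"""Report the UEFI Secure Boot state from Linux efivarfs (added example)."""
from pathlib import Path
from typing import Optional

EFIVARS = Path("/sys/firmware/efi/efivars")
# EFI_GLOBAL_VARIABLE GUID, used for SecureBoot and SetupMode.
EFI_GLOBAL_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"


def decode_efivar_bool(raw: Optional[bytes]) -> Optional[bool]:
    """Decode a one-byte boolean EFI variable as read from efivarfs.

    efivarfs stores 4 bytes of little-endian attributes followed by the
    variable data, so a boolean variable is exactly attrs(4) + value(1).
    Returns None when the variable is absent or has an unexpected length.
    """
    if raw is None or len(raw) != 5:
        return None
    return raw[4] == 1


def secure_boot_status(secure_boot: Optional[bytes], setup_mode: Optional[bytes]) -> str:
    """Classify the platform from the raw SecureBoot and SetupMode variable contents."""
    sb = decode_efivar_bool(secure_boot)
    sm = decode_efivar_bool(setup_mode)
    if sb is None:
        # No SecureBoot variable: legacy BIOS boot, or firmware without Secure Boot support.
        return "unavailable"
    if sm:
        # SetupMode=1 means no Platform Key is enrolled; nothing can be enforced.
        return "setup-mode"
    return "enabled" if sb else "disabled"


def read_efivar(name: str) -> Optional[bytes]:
    """Read a global EFI variable from efivarfs, or None if it is not present."""
    try:
        return (EFIVARS / f"{name}-{EFI_GLOBAL_GUID}").read_bytes()
    except OSError:
        return None


def current_status() -> str:
    """Secure Boot state of the machine this runs on."""
    return secure_boot_status(read_efivar("SecureBoot"), read_efivar("SetupMode"))


if __name__ == "__main__":
    # Constructed sample: attributes BS|RT (0x06) followed by the boolean value.
    print("sample:", secure_boot_status(b"\x06\x00\x00\x00\x01", b"\x06\x00\x00\x00\x00"))
    print("this machine:", current_status())
```

Anything other than "enabled" on a machine that is supposed to be protected is worth a ticket, since an unsigned DXE driver such as the LoJax rootkit would run unchallenged.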

Further technical information is available in ESET's research paper on LoJax.

Indicators Of Compromise

C&C server domain names

secao[.]org
ikmtrust[.]com
sysanalyticweb[.]com
lxwo[.]org
jflynci[.]com
remotepx[.]net
rdsnets[.]com
rpcnetconnect[.]com
webstp[.]com
elaxo[.]org

C&C server IPs

185.77.129[.]106
185.144.82[.]239
93.113.131[.]103
185.86.149[.]54
185.86.151[.]104
103.41.177[.]43
185.86.148[.]184
185.94.191[.]65
86.106.131[.]54
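The indicators above are published defanged ("[.]" in place of "."), so they have to be refanged before they can be matched against telemetry. The following Python is an added example, not part of the original article or of ESET's tooling: it refangs the listed domains and IPs and scans log lines for them. The proxy, DNS and firewall lines it scans are constructed for the demonstration; the indicators themselves are the ones listed on this page. Domain matching also covers subdomains, so a lookup for a host such as www.secao.org still fires, while an unrelated name that merely ends in the same letters (notsecao.org) does not, and IPv4 candidates are validated with the `ipaddress` module before comparison.

```python
"""Match the LoJax C&C indicators listed above against log lines (added example)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Indicators exactly as published on this page, defanged with "[.]".
DEFANGED_DOMAINS = [
    "secao[.]org", "ikmtrust[.]com", "sysanalyticweb[.]com", "lxwo[.]org",
    "jflynci[.]com", "remotepx[.]net", "rdsnets[.]com", "rpcnetconnect[.]com",
    "webstp[.]com", "elaxo[.]org",
]
DEFANGED_IPS = [
    "185.77.129[.]106", "185.144.82[.]239", "93.113.131[.]103", "185.86.149[.]54",
    "185.86.151[.]104", "103.41.177[.]43", "185.86.148[.]184", "185.94.191[.]65",
    "86.106.131[.]54",
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator ("secao[.]org") back into its live form."""
    return indicator.replace("[.]", ".")


DOMAINS = {refang(d).lower() for d in DEFANGED_DOMAINS}
IPS = {ipaddress.ip_address(refang(i)) for i in DEFANGED_IPS}

# Hostnames: one or more labels followed by an alphabetic TLD, so dotted IPs
# are not picked up here. IPv4 candidates are validated with ipaddress below.
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.IGNORECASE)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


@dataclass(frozen=True)
class Hit:
    line_no: int
    kind: str        # "domain" or "ip"
    indicator: str   # the published indicator that matched
    line: str


def domain_matches(host: str) -> Optional[str]:
    """Return the C&C domain that host equals or is a subdomain of, else None."""
    host = host.lower().rstrip(".")
    for domain in DOMAINS:
        if host == domain or host.endswith("." + domain):
            return domain
    return None


def scan_lines(lines: List[str]) -> List[Hit]:
    """Scan raw log lines for C&C domains (including subdomains) and C&C IPs."""
    hits: List[Hit] = []
    for line_no, line in enumerate(lines, start=1):
        for match in HOST_RE.finditer(line):
            domain = domain_matches(match.group(1))
            if domain:
                hits.append(Hit(line_no, "domain", domain, line))
        for match in IPV4_RE.finditer(line):
            try:
                addr = ipaddress.ip_address(match.group(0))
            except ValueError:  # e.g. "999.1.1.1" looks like an IP but is not one
                continue
            if addr in IPS:
                hits.append(Hit(line_no, "ip", str(addr), line))
    return hits


# Constructed sample lines (not real telemetry): proxy, DNS and firewall records.
SAMPLE_LOG = [
    "2018-09-27T10:02:11Z proxy 10.0.0.12 GET http://update.microsoft.com/ 200",
    "2018-09-27T10:02:13Z proxy 10.0.0.12 CONNECT sysanalyticweb.com:443 200",
    "2018-09-27T10:02:14Z dns 10.0.0.12 query A www.secao.org",
    "2018-09-27T10:02:15Z fw 10.0.0.12 -> 185.86.149.54:80 allow",
    "2018-09-27T10:02:16Z dns 10.0.0.12 query A notsecao.org",
]

if __name__ == "__main__":
    for hit in scan_lines(SAMPLE_LOG):
        print(f"line {hit.line_no}: {hit.kind} {hit.indicator} <- {hit.line}")
```

Against the constructed sample this reports three hits (the CONNECT to sysanalyticweb.com, the lookup of www.secao.org and the connection to 185.86.149.54) and nothing for the Microsoft update or the look-alike notsecao.org. Indicator lists like this age quickly, so treat a hit as a reason to pull the host's firmware image for inspection rather than as proof of infection.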



Duncan

Duncan is a technology professional with over 20 years' experience of working in various IT roles. He has an interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.
