A group of security researchers tracking the operations of a cyber-espionage group discovered a new rootkit that works on UEFI (Unified Extensible Firmware Interface) and currently in operation in the wild.

According to ESET, this threat actor integrated the rootkit in the SPI flash module on the target computer. This allows the rootkit persistence over the system even if components like the OS and/or hard drive are replaced. That’s a very powerful ability and dangerous.

The security researchers gave the rootkit a nice name – LoJax. The name came from the malicious samples of the LoJack anti-theft software.

Signed drivers for accessing the firmware

According to the security researchers, there were 3 different types of tools on the victim’s computers where 2 of them gathers the details about the system firmware and creates a copy of the system firmware by reading the SPI flash memory module.

The last one then injects the malicious module inside the gathered firmware copy. Then, the modified copy is flashed to the SPI flash memory. Thus, ultimate persistency for the malware.

For reaching the UEFI settings, all the tools present in the rootkit uses the kernel driver of the RWEverything – a tool giving the power to modify all the settings and firmware of almost ALL the hardware. The driver comes up with a valid certificate and that’s the catch.

According to ESET, the patching tool uses various techniques for abusing the misconfiguration of the system or even bypass the SPI flash memory write protections. If the write operations are denied from the system, then the rootkit exploits a 4-years old race condition vulnerability in UEFI (CVE-2014-8273) for bypassing this defense.

The ultimate target of the rootkit is just dropping the malware into the Windows system and making sure that it integrates in the OS every time the system boots.

Defense against LoJax

Despite using advanced methods, LoJax is easily defendable with the currently available methods. First of all, make sure that you enable “Secure Boot” mechanism. This ensures that everything that’s loaded in the system firmware comes up with a valid certificate. LoJax isn’t signed, so it won’t be able to load due to “Secure Boot”.

Another very crucial thing is to make sure that your motherboard has the latest version of firmware. For upgrading your motherboard firmware, check out the official website of your motherboard vendor. After upgrading to the latest version, the firmware should fix and tighten the protection for the SPI flash memory module.

If your system has the latest firmware, you can reflash the firmware. It involves downloading the latest firmware package from motherboard vendor’s website and applying it again. Different motherboard vendors provide different ways of reflashing/updating the firmware.

LoJax is a threat for high-value targets, so general users shouldn’t be afraid of it just yet. Make sure that you take the necessary steps to tighten your system security and you’re good to go!

Cheers!