A rootkit is a particularly nasty type of malware. A “regular” malware infection loads when you enter the operating system. It is still a bad situation, but a decent antivirus should remove the malware and clean up your system.
Conversely, a rootkit installs to your system firmware and allows for the installation of a malicious payload each time you reboot your system.
Security researchers have spotted a new rootkit variant in the wild, named LoJax. What sets this rootkit apart from others? Well, it can infect modern UEFI-based systems, rather than older BIOS-based systems. And that is a problem.
The LoJax UEFI Rootkit
ESET Research published a research paper that details LoJax, a newly discovered rootkit (what is a rootkit?) that successfully re-purposes a commercial software of the same name. (Although the research team christened the malware “LoJax,” the genuine software is named “LoJack.”)
Adding to the threat, LoJax can survive a complete Windows re-installation and even replacement of the hard drive.
The malware survives by attacking the UEFI firmware boot system. Other rootkits might hide in drivers or boot sectors, depending on their coding and the intent of the attacker. LoJax hooks into the system firmware and re-infects the system before the OS even loads.
As yet, the only known method to completely remove the LoJax malware is flashing new firmware over the suspect system. A firmware flash isn’t something most users have experience with. While easier than in the past, there is still a significant that flashing a firmware will go wrong, potentially bricking the machine in question.
How Does the LoJax Rootkit Work?
LoJax uses a repackaged version of Absolute Software’s LoJack anti-theft software. The original tool is meant to be persistent throughout a system wipe or hard drive replacement so the licensee can track a stolen device. The reasons for the tool burrowing so deep into the computer are fairly legitimate, and LoJack is still a popular anti-theft product for these exact qualities.
Given that, in the US, 97 percent of stolen laptops are never recovered, it’s understandable users want extra protection for such an expensive investment.
LoJax uses a kernel driver, RwDrv.sys, to access the BIOS/UEFI settings. The kernel driver is bundled with RWEverything, a legitimate tool used to read and analyze low-level computer settings (bits you normally do not have access to). There were three other tools in the LoJax rootkit infection process:
- The first tool dumps information about the low-level system settings (copied from RWEverything) to a text file. Bypassing system protection against malicious firmware updates requires knowledge of the system.
- The second tool “saves an image of the system firmware to a file by reading the contents of the SPI flash memory.” The SPI flash memory hosts the UEFI/BIOS.
- A third tool adds the malicious module to the firmware image then writes it back to the SPI flash memory.
If LoJax realizes that the SPI flash memory is protected, it exploits a known vulnerability (CVE-2014-8273) to access it, then continues and writes the rootkit to memory.
Where Did LoJax Come From?
The ESET Research team believe that LoJax is the work of the infamous Fancy Bear/Sednit/Strontium/APT28 Russian hacking group. The hacking group is responsible for several major attacks in recent years.
LoJax uses the same command and control servers as SedUploader—another Sednit backdoor malware. LoJax also has links and traces of other Sednit malware, including XAgent (another backdoor tool), and XTunnel (a secure network proxy tool).
Additionally, the ESET research found that the malware operators “used different components of the LoJax malware to target a few government organizations in the Balkans as well as Central and Eastern Europe.”
LoJax Isn’t the First UEFI Rootkit
The news of LoJax certainly caused the security world to sit up and take note. However, it isn’t the first UEFI rootkit. The Hacking Team (a malicious group, just in case you were wondering) was using a UEFI/BIOS rootkit back in 2015 to keep a remote-control system agent installed on target systems.
The major difference between The Hacking Team UEFI rootkit and LoJax is the method of delivery. At the time, security researchers thought that The Hacking Team required physical access to a system to install the firmware-level infection. Of course, if someone has direct access to your computer, they can do what they want. Still, the UEFI rootkit is especially nasty.
Is Your System at Risk From LoJax?
Modern UEFI-based systems have several distinct advantages over their older BIOS-based counterparts.
For one, they’re newer. New hardware isn’t the be all and end all, but it does make many computing tasks easier.
Secondly, UEFI-firmware has a few additional security features, too. Particularly of note is Secure Boot, which only allows programs with a signed digital signature to run.
If this is turned off and you encounter a rootkit, you’re going to have a bad time. Secure Boot is a particularly useful tool in the current age of ransomware, too. Check out the following video of Secure Boot dealing with the extremely dangerous NotPetya ransomware:
NotPetya would have encrypted everything on the target system had Secure Boot been turned off.
LoJax is a different kind of beast altogether. Contrary to earlier reports, even Secure Boot cannot stop LoJax. Keeping your UEFI firmware up to date is extremely important. There are some specialized anti-rootkit tools, too, but it is unclear if they can protect against LoJax.
However, like many threats with this level of capability, your computer is a prime target. Advanced malware predominantly focuses on high-level targets. Furthermore, LoJax has the indications of nation-state threat actor involvement; another strong chance LoJax won’t affect you in the short term. That said, malware has a way of filtering out into the world. If cybercriminals spot the successful use of LoJax, it might become more commonplace in regular malware attacks.
As ever, keeping your system up to date is one of the best ways to protect your system. A Malwarebytes Premium subscription is a great help, too.