Blog Post

UEFI Rootkit

Oct 30, 2018

Until August of this year, no UEFI rootkit had ever been detected in a real cyber attack. They had been presented at security conferences as proofs of concept and are known to be at the disposal of governmental agencies.

In late September 2018, security researchers from ESET came across a Unified Extensible Firmware Interface (UEFI) rootkit (named LoJax by ESET, detected by Trend Micro as BKDR_FALOJAK.USOMON and Backdoor.Win32.FALOJAK.AA) in the wild, used for cyberespionage in a campaign by the Sednit APT group. The UEFI rootkit was found bundled together with a toolset able to patch a victim's system firmware in order to install malware at this deep level.

The rootkit is reportedly packaged with other tools that modify the system’s firmware to infect it with malware.

The malware is dropped onto the system and ensures that it is executed whenever the computer boots. LoJax affects UEFI, which provides the interface through which the system’s operating system (OS) communicates with the firmware. As such, LoJax can persist in the UEFI firmware even if the system’s OS is reinstalled or its hard drives are replaced. If the infection is successful, attackers can use LoJax to maintain persistent remote access to the system and to install and execute additional malware on it. The security researchers said that it can also be used to track the system’s location, and possibly that of the system's owner.

What is UEFI (Unified Extensible Firmware Interface)?
The computer code that starts right after the computer is turned on and has the ultimate power over the computer’s operating system (and thus the whole machine) is called firmware. The standard – think of it as a set of rules – for how the firmware behaves is called UEFI (its predecessor was called BIOS). Firmware and UEFI (Unified Extensible Firmware Interface) are often linked together and called UEFI firmware.

A rootkit is dangerous malware designed to gain “illegal” and persistent access to what it is otherwise not allowed to reach. Typically, a rootkit also masks its own existence or the existence of other malware.