Russian Sednit APT used the first-ever UEFI rootkit in attacks in the wild
27.9.2018 securityaffairs
APT

Security experts from ESET have spotted the first-ever UEFI rootkit; the code, tracked as LoJax, was used in attacks in the wild.
Security researchers from ESET have discovered a new piece of sophisticated malware used by the Russia-linked Sednit group (aka Fancy Bear, APT28, Pawn Storm, Sofacy Group, and STRONTIUM) in targeted attacks aimed at government entities in the Balkans as well as in Central and Eastern Europe.

The malicious code tracked as LoJax is considered the first UEFI rootkit used in attacks in the wild.

Security experts have long debated UEFI rootkits: very dangerous malware that is hard to detect and that can survive operating system reinstallation and even hard disk replacement.

“The discovery of the first in-the-wild UEFI rootkit is notable for two reasons.” reads the analysis published by ESET.

“First, it shows that UEFI rootkits are a real threat, and not merely an attractive conference topic.

And second, it serves as a heads-up, especially to all those who might be in the crosshairs of Sednit. This APT group, also known as APT28, STRONTIUM, Sofacy and Fancy Bear, may be even more dangerous than previously thought.”

The Sednit APT group has been active since at least 2007 and has targeted governments, militaries, and security organizations worldwide. The group was also involved in the string of attacks that targeted the 2016 Presidential election.

The discovery marks a milestone in the evolution of the group and an escalation in the complexity of its attacks; the group's cyber capabilities may be even more dangerous than previously thought.

The LoJax UEFI rootkit borrows a portion of the code of the anti-theft software LoJack.

LoJack for laptops is security software designed to catch computer thieves, but it could theoretically be abused to spy on the legitimate owners of the device.

LoJack can be used to locate a stolen laptop, lock it or wipe its contents, which makes it a valuable application for enterprises that want an additional layer of protection for their assets.

Earlier this year, experts from Arbor Networks discovered several LoJack agents connecting to servers believed to be controlled by the notorious Russia-linked Fancy Bear APT group.

“ASERT recently discovered Lojack agents containing malicious C2s. These hijacked agents pointed to suspected Fancy Bear (a.k.a. APT28, Pawn Storm) domains.” reads the report published by Netscout.

“ASERT has identified five Lojack agents (rpcnetp.exe) pointing to 4 different suspected domains. Fancy Bear has been tied to three of the domains in the past.”

Five LoJack agents discovered by the experts were pointing to four C&C servers, three of which have been associated with past campaigns conducted by the Fancy Bear APT group.

LoJax exhibits rootkit-like capabilities: it is implemented as a UEFI/BIOS module so that it survives OS reinstallation and hard drive replacement.

“Since this software’s intent is to protect a system from theft, it is important that it resists OS re-installation or hard drive replacement.” continues the report.

“Thus, it is implemented as a UEFI/BIOS module, able to survive such events. This solution comes pre-installed in the firmware of a large number of laptops manufactured by various OEMs, waiting to be activated by their owners.”

The researchers from ESET revealed that the APT group was successful at least once in writing a malicious UEFI module into a system’s SPI flash memory.

The module was abused to drop and execute the malicious code on disk during the boot process. The only way to remove the malware is to reflash the UEFI firmware.


Moreover, cleaning a system’s UEFI firmware means re-flashing it, an operation not commonly done and certainly not by the typical user.

Experts linked the attacks to the Sednit hackers through analysis of the code and identification of the command and control infrastructure.

“As mentioned above, some of the LoJax small agent C&C servers were used in the past by SedUploader, a first-stage backdoor routinely used by Sednit’s operators. Also, in cases of LoJax compromise, traces of other Sednit tools were never far away.” concludes the report.

“In fact, systems targeted by LoJax usually also showed signs of these three examples of Sednit malware:

SedUploader, a first-stage backdoor
XAgent, Sednit’s flagship backdoor
Xtunnel, a network proxy tool that can relay any kind of network traffic between a C&C server on the Internet and an endpoint computer inside a local network
These facts allow us to attribute LoJax with high confidence to the Sednit group.”

The full list of Indicators of Compromise (IOCs) and samples was shared by ESET on GitHub.