Russian state-sponsored hackers appear to be using malware that can persist on Windows PCs even after the OS has been reinstalled.
Security firm ESET discovered the powerful malware, dubbed ‘Lojax’, infecting a victim’s computer and suspects the malicious code came from the hacking group known as Fancy Bear.
The attack targeted the computer’s UEFI, which stands for Unified Extensible Firmware Interface, and is used to boot up the system. By re-writing the UEFI, the malware can persist inside the computer’s flash memory, allowing it to survive operating system re-installs and hard disk replacements.
Getting rid of the malware means going in and over-writing the flash storage’s memory, “an operation not commonly done and certainly not by the typical user,” ESET said in a blog post.
ESET refrained from naming the owner of the infected computer, but the security firm said it has detected Fancy Bear using different components of Lojax on government organizations based in the Balkans and other Central and Eastern European countries.
According to ESET, Lojax is the first time a UEFI-based rootkit has ever been detected attacking a computer system in the real world. Before this, experts had mainly talked about UEFI rootkits as a theoretical attack, although there was evidence that private security firms were selling the hacking tools to government customers.
“It serves as a heads-up, especially to all those who might be in the crosshairs of (Fancy Bear),” ESET said. The hacking group, also known as Sednit, has been blamed for a barrage of attacks on government groups, including the breach of the Democratic National Committee’s computer networks during the 2016 presidential campaign. Earlier this year, US federal investigators charged 12 Russian military officers for the DNC hack.
ESET said Lojax’s behavior mimics a legitimate software tool called LoJack, an anti-theft product that’s also hard to remove from a PC. “Since this software’s intent is to protect a system from theft, it is important that it resists OS re-installation or hard drive replacement. Thus, it is implemented as a UEFI/BIOS module, able to survive such events,” ESET said.
Fancy Bear appears to have weaponized the LoJack anti-theft product to both help the group attack computers and bypass security software. ESET noted that many antivirus vendors will allow LoJack to run on a PC, assuming the system processes are safe.
It isn’t clear how Fancy Bear delivered the malware, but it can be used to download other malicious software modules to the infected computer. “As LoJax’s best quality is to be stealthy and persistent, it could definitely be used to help ensure that access to key resources is maintained,” ESET said in a separate report.
The security firm suspects Lojax was developed by Fancy Bear partly based on the command and control servers with which the malware was communicating. Domains for those servers were previously used to host other Fancy Bear-developed hacking tools.
The good news is that you can block the Lojax attack through a PC industry feature called Secure Boot, which will check to see that all your PC parts, including the firmware, are authenticated with a valid code-signing certificate from the manufacturers. The Lojax malware will fail to pass this check. Secure Boot is usually activated by default in Windows 10. To toggle it on or off, you’ll likely have to restart your PC, and go into the BIOS to access the feature.
ESET also recommends PC owners keep the firmware on their motherboard updated to prevent hackers from exploiting vulnerabilities in the code.