Fancy Bear Uses LoJax UEFI Rootkit in Highly Targeted Attacks

Delaware, USA – September 28, 2018 — In May, Arbor Networks discovered modified LoJack applications that communicated with command & control servers used by Fancy Bear in previous campaigns. Yesterday at the Microsoft BlueHat conference, researchers from ESET presented a report about LoJax UEFI rootkit developed by the APT group. This first detected malware of this kind was used in attacks on government organizations in Europe, and at least in one case it successfully infected a system. To install LoJax, Fancy Bear group uses several tools, which use a kernel driver signed with a valid code-signing certificate to access the UEFI / BIOS settings. The first tool collects and saves low-level system settings information. The second creates an image of the system firmware, and the third one adds LoJax to the image and overwrites the SPI flash memory. The primary purpose of the rootkit is to ensure persistence on the victim’s computer and drop malware from cybercriminals’ arsenal every time the system is booted. LoJax allows Fancy Bear to infect computer again and again not only after Windows reinstall but even after replacing the hard drive.

Attackers used different components of the malware in each of highly targeted attacks. Detecting and removing LoJax is difficult, but the malware it drops can be detected using the methods of statistical profiling and behavioral analysis. APT Framework SIEM rule pack allows to monitor the infrastructure using the methodology of the Lockheed Martin Cyber ​​Kill Chain and detect traces of sophisticated attacks: