Security firm ESET discovered the powerful malware, dubbed Lojax, infecting a victim's computer and suspects the malicious code came from the hacking group known as Fancy Bear.

The attack targeted the computer's UEFI, which stands for Unified Extensible Firmware Interface and is the firmware used to boot up the system. By re-writing the UEFI, the malware can persist inside the computer's flash memory, allowing it to survive operating system reinstalls and hard disk replacements.
Getting rid of the malware means going in and over-writing the flash storage's memory, "an operation not commonly done and certainly not by the typical user," ESET said in a blog post. ESET refrained from naming the owner of the infected computer, but the security firm said it has detected Fancy Bear using different components of Lojax on government organizations based in the Balkans and other Central and Eastern European countries.
According to ESET, Lojax is the first UEFI-based rootkit ever detected attacking a computer system in the real world. Before this, experts had mainly talked about UEFI rootkits as a theoretical attack, although there was evidence that private security firms were selling such hacking tools to government customers. ESET said Lojax's behavior mimics a legitimate software tool called LoJack, an anti-theft product that is also hard to remove from a PC. "Since this software's intent is to protect a system from theft, it is important that it resists OS re-installation or hard drive replacement. Thus, it is implemented as a UEFI/BIOS module, able to survive such events," ESET said.
Fancy Bear appears to have weaponized the LoJack anti-theft product to both help the group attack computers and bypass security software. ESET noted that many antivirus vendors allow LoJack to run on a PC, assuming its system processes are safe.
The APT has been in operation since at least 2004. Allegedly directed by the Russian government, the hacking group has been connected to attacks against the US Democratic National Committee (DNC) ahead of the US elections, the World Anti-Doping Agency (WADA), the Association of Athletics Federations (IAAF), the German government, and the Ukrainian military, among others.
It isn't clear how Fancy Bear delivered the malware, but it can be used to download other malicious software modules to the infected computer. "As LoJax's best quality is to be stealthy and persistent, it could definitely be used to help ensure that access to key resources is maintained," ESET said in a separate report.
Sources page: PCmag