APT28 Uses LoJax, First UEFI Rootkit Seen in the Wild (Sep 27, 2018)

ESET researchers have identified that the Russian Advanced Persistent Threat group “APT28” has added a new malicious tool to its arsenal, a rootkit dubbed “LoJax.” The rootkit targets a machine’s Unified Extensible Firmware Interface (UEFI), the software interface that connects a machine’s firmware to its operating system and the first program that runs when a machine boots. LoJax is the first malware observed to target UEFI specifically, and its objective is to drop malware onto a Windows operating system at startup. At the time of this writing, LoJax is primarily targeting government entities in the Balkans and in Central and Eastern Europe. Furthermore, no distribution has yet been reported.

Recommendation: Defense in depth (layering of security mechanisms, redundancy, fail-safe defense processes) is the best way to ensure safety from APTs, including a focus on both network and host-based security. Prevention and detection capabilities should also be in place. Furthermore, all employees should be educated on the risks of spear phishing and how to identify such attempts.

Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.