First UEFI malware discovered in wild is laptop security software hijacked by Russians
ESET Research has published a paper detailing the discovery of a malware campaign that used repurposed commercial software to create a backdoor in computers’ firmware—a “rootkit," active since at least early 2017 and capable of surviving the re-installation of the Windows operating system or even hard drive replacement. While the malware had been spotted previously, ESET’s research is the first to show that it was actively attacking the firmware of computers to establish a tenacious foothold.
Dubbed “LoJax,” the malware is the first case of an attack leveraging the Unified Extensible Firmware Interface (UEFI) boot system being used in an attack by an adversary. And based on the way the malware was spread, it is highly likely that it was authored by the Sednit/Fancy Bear/APT 28 threat group—the Russian state-sponsored operation tied by US intelligence and law enforcement to the cyber-attack on the Democratic National Committee.
There have been a number of security concerns about UEFI’s potential as a hiding place for rootkits and other malware, including those raised by Dick Wilkins and Jim Mortensen of firmware developer Phoenix Technologies in a presentation at UEFI Plugfest last year. “Firmware is software and is therefore vulnerable to the same threats that typically target software,” they explained. UEFI is essentially a lightweight operating system in its own right, making it a handy place to put rootkits for those who can manage it.