Hackers appear to be using malware that can persist on Windows PCs even after the OS has been reinstalled.
Antivirus firm ESET discovered the malware, dubbed LoJax, infecting a victim’s computer and suspects the malicious code came from the hacking group known as Fancy Bear.
The attack targeted the computer’s UEFI (Unified Extensible Firmware Interface), the firmware used to boot up the system. By rewriting the UEFI image, the malware persists inside the computer’s flash memory, allowing it to survive operating system reinstalls and hard disk replacements.
Getting rid of the malware means overwriting the flash storage’s memory, “an operation not commonly done and certainly not by the typical user,” ESET said in a blog post.
ESET naming the malware
ESET refrained from naming the owner of the infected computer, but the security firm said it has detected Fancy Bear using different components of Lojax on government organizations based in the Balkans and other Central and Eastern European countries.
According to ESET, LoJax is the first UEFI-based rootkit ever detected attacking a computer system in the real world. Before this, experts had mainly talked about UEFI rootkits as a theoretical attack, although there was evidence that private security firms were selling such hacking tools to government customers.
“It serves as a heads-up, especially to all those who might be in the crosshairs of (Fancy Bear),” ESET said.
ESET said Lojax’s behavior mimics a legitimate software tool called LoJack, an anti-theft product that’s also hard to remove from a PC. “Since this software’s intent is to protect a system from theft, it is important that it resists OS re-installation or hard drive replacement. Thus, it is implemented as a UEFI/BIOS module, able to survive such events,” ESET said.
Fancy Bear appears to have weaponized the LoJack anti-theft product to both help the group attack computers and bypass security software. ESET noted that many antivirus vendors will allow LoJack to run on a PC, assuming the system processes are safe.
It isn’t clear how Fancy Bear delivered the malware, but it can be used to download other malicious software modules to the infected computer. “As LoJax’s best quality is to be stealthy and persistent, it could definitely be used to help ensure that access to key resources is maintained,” ESET said in a separate report.
The security firm suspects Lojax was developed by Fancy Bear partly based on the command and control servers with which the malware was communicating. Domains for those servers were previously used to host other Fancy Bear-developed hacking tools.
The good news is that you can block the LoJax attack through a PC industry feature called Secure Boot, which checks that all your PC’s components, including the firmware, are authenticated with a valid code-signing certificate from their manufacturers. The LoJax malware fails this check. Secure Boot is usually activated by default on Windows 10 machines. To toggle it on or off, you will likely have to restart your PC and go into the BIOS (UEFI setup) to access the feature.
ESET also recommends PC owners keep the firmware on their motherboard updated to prevent hackers from exploiting vulnerabilities in the code.
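The two mitigations the article names, Secure Boot and current firmware, can be verified from an elevated PowerShell prompt. The script below is an added example, not code from the article or from ESET. It assumes a Windows 8.1/10 or later machine with the built-in SecureBoot module, run as Administrator; the one-year staleness threshold is an arbitrary assumption you should replace with your own patch policy.

```powershell
# Added example (not from the article or ESET): report the two controls the
# article names as LoJax mitigations, Secure Boot state and firmware age.
# Assumes Windows 8.1+/10+, the built-in SecureBoot module, and an elevated prompt.

function Get-FirmwareBaselineReport {
    [CmdletBinding()]
    param(
        # Firmware older than this many days is flagged for review against the
        # vendor's update page. The 365-day threshold is an assumption.
        [int]$MaxFirmwareAgeDays = 365
    )

    $report = [ordered]@{}

    # Confirm-SecureBootUEFI returns $true/$false on UEFI systems and throws
    # on legacy BIOS machines, where Secure Boot cannot exist at all.
    try {
        $report.SecureBootEnabled = [bool](Confirm-SecureBootUEFI -ErrorAction Stop)
        $report.BootMode = 'UEFI'
    } catch {
        $report.SecureBootEnabled = $false
        $report.BootMode = 'Legacy BIOS or unsupported'
    }

    # Firmware identity and release date from SMBIOS via CIM.
    $bios = Get-CimInstance -ClassName Win32_BIOS
    $report.Manufacturer    = $bios.Manufacturer
    $report.FirmwareVersion = $bios.SMBIOSBIOSVersion
    $report.FirmwareDate    = $bios.ReleaseDate
    $report.FirmwareStale   = $false
    if ($bios.ReleaseDate) {
        $age = (Get-Date) - $bios.ReleaseDate
        $report.FirmwareAgeDays = [int]$age.TotalDays
        $report.FirmwareStale   = $age.TotalDays -gt $MaxFirmwareAgeDays
    }

    # Plain findings a reader can act on, matching the article's two recommendations.
    $findings = @()
    if (-not $report.SecureBootEnabled) {
        $findings += 'Secure Boot is not enforcing: an unsigned UEFI module such as LoJax would not be blocked at boot.'
    }
    if ($report.FirmwareStale) {
        $findings += "Firmware was released $($report.FirmwareAgeDays) days ago; check the vendor for an update."
    }
    $report.Findings = $findings

    [pscustomobject]$report
}

Get-FirmwareBaselineReport | Format-List
```

The script only reads state; it never writes to firmware. An empty Findings list means both controls the article recommends are in place on that machine, which is a baseline you can collect fleet-wide rather than a guarantee that the flash has not already been tampered with.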
Chipin IT security solutions for your business
- Real Time Threat Monitoring (RTTM)
Our Real Time Threat Monitoring Services (RTTM) keep watch over your equipment to give you better visibility of your organization’s cyber risk. The Managed IT Security Services offer comprehensive daily, weekly and monthly logs so you can make quick and effective decisions about how to improve your network security.
- Patch Management
Missing security patches and updates are one of the leading causes of attacks. Our patch management service scans all connected endpoints to give you a list of issues. Our experts then apply the updates to your systems to keep you protected.
- Managed End Point
Our team of IT security experts monitors the endpoint antivirus and anti-malware solutions installed on all your devices through a central cloud portal and takes corrective action when a warning goes off.
- Managed Firewall
We offer managed firewall as a service, covering the operation, administration, monitoring and maintenance of your firewalls. We assist in establishing, maintaining and modifying firewall rules to ensure network performance and security.
Check out our latest tips and solutions from Chipin.