Researchers find UEFI rootkit being actively exploited


Researchers from security firm ESET have found a UEFI rootkit. Because the malware lives in the firmware, it survives a fresh installation of the operating system and even a replacement of the hard drive. The rootkit is being abused in the wild.

According to ESET, there have been earlier reports of the existence of UEFI rootkits, such as in a Vault7 release from WikiLeaks and in a leaked document from Hacking Team, but such a rootkit had never before been found on an actually infected computer. According to ESET's telemetry, the malware has been used rarely and has been deployed against government agencies in the Balkans and in Central and Eastern Europe. Furthermore, there are said to be indications pointing to its use by Sednit, the group also known as APT28, Sofacy, Strontium and Fancy Bear, which is associated with the Russian espionage service.

ESET's investigation began with a trojanized version of LoJack, also known as Computrace. LoJack is anti-theft software from the company Absolute Software that is notable for its use of a UEFI module, which prevents a thief from bypassing the software by reinstalling the OS. The malicious version, which ESET calls LoJax, however connected to an unknown command & control server instead of Absolute Software's.

The malware also turned out to contain code to extract the system's UEFI image, modify it and write the trojanized version back to the SPI flash memory. Although this UEFI rootkit component only works against certain firmware, ESET calls it a powerful tool for attackers because of its persistence, the difficulty of detecting it, and the fact that reflashing the firmware is not an everyday activity for the average user.
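Writing a modified image back to SPI flash, as described above, only succeeds when the platform's BIOS write-protection is not locked. The following is an added example, not code from the article or from ESET, that decodes the Intel PCH BIOS_CNTL register (bit layout from Intel's chipset datasheets) so a defender can judge from a register reading whether the BIOS region is writable from the OS; the sample register values are constructed.

```python
"""Classify SPI flash BIOS-region write protection from a BIOS_CNTL register value."""

# BIOS_CNTL bit positions (Intel PCH datasheets). Other protections such as the
# flash descriptor and Protected Range registers are NOT covered by this check.
BIOSWE = 1 << 0    # BIOS Write Enable: 1 = writes to the BIOS region are allowed
BLE = 1 << 1       # BIOS Lock Enable: 1 = setting BIOSWE raises an SMI so firmware can clear it again
SMM_BWP = 1 << 5   # SMM BIOS Write Protect: 1 = BIOS region writable only while in SMM


def decode_bios_cntl(value: int) -> dict:
    """Return the three protection-relevant bits of BIOS_CNTL as booleans."""
    return {
        "BIOSWE": bool(value & BIOSWE),
        "BLE": bool(value & BLE),
        "SMM_BWP": bool(value & SMM_BWP),
    }


def flash_write_state(value: int) -> tuple:
    """Map a BIOS_CNTL reading to (status, reason).

    status is one of "WRITABLE", "WEAK" or "PROTECTED".
    """
    bits = decode_bios_cntl(value)
    if bits["BIOSWE"]:
        return ("WRITABLE", "BIOSWE is set: ring-0 code can write the BIOS region directly")
    if bits["BLE"] and bits["SMM_BWP"]:
        return ("PROTECTED", "BLE and SMM_BWP are set: writes are confined to SMM")
    if bits["BLE"]:
        return ("WEAK", "BLE set but SMM_BWP clear: protection rests on the SMI handler alone")
    return ("WRITABLE", "no lock bits set: BIOSWE can be enabled freely")


def audit(readings: dict) -> dict:
    """Evaluate a batch of {hostname: BIOS_CNTL value} readings (constructed sample input)."""
    return {host: flash_write_state(val)[0] for host, val in readings.items()}


if __name__ == "__main__":
    # Constructed sample readings, not real telemetry.
    sample = {"host-a": 0x22, "host-b": 0x02, "host-c": 0x03, "host-d": 0x00}
    for host, status in audit(sample).items():
        print(f"{host}: {status} ({flash_write_state(sample[host])[1]})")
```

On real hardware the register is read with a firmware-auditing tool such as CHIPSEC; the function above only interprets the value once it has been obtained.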

[Figure: boot process of a system infected by the UEFI rootkit]
