Researchers at cybersecurity company ESET have found a malware campaign that compromises a device’s firmware component. The campaign is believed to be supported and spread by the Kremlin-backed group Fancy Bear.
According to the report, the malware, dubbed LoJax, can “serve as a key to the whole computer” by infecting the Unified Extensible Firmware Interface (UEFI) of a device. It is very hard to detect and can also survive operating system (OS) reinstallations.
“The way that LoJax accesses both the UEFI and LoJack is by using binary files that, from the operating system, compile information about its hardware,” Panda Security researchers said in a blog.
“LoJax isn’t dangerous simply because of the infection of the UEFI itself, but also due to the fact that many cybersecurity solutions, including corporate cybersecurity solutions that are present in many companies, completely overlook Computrace LoJack and the UEFI software, as they classify it to be safe.”
LoJack is anti-theft software, which is most commonly known for its cyber attack on the Democratic National Committee in 2016, as well as several other attacks on European organizations.
“Although we were aware in theory that UEFI rootkits existed, our discovery confirms that they are used by an active advanced persistent threat group,” said ESET researcher Jean-Ian Boutin, in a press release.
“These attacks targeting the UEFI are a real threat, and anyone in the crosshairs of Sednit [Fancy Bear] should be watching their networks and devices very closely.”