Unkillable LoJax Rootkit Campaign Remains Active
#1
Quote: Last May, researchers published a bombshell report documenting sophisticated malware attributed to the Russian government. The malware, dubbed "LoJax," creates a persistent backdoor that survives operating system reinstalls and hard drive replacements. On Wednesday, researchers published new findings that indicate the campaign remains active.

LoJax in May became the first known case of a real-world attack harnessing the power of the Unified Extensible Firmware Interface boot system found in virtually all modern Windows computers. As software that bridges a PC’s firmware and its operating system, UEFI is essentially a lightweight operating system in its own right. That makes it a handy place to hide rootkits because once there a rootkit will remain in place even after an OS is reinstalled or a hard drive is replaced. LoJax gets its name from LoJack, an anti-theft product from developer Absolute Software. The rootkit is a modified version of a 2008 release of LoJack (then called Computrace). The anti-theft software achieved persistence by burrowing into the UEFI of the computer it was protecting. The design ensured that even if a thief made major changes to a computer’s hardware or software, a LoJack “small agent” would remain intact and be able to contact Absolute Software servers.

LoJax repurposes the LoJack software and exploits a key shortcoming—the lack of any means for the Absolute Software server to authenticate itself to the software. LoJax uses most of the working functionality of the legitimate anti-theft tool—a feature that long made it hard for antivirus software to detect the malware. The trojan makes modifications that cause it to connect to servers believed to be operated by Fancy Bear, a hacking group that works under the direction of the Russian government. LoJax samples first came to light in the report Netscout (previously known as Arbor Networks) published in May 2018. In September, researchers from Eset documented LoJax samples and found at least one case in which the rootkit was successfully installed in the flash memory of a computer’s Serial Peripheral Interface. Now Netscout is back with new research that analyzes new samples. They reveal some never-before-seen control server domains, at least two of which remain active now.

https://arstechnica.com/information-tech...ns-active/