Hackers sponsored by the Russian state appear to be using malware that can persist on Windows PCs even after the operating system is reinstalled.
The security firm ESET discovered the powerful malicious program, dubbed LoJax, infecting a victim's computer and suspects that the malicious code came from the hacking group known as Fancy Bear.
The attack targeted the computer's UEFI (Unified Extensible Firmware Interface), the firmware used to boot the system. By rewriting the UEFI, the malware can persist in the computer's flash memory, allowing it to survive operating system reinstallations and hard disk replacements.
Getting rid of the malware means reading and overwriting the flash storage memory, "an uncommon operation and certainly not for the typical user," ESET said in a blog post.
ESET has refrained from naming the owner of the infected computer, but the security company said it detected Fancy Bear using different components of LoJax against government organizations in the Balkans and in other countries of Central and Eastern Europe.
According to ESET, LoJax is the first time a UEFI-based rootkit has been detected attacking a computer system in the real world. Previously, experts had mostly treated UEFI rootkits as a theoretical attack, even though it had been shown that private security companies were selling such hacking tools to government clients.
"This serves as a heads-up, especially to anyone who might be in the line of sight of (Fancy Bear)," ESET said. The hacker group, also known as Sednit, has been accused of launching attacks on government groups, including the breach of the Democratic National Committee's computer networks during the 2016 presidential campaign. Earlier this year, US federal investigators charged 12 Russian military officers with hacking the DNC.
ESET said that LoJax's behavior mimics a legitimate software tool called LoJack, an anti-theft product that is also difficult to remove from a PC. "The intention of this software is to protect a system against theft, so it is important that it resists the reinstallation of the operating system or the replacement of the hard drive, so it is implemented as a UEFI/BIOS module capable of surviving such events."
Fancy Bear appears to have weaponized the LoJack anti-theft product to help the group attack computers and bypass security software. ESET noted that many antivirus vendors allow LoJack to run on a PC, assuming its processes are safe.
How Fancy Bear delivered the malware is not clear, but once installed it can be used to download other malware modules onto the infected computer. "LoJax's best quality being that it is stealthy and persistent, it could certainly be used to ensure that access to key resources is maintained," ESET said in a separate report.
The security firm suspects that LoJax was developed by Fancy Bear partly on the basis of the command-and-control servers with which the malware was communicating. Domains for these servers were previously used to host other hacking tools developed by Fancy Bear.
The good news is that you can block the LoJax attack with a PC feature called Secure Boot, which verifies that every component loaded during boot, including the firmware modules, is signed with a valid code-signing certificate trusted by the manufacturer. The LoJax malware fails this check. Secure Boot is usually enabled by default. To check, enable or disable it, you will probably have to restart your computer and open the BIOS/UEFI setup screen, where the setting lives.
ESET also recommends that PC owners update the firmware on their motherboard to prevent hackers from exploiting code vulnerabilities in it.
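The two recommendations above (confirm Secure Boot is on, keep the firmware current) can be checked from inside Windows without rebooting. The script below is an added example written for this article, not ESET's code; it uses the built-in `Confirm-SecureBootUEFI` cmdlet and the `Win32_BIOS` CIM class, and handles the case of a legacy-BIOS machine, where the Secure Boot cmdlet throws because the feature does not exist. The firmware date threshold is an assumption you should set to your vendor's latest release.

```powershell
# Added example (not from the article or ESET): report Secure Boot state and
# firmware age so an administrator can see whether the LoJax-style UEFI
# implant described above would even be allowed to load on this machine.
# Run from an elevated PowerShell prompt.

function Get-BootSecurityStatus {
    param(
        # Assumption: anything older than this is treated as "firmware needs updating".
        # Replace with the release date of your vendor's current firmware build.
        [datetime]$FirmwareCurrentAsOf = (Get-Date).AddYears(-1)
    )

    # Secure Boot state. On legacy-BIOS (non-UEFI) systems the cmdlet throws,
    # so catch that and report it explicitly rather than treating it as "off".
    $secureBoot = $null
    $bootMode   = 'UEFI'
    try {
        $secureBoot = Confirm-SecureBootUEFI -ErrorAction Stop
    } catch {
        $bootMode   = 'Legacy BIOS (Secure Boot not available)'
    }

    # Firmware identity and release date from SMBIOS.
    $bios = Get-CimInstance -ClassName Win32_BIOS
    $firmwareOutdated = $bios.ReleaseDate -lt $FirmwareCurrentAsOf

    # Summarize the findings from a defender's point of view.
    $findings = @()
    if ($bootMode -ne 'UEFI') {
        $findings += 'System boots in legacy mode; Secure Boot cannot protect it.'
    } elseif (-not $secureBoot) {
        $findings += 'Secure Boot is DISABLED; unsigned UEFI modules would be allowed to load.'
    }
    if ($firmwareOutdated) {
        $findings += "Firmware $($bios.SMBIOSBIOSVersion) dated $($bios.ReleaseDate.ToShortDateString()) is older than the expected current build."
    }
    if ($findings.Count -eq 0) {
        $findings += 'Secure Boot enabled and firmware appears current.'
    }

    [pscustomobject]@{
        Manufacturer     = $bios.Manufacturer
        FirmwareVersion  = $bios.SMBIOSBIOSVersion
        FirmwareDate     = $bios.ReleaseDate
        BootMode         = $bootMode
        SecureBootEnabled = $secureBoot
        Findings         = $findings
    }
}

# Usage: print a one-machine report.
Get-BootSecurityStatus | Format-List
```

A "False" for SecureBootEnabled on a UEFI machine is the condition the article warns about: the firmware will load an unsigned module such as LoJax's driver without complaint, and the fix is to re-enable Secure Boot in the setup screen. A true UEFI implant cannot be removed by an OS reinstall, so on a machine that is suspected of already being compromised this check is a starting point for investigation, not a clean bill of health; reflashing the firmware from a vendor image is the remedy ESET describes.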