The Fancy Bear LoJax campaign reveals the first documented use of a UEFI rootkit in the wild


Researchers have uncovered what appears to be the first case of a UEFI rootkit in the wild, moving UEFI exploitation from a conference topic to an operational reality.

The UEFI rootkit was found alongside a set of tools that can patch a victim's system firmware to install malware at this deep level, researchers said Thursday.

In at least one recorded case, the actors behind the malware were able to write a malicious UEFI module into a system's SPI flash memory, which in turn drops and executes malicious code on disk during the boot process.

Not only does this technique survive reinstallation of the operating system, it also survives replacement of the hard disk. The only way to remove this malware – assuming victims know they have been compromised in the first place – is to reflash the firmware, a process that ordinary users rarely carry out.

According to ESET, the observed rootkit installation is the first recorded case of a UEFI rootkit active in the wild.

The rootkit is used by the Fancy Bear advanced persistent threat (APT) group, also known as Sednit, APT28, STRONTIUM, and Sofacy.

The APT has been in operation since at least 2004. Led by the Russian government, the hacking group has been linked to attacks on the US Democratic National Committee (DNC) ahead of the US elections, the World Anti-Doping Agency (WADA), the International Association of Athletics Federations (IAAF), the German government and the Ukrainian army, among others.


In research presented Thursday at the Microsoft BlueHat 2018 conference, ESET researchers said the APT, which has used a variety of sophisticated malware and intrusion techniques in the past, is also using the LoJax malware to target government organizations in Europe.

In May, research conducted and published by Arbor Networks suggested that the APT was using LoJack from Absolute Software, a legitimate laptop recovery solution, for malicious purposes.

Samples of the LoJack software had been tampered with so that the hard-coded configuration parameters of its small rpcnetp.exe agent pointed it at a Fancy Bear-controlled command-and-control (C2) server rather than Absolute Software's legitimate server.


When used for legitimate purposes, the software calls back to a server to alert the owner of a device in case of loss or theft. The owner is then able to lock the system and delete files remotely.

"LoJack is an excellent double agent due to its legitimate software appearance while allowing remote code execution," Arbor said.

The modified version has been named LoJax to distinguish it from Absolute Software's legitimate solution, but it is still implemented in the same way – as a UEFI/BIOS module, so that it survives operating system wipes or replacement of the hard drive.

Following up on this work, ESET said the malicious UEFI module is now bundled into toolkits that can access and patch UEFI/BIOS settings.

These tools use a kernel driver, RwDrv.sys, which ships with the RWEverything utility, to read information about a PC's low-level settings, such as PCI settings, memory or ROMs.


"Because this kernel driver belongs to legitimate software, it is signed with a valid code signing certificate," the researchers note.

In addition to the malware, three other tools were found in the updated Fancy Bear kit: one dumps information about the PC's low-level settings into a text file; another saves an image of the system firmware by reading the contents of the SPI flash memory where the UEFI/BIOS resides; and the last adds the malicious UEFI module to that firmware image and writes it back to SPI flash memory.

According to the researchers, this "effectively installs the UEFI rootkit on the system".

This last tool patches the existing firmware and installs the rootkit directly if the platform allows write operations to the SPI flash memory; if write protections are in place, it instead attempts to exploit a known vulnerability to carry out its task.
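The kit described above dumps the SPI flash image, adds a module to it and writes it back. One defensive counterpart, added here as an example and not code from ESET or the article, is to compare a trusted baseline firmware dump with a fresh one: locate each firmware volume via the `_FVH` signature of EFI_FIRMWARE_VOLUME_HEADER, hash it, and report volumes that appeared or changed. The dumps below are constructed fixtures, and `build_fv` is a hypothetical helper that fabricates minimal volumes for the demonstration.

```python
import hashlib
import struct

# EFI_FIRMWARE_VOLUME_HEADER layout (UEFI PI spec): ZeroVector[16],
# FileSystemGuid[16], FvLength (u64) at offset 32, Signature "_FVH" at offset 40.
FV_SIGNATURE = b"_FVH"
FV_LENGTH_OFFSET = 32
FV_SIGNATURE_OFFSET = 40
FV_HEADER_LEN = 48  # header bytes up to the BlockMap, enough for this check

def list_firmware_volumes(image: bytes):
    """Return (offset, length, sha256) for each firmware volume found in a dump."""
    volumes = []
    pos = image.find(FV_SIGNATURE)
    while pos != -1:
        start = pos - FV_SIGNATURE_OFFSET
        if start >= 0 and start + FV_HEADER_LEN <= len(image):
            fv_length = struct.unpack_from("<Q", image, start + FV_LENGTH_OFFSET)[0]
            end = start + fv_length
            if 0 < fv_length and end <= len(image):
                digest = hashlib.sha256(image[start:end]).hexdigest()
                volumes.append((start, fv_length, digest))
        pos = image.find(FV_SIGNATURE, pos + 1)
    return volumes

def compare_dumps(baseline: bytes, current: bytes):
    """Flag volumes added or changed since the baseline; a module written into
    SPI flash, as in the LoJax case, shows up as a new volume or a changed hash."""
    base = {off: (ln, h) for off, ln, h in list_firmware_volumes(baseline)}
    cur = {off: (ln, h) for off, ln, h in list_firmware_volumes(current)}
    findings = []
    for off, entry in cur.items():
        if off not in base:
            findings.append(("new_volume", off))
        elif base[off] != entry:
            findings.append(("modified_volume", off))
    return findings

def build_fv(payload: bytes) -> bytes:
    """Hypothetical helper: fabricate a minimal volume as a constructed test fixture."""
    header = bytearray(FV_HEADER_LEN)
    header[FV_LENGTH_OFFSET:FV_LENGTH_OFFSET + 8] = struct.pack("<Q", FV_HEADER_LEN + len(payload))
    header[FV_SIGNATURE_OFFSET:FV_SIGNATURE_OFFSET + 4] = FV_SIGNATURE
    return bytes(header) + payload

# Constructed dumps: the "current" image carries one volume the baseline lacks.
BASELINE_DUMP = build_fv(b"PEI_CORE") + build_fv(b"DXE_CORE")
CURRENT_DUMP = BASELINE_DUMP + build_fv(b"UNEXPECTED_DRIVER")
FINDINGS = compare_dumps(BASELINE_DUMP, CURRENT_DUMP)  # -> [("new_volume", 112)]
```

On a real machine the two inputs would be a vendor-supplied or freshly-captured baseline image and a later dump of the same SPI flash; a changed hash on an existing volume is just as significant as a new one.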


However, the exploited vulnerability affects only older chipsets that lack the Platform Controller Hub, introduced with Intel's 5 Series chipsets in 2008.

The use of a UEFI rootkit is, in itself, enough to warrant companies' attention. However, because the rootkit is not properly signed, target systems with the Secure Boot feature enabled will only load signed firmware components, and the rootkit is therefore blocked.

"We strongly suggest that you activate it," says ESET. "This is the basic defense against attacks targeting UEFI firmware that can be enabled at boot time through the UEFI settings of your system."

A number of C2 servers used by the LoJax small agent have previously been associated with SedUploader, a backdoor often used by Fancy Bear operators in the early stages of a compromise. The use in the LoJax campaign of XAgent, the APT's flagship backdoor, and Xtunnel, a network proxy tool, reinforces the attribution of the new campaign to the Fancy Bear hacking group.

The researchers say that the use of a UEFI rootkit raises the seriousness of the hacking group's capabilities, making it "full-fledged".

"The LoJax campaign shows that high-value targets are prime candidates for deploying rare or even unique threats, and that these targets must always be on the lookout for compromises," ESET added.
