The UEFI LoJax rootkit can infect machines, survive a digital holocaust

Modern computers rely on the Unified Extensible Firmware Interface (UEFI) to boot. When you press the power button on your Mac or PC, UEFI initializes the hardware and hands control to the operating system, whether macOS, Windows, or Linux. However, in a terrifying turn of events, ESET researchers have discovered a piece of malicious software, a rootkit, that infiltrates UEFI and is almost impossible to remove, or even to detect.

Rootkits are malicious pieces of software that infect a user's machine and reach areas that are normally off limits, such as private user data or protected system files. Although the idea of a rootkit abusing UEFI is not new, this is the first time a sample has been found in the wild.

The UEFI rootkit, named LoJax, abuses legitimate software developed by the Canadian company Absolute Software. The company sells an anti-theft product for computers called LoJack, which helps victims locate stolen hardware. One of LoJack's most notable features is its ability to persist on a machine even after the operating system is reinstalled, and the malicious LoJax variant exploits exactly this capability.

LoJax has been attributed to the cyber-espionage and hacking group Fancy Bear. Widely regarded as an arm of the Russian military intelligence agency GRU, the group has been behind numerous major attacks, including those on the German parliament, the White House, NATO, the Democratic National Committee and the International Olympic Committee.

What makes a UEFI rootkit particularly dangerous compared to a standard rootkit is its persistence. LoJax can not only access restricted files on a user's machine, but can also survive the digital equivalent of a complete holocaust. Because the rootkit lodges itself in the machine's SPI flash memory, the chip that stores the UEFI firmware, wiping the internal drive, or even replacing it outright, does not remove it.

The LoJax rootkit can only be removed from a system by reflashing the SPI flash memory, a tricky and error-prone operation, or by replacing the motherboard entirely. Individuals can help protect themselves by making sure Secure Boot is enabled on their machines: with it on, the firmware refuses to load unsigned or otherwise unauthorized UEFI components during boot.
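As an added example (not part of the article or ESET's research), here is a small Python check a defender can run on a Linux host to confirm that Secure Boot is actually enforcing, not merely present: it reads the SecureBoot and SetupMode variables that the kernel exposes through efivarfs and combines them. The efivarfs path and the EFI_GLOBAL_VARIABLE GUID are from the UEFI specification and Linux; the byte strings in the comments are constructed samples.

```python
# Added example, not from the article: decide whether UEFI Secure Boot is enforcing
# on a Linux host by parsing the SecureBoot and SetupMode variables from efivarfs.
from pathlib import Path
from typing import Optional, Tuple

EFIVARS = Path("/sys/firmware/efi/efivars")
# GUID under which the UEFI spec files SecureBoot and SetupMode (EFI_GLOBAL_VARIABLE).
EFI_GLOBAL_VARIABLE = "8be4df61-93ca-11d2-aa0d-00e098032b8c"


def parse_efivar(blob: bytes) -> Tuple[int, bytes]:
    """efivarfs records are a 4-byte little-endian attribute word followed by raw data."""
    if len(blob) < 4:
        raise ValueError("efivarfs record shorter than its 4-byte attribute header")
    return int.from_bytes(blob[:4], "little"), blob[4:]


def boolean_var(blob: bytes) -> Optional[bool]:
    """SecureBoot and SetupMode are single-byte 0/1 values; anything else is 'unknown'."""
    _, data = parse_efivar(blob)
    if len(data) != 1 or data[0] not in (0, 1):
        return None
    return data[0] == 1


def assess(secure_boot: Optional[bytes], setup_mode: Optional[bytes]) -> str:
    """Enforcement needs SecureBoot=1 AND SetupMode=0; SetupMode=1 means no keys enrolled."""
    if secure_boot is None:
        return "no-secureboot-variable"  # legacy BIOS boot, or efivarfs not mounted
    sb = boolean_var(secure_boot)
    sm = boolean_var(setup_mode) if setup_mode is not None else False
    if sb is None or sm is None:
        return "unknown"
    if sb and not sm:
        return "enforcing"    # constructed sample: b"\x06\x00\x00\x00\x01", b"\x06\x00\x00\x00\x00"
    if sm:
        return "setup-mode"   # platform keys absent, so nothing is verified at boot
    return "disabled"


def read_var(name: str) -> Optional[bytes]:
    path = EFIVARS / f"{name}-{EFI_GLOBAL_VARIABLE}"
    return path.read_bytes() if path.exists() else None


def host_secure_boot_status() -> str:
    return assess(read_var("SecureBoot"), read_var("SetupMode"))


if __name__ == "__main__":
    print(host_secure_boot_status())
```

Reading efivars normally needs root; a result other than "enforcing" means an unsigned firmware component like LoJax's driver would not be blocked at boot.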
