Fancy Bear hackers’ malware LoJax can survive operating system reinstallations

• LoJax is the creation of the Russian Kremlin-backed hacker group Fancy Bear.
• The malware is the only one of its kind that is capable of attacking UEFI firmware.

LoJax is a recently discovered malware that is believed to be the creation of the Kremlin-backed hacker group Fancy Bear. The malware is believed to be capable of surviving even operating system (OS) reinstallations, indicating that it is likely highly persistent.

Fancy Bear has been active since at least 2004 and is believed to be one of the most prolific cyberespionage groups operating in the wild. However, its most notable attack is likely the one against the US Democratic National Committee (DNC) during the 2016 US presidential election.

UEFI rootkit

LoJax is also the first rootkit believed to be capable of directly attacking the Unified Extensible Firmware Interface (UEFI), which is soon expected to replace BIOS. UEFI is a component found in the motherboard and is the primary key of every system. UEFI controls the operations of the computer's circuits and does not rely on OS to function.

According to security researchers at Panda security, LoJax exploits a vulnerability in Computrace LoJack - an anti-theft software that comes preinstalled on most computers’ UEFI. Computrace LoJack is capable of sending a system’s location data and deleting data.

“The way that LoJax accesses both the UEFI and LoJack is by using binary files that, from the operating system, compile information about its hardware,” Panda Security researchers said in a blog. “LoJax isn’t dangerous simply because of the infection of the UEFI itself, but also due to the fact that many cybersecurity solutions, including corporate cybersecurity solutions that are present in many companies, completely overlook Computrace LoJack and the UEFI software, as the classify it to be safe.”

According to security researchers at Trend Micro, LoJax is designed to deliver malware onto a targeted system and ensure that it begins operating when the computer starts up. In the event that an infection is successful, hackers could use the malware to continually and remotely access the infected system, as well as install and execute additional malware.

How to stay safe?

Fortunately, there are a few security measures one can employ to stay safe from this Fancy Bear malware. UEFI’s secure boot, when activated, requires payloads to be signed properly. Since LoJax is not properly signed, when secure boot is activated, it renders the malware incapable of functioning successfully.

“Organizations should also follow security best practices: Keep the endpoints and firmware patched and up to date; apply the principle of least privilege; and enforce defense in depth through security mechanisms that can thwart threats — from endpoints, networks, servers, and gateways,” Trend Micro researchers said.