ESET Scientists reveal Fancy Bear’s first documented use of UEFI rootkit targeting European governments

ESET researchers stated that they have found evidence that ‘Fancy Bear’ (Russia-backed hackers group) is using ‘LoJax’ malware to target certain government organizations in Europe. This research was presented on Thursday at the 2018 Microsoft BlueHat conference.

This is the first case of a UEFI rootkit recorded as ‘active’ and still in use. The researchers have not explicitly named the governments that have been targeted. They have only stated that the hackers were active in targeting the Balkans and some central and eastern European countries.

This attempt to target european governments is another one of Fancy Bears tactics after hacking into the Democratic National Committee. The hackers had previously targeted senators, social media sites, the French presidential elections, and leaked Olympic athletes’ confidential medical files, which demonstrates their hacking abilities.

The LoJax UEFI rootkit

LoJax is known for its brutal persistence in making it challenging to remove from a system. It embeds itself in the computer’s firmware and launches when the OS boots up. Sitting in a computer’s flash memory,  LoJax consumes time, effort and extreme care to reflash the memory with a new firmware.

In May 2018, Arbor Networks suggested that this Russian hacker group was utilizing Absolute Software’s ‘LoJack‘– a legitimate laptop recovery solution- for unscrupulous means.

Hackers tampered with the samples of the LoJack software and programmed it to communicate with a command-and-control (C2) server controlled by Fancy Bear, rather than the legitimate Absolute Software server. The modified version was named as LoJax to separate it from Absolute Software’s legitimate solution. LoJax is implemented as a UEFI/BIOS module, to resist operating system wipes or hard drive replacement.
This UEFI rootkit was found bundled together with a toolset that was able to patch a victim’s system firmware and install malware at the system’s deepest level. In at least one recorded case, the hackers behind the malware were able to write a malicious UEFI module into a system’s SPI flash memory leading to the execution of malicious code on disk during the boot process.

ESET further added that the malicious UEFI module is being bundled into exploit kits which are able to access and patch UEFI/BIOS settings. Alongside the malware, three other tools were found in Fancy Bear’s refreshed kit.

• A tool that dumps information related to PC settings into a text file
• A tool to save an image of the system firmware by reading the contents of the SPI flash memory where the UEFI/BIOS is located
• A tool that adds the malicious UEFI module to the firmware image to write it back to the SPI flash memory.

The researchers affirm that the UEFI rootkit has increased the severity of the hacking group. However, there are preventative measures to safeguard your system against this notorious group of hackers. The Fancy Bear’s rootkit isn’t properly signed and hence a computer’s Secure Boot feature could prevent the attack by properly verifying every component in the boot process. This can be switched on at a computer’s pre-boot settings.
For more insights on this news, head over to ZDNet.

Read Next

Microsoft claims it halted Russian spearphishing cyberattacks

Russian censorship board threatens to block search giant Yandex due to pirated content

UN meetings ended with US & Russia avoiding formal talks to ban AI enabled killer robots