
First-Ever UEFI Rootkit Tied to Sednit APT


The AchieVer


Researcher at ESET outlines research on the first successful UEFI rootkit used in the wild.

 

LEIPZIG, GERMANY – Researchers hunting cyber-espionage group Sednit (an APT also known as Sofacy, Fancy Bear and APT28) say they have discovered the first-ever instance of a rootkit targeting the Windows Unified Extensible Firmware Interface (UEFI) in successful attacks.

 

The discussion of Sednit was part of the 35C3 conference, and a session given by Frédéric Vachon, a malware researcher at ESET who published a technical write-up on his findings earlier this fall (PDF). During his session, Vachon said that finding a rootkit targeting a system’s UEFI is significant, given that rootkit malware programs can survive on the motherboard’s flash memory, giving it both persistence and stealth.

“UEFI rootkits have been researched and discussed heavily in the past few years, but sparse evidence has been presented of real campaigns actively trying to compromise systems at this level,” he said.

 

The rootkit is named LoJax. The name is a nod to the underlying code, which is a modified version of Absolute Software’s LoJack recovery software for laptops. The purpose of the legitimate LoJack software is to help victims of a stolen laptop be able to access their PC without tipping off the bad guys who stole it. It hides on a system’s UEFI and stealthily beacons its whereabouts back to the owner for possible physical recovery of the laptop.

 

Each time the system restarts, the code executes on boot, before the OS loads and before the system’s antivirus software is launched. That means that even if the device’s hard drive is replaced, the LoJack software will still operate.

 

According to Vachon, the bad guys are making good use of this with LoJax. This weaponized, customized version of Absolute Software’s wares dates back to a vulnerable 2009 version, which had several key bugs, chief among them a configuration module that was poorly secured with weak encryption.

 

“This vulnerability allowed Sednit to customize a single byte that contains the domain information for the legitimate software to connect to in order to download the recovery software,” he said. In the case of LoJax, the single byte contained Sednit command-and-control domains that ultimately delivered the rootkit payload.

 

The infection chain is typical: An attack begins with a phishing email or equivalent, successfully tricking a victim into downloading and executing a small rpcnetp.exe dropper agent. The rpcnetp.exe installs and reaches out to the system’s Internet Explorer browser, which is used to communicate with the configured domains.

 

“Once I have a foothold on the machine I can use this tool to deploy the UEFI rootkit,” Vachon explained, adding that the hacker tool takes advantage of firmware vendors allowing remote flashing. “UEFI rootkit is located in the BIOS region of the serial peripheral interface (SPI) flash memory,” he said.

 

Once the UEFI rootkit is installed, there’s not much a user can do to remove it besides re-flashing the SPI memory or throwing out the motherboard, Vachon said.

 

In May, Arbor Networks spotted LoJack being reused by Sednit agents to develop LoJax. But it wasn’t until September that Sednit began to use it in live campaigns, observed by ESET. These are targeting mostly government entities located in the Balkans, as well as Central and Eastern Europe.

 

ESET said it identified a customer who had been infected by the rogue version of LoJax. And last month, the Pentagon made a good-faith gesture to be more open and started uploading malware samples from APTs and other nation-state sources to the website VirusTotal. The first two samples were rpcnetp.dll and rpcnetp.exe, which are both detected as dropper mechanisms for the UEFI rootkit.

 

By enabling Secure Boot, and making sure their UEFI firmware is up to date, end users can protect themselves against attack, Vachon said.

 

source

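The article describes the dropper stage of the chain (rpcnetp.exe executing on the host and using Internet Explorer to reach the configured domains) and names the rpcnetp.exe and rpcnetp.dll samples that were uploaded to VirusTotal. The following is an added detection example, not code from the article, ESET or Absolute Software. It parses a constructed, tab-separated process-creation log (pid, image path, parent image path, command line) and flags the stages the article names. The event format, the file paths and the pids are made up, and the assumption that the dropper's use of Internet Explorer is visible as an iexplore.exe child of rpcnetp.exe is mine; the article does not say how rpcnetp.dll is loaded, so the rundll32 sample line is illustrative only.

```python
"""Detection logic for the LoJax dropper chain described in the article.

Added example, not ESET's or Absolute Software's code. It parses a constructed,
tab-separated process-creation log (pid, image, parent image, command line) and
flags the stages the article names: execution of the rpcnetp.exe dropper, the
dropper driving Internet Explorer for command-and-control, and references to
the rpcnetp.dll dropper component.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Artefact names as given in the article (the samples uploaded to VirusTotal).
DROPPER_EXE = "rpcnetp.exe"
DROPPER_DLL = "rpcnetp.dll"
# Assumption (not stated in the article): the dropper's use of Internet Explorer
# is visible as an iexplore.exe child process of rpcnetp.exe.
BROWSER_NAMES = {"iexplore.exe"}


@dataclass
class ProcessEvent:
    pid: int
    image: str         # full path of the newly created process
    parent_image: str  # full path of the process that created it
    command_line: str


def basename(path: str) -> str:
    """Return the lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def parse_log(text: str) -> List[ProcessEvent]:
    """Parse 'pid<TAB>image<TAB>parent_image<TAB>command_line' lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        pid, image, parent, cmd = line.split("\t", 3)
        events.append(ProcessEvent(int(pid), image, parent, cmd))
    return events


def evaluate(events: List[ProcessEvent]) -> List[Tuple[int, str, str]]:
    """Return (pid, rule, detail) findings for the LoJax dropper stages."""
    findings = []
    for ev in events:
        child = basename(ev.image)
        parent = basename(ev.parent_image)
        # Stage 1: the dropper itself starts (from the article).
        if child == DROPPER_EXE:
            findings.append((ev.pid, "dropper-executed",
                             f"{child} started by {parent}"))
        # Stage 2: the dropper drives the browser (assumed child-process shape).
        if parent == DROPPER_EXE and child in BROWSER_NAMES:
            findings.append((ev.pid, "dropper-uses-browser",
                             f"{parent} spawned {child}: {ev.command_line}"))
        # Stage 3: any process whose command line names the dropper DLL.
        if DROPPER_DLL in ev.command_line.lower():
            findings.append((ev.pid, "dropper-dll-referenced",
                             f"{child} command line names {DROPPER_DLL}"))
    return findings


def scan(text: str) -> List[Tuple[int, str, str]]:
    """Parse a log and evaluate every event against the rules above."""
    return evaluate(parse_log(text))


# Constructed sample log: three events illustrating the chain plus one benign
# event. Paths and pids are made up; the article does not say how rpcnetp.dll
# is loaded, so the rundll32 line is illustrative only.
SAMPLE_LOG = """\
4120\tC:\\Users\\alice\\Downloads\\rpcnetp.exe\tC:\\Program Files\\Mail\\mailclient.exe\trpcnetp.exe
4188\tC:\\Program Files\\Internet Explorer\\iexplore.exe\tC:\\Users\\alice\\Downloads\\rpcnetp.exe\tiexplore.exe -Embedding
4250\tC:\\Windows\\System32\\rundll32.exe\tC:\\Users\\alice\\Downloads\\rpcnetp.exe\trundll32.exe C:\\Users\\alice\\AppData\\Local\\Temp\\rpcnetp.dll,Start
4300\tC:\\Windows\\System32\\notepad.exe\tC:\\Windows\\explorer.exe\tnotepad.exe
"""

if __name__ == "__main__":
    for pid, rule, detail in scan(SAMPLE_LOG):
        print(f"pid {pid}: {rule}: {detail}")
```

Run against the sample, the three malicious events each produce one finding and the notepad event produces none. In a real deployment the parser would be replaced by whatever feeds process-creation telemetry (EDR or Sysmon-style events), and a hit on any rule is a reason to check the machine's SPI flash, since the article notes that the rootkit survives disk replacement and only re-flashing removes it.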
3 hours ago, The AchieVer said:

The infection chain is typical: An attack begins with a phishing email or equivalent, successfully tricking a victim into downloading and executing a small rpcnetp.exe dropper agent.

 

This is exactly the same problem I commented on concerning the hacking of banks and other organizations that allow links and attachments in emails coming from sources outside their systems.  The fix is so easy, strip links and attachments from all outside email, that it should be built into all email servers.  For at least the last 20 years, IT security personnel have tried to train users not to click on links or open attachments, and that failed miserably.  The only working solution is to take it out of the users' hands.  There are even more secure ways that email can be dealt with that would keep an organization's network secure, but they require more resources in both equipment and manpower.



4 minutes ago, straycat19 said:

For at least the last 20 years, IT security personnel have tried to train users not to click on links or open attachments and that failed miserably.  The only working solution is to take it out of the users' hands.  There are even more secure ways that email can be dealt with that would keep an organization's network secure but require more resources in both equipment and manpower.

It’s almost impossible to keep a hook on each and every user, no matter what the IT department tries.

 

More secure ways demands more capital infusion......
