

Posted: October 8, 2018

LoJax is a rootkit that facilitates backdoor attacks against an infected PC. This modular threat combines components that abuse otherwise non-threatening software, partially or wholly, with dedicated, corrupted tools, and it has sophisticated anti-security, persistence, and installation features. Because its attacks subvert more than just the hard drive, users need additional procedures for resetting the infected firmware, on top of removing LoJax and related threats through more typical anti-malware solutions.

Absolute Software Gets Their Product Hijacked

Sednit, the group of threat actors noted for a series of backdoor-oriented threats by the same name and the possible entity behind the 2016 Democratic National Committee hackings, is releasing and circulating a new rootkit. LoJax isn't significant for its motivations or core payload, which operate with goals similar to those of other rootkits. However, it does have one vital claim to fame: it is the first in-the-wild rootkit that takes over the UEFI.

The UEFI, or Unified Extensible Firmware Interface, is an update of the BIOS and handles the connecting of firmware to the operating system. Although it's public knowledge that various governments have access to UEFI-compromising software, LoJax is unique as the first case of a threat actor using such a program in the wild. Malware analysts are confirming that LoJax owes the majority of its capabilities to a component that consists of a harmfully-modified version of Absolute Software's LoJack, a laptop theft recovery program that inserts an installer agent into the Windows OS during system startup.

LoJax then establishes a C&C server connection and conducts activities for harvesting system information and installing other threats, which typically are backdoor Trojans or compromised network proxies like XTunnel. Its active installation exploits require further investigation, but LoJax's authors are using a multi-stage infection process that adapts to the platform that's under attack. It even switches to outdated security exploits, such as a BIOS write protection bypass, whenever other installation options are impossible.

How a Threat Maintains Its Hard-Won Connection at Any Cost

LoJack is an extremely system-persistent utility, and LoJax borrows that strength of design for the more threatening purpose of maintaining its C&C connection. Because LoJax compromises SPI flash memory, standard disinfection of the hard drive, or even the wholesale replacement of it, is inadequate for uninstalling the threat. Users have limited options available: flashing the UEFI settings back to their factory standards or swapping out the motherboard. Neither of these procedures is convenient for the average, typically non-technically-inclined PC owner.

However, different preventative steps can help keep LoJax from compromising a computer in the first place. Some of its installation options require unpatched exploits, which malware experts suggest avoiding by keeping your UEFI updated to the latest version. Systems with pre-Intel Series 5 chipsets also are at risk of infection. Lastly, at least one of LoJax's core components is missing a digital signature, and using the Secure Boot feature can block the installation of that portion of the rootkit. Conclusive anti-malware scans should still be part of any solution for removing LoJax, due to the chance of contamination with additional backdoor Trojans that also will need removing.
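As an added example that is not part of the original article, the following PowerShell function audits the two firmware settings recommended above: whether Secure Boot is enforcing, and how old the installed UEFI firmware is. The function name `Get-FirmwarePosture` and the 365-day age threshold are assumptions chosen for illustration; run it from an elevated prompt.

```powershell
# Added example (not from the original article): report Secure Boot state
# and installed firmware age for the local Windows machine.
function Get-FirmwarePosture {
    param(
        # Assumption: firmware older than this many days is flagged for review.
        [int]$MaxFirmwareAgeDays = 365
    )

    # Confirm-SecureBootUEFI returns $true/$false on UEFI systems and throws
    # on legacy BIOS boots or when the session is not elevated.
    $secureBoot = 'Unknown'
    try {
        $secureBoot = if (Confirm-SecureBootUEFI -ErrorAction Stop) { 'Enabled' } else { 'Disabled' }
    } catch [System.PlatformNotSupportedException] {
        $secureBoot = 'NotSupported (legacy BIOS boot)'
    } catch [System.UnauthorizedAccessException] {
        $secureBoot = 'Unknown (run elevated)'
    } catch {
        $secureBoot = "Unknown ($($_.Exception.Message))"
    }

    # Win32_BIOS reports the installed firmware version and its release date.
    $bios = Get-CimInstance -ClassName Win32_BIOS
    $ageDays = if ($bios.ReleaseDate) {
        [int]((Get-Date) - $bios.ReleaseDate).TotalDays
    } else { $null }

    $findings = @()
    if ($secureBoot -ne 'Enabled') { $findings += "Secure Boot is not enforcing: $secureBoot" }
    if ($null -eq $ageDays) { $findings += 'Firmware release date unavailable' }
    elseif ($ageDays -gt $MaxFirmwareAgeDays) { $findings += "Firmware is $ageDays days old; check the vendor for updates" }

    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        SecureBoot      = $secureBoot
        Manufacturer    = $bios.Manufacturer
        FirmwareVersion = $bios.SMBIOSBIOSVersion
        FirmwareDate    = $bios.ReleaseDate
        FirmwareAgeDays = $ageDays
        Findings        = $findings
    }
}

Get-FirmwarePosture | Format-List
```

An empty `Findings` list means both settings pass this check; firmware age is only a prompt to compare against the vendor's latest release, not proof that an update exists.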

Sednit may be making history with LoJax, but this innovative rootkit isn't after anything that other rootkits haven't accomplished before it, by less extraordinary means. Inevitably, using outdated software makes for an environment that's vulnerable to attacks, and doing a little to keep this rootkit off of your PC is far simpler than recovering a motherboard that's running with someone else's choices of settings.