UEFI rootkits are considered extremely dangerous tools, not only because they are difficult to detect, but also because they can survive radical security measures such as reinstalling the operating system or even replacing the hard drive.
Some UEFI rootkits have been presented as PoCs at security conferences, and some may be available to government agencies. Until now, however, no UEFI rootkit had been detected in the wild. ESET has now reportedly discovered a campaign by the Sednit APT group that successfully uses a UEFI rootkit.
The discovery of the first in-the-wild UEFI rootkit is remarkable because it shows that this kind of malware is a real threat and not merely an attractive conference topic.
ESET's analysis of the Sednit campaign using the UEFI rootkit was presented on 27 September at the Microsoft BlueHat 2018 conference and is described in detail in the white paper "LoJax: First UEFI rootkit found in the wild, courtesy of the Sednit group".
The Sednit group has been active since at least 2004 and has carried out major attacks on high-profile targets in recent years. For example, the group allegedly carried out the attack on the US Department of Justice before the 2016 US elections. The group is also held responsible for the attack on TV5Monde, among many others.
ESET's investigation found that this group managed to write a UEFI rootkit to a system's SPI flash memory at least once. The method is highly invasive, as the malware survives both a reinstallation of the operating system and a replacement of the hard disk.
The Sednit group used several components of the LoJax malware to hit governmental organizations in the Balkans and in Central and Eastern Europe.
You can read the entire ESET analysis at the following link