UEFI rootkits are considered extremely dangerous tools, not only because they are difficult to detect, but also because they can "survive" drastic security measures, such as reinstalling the operating system or even replacing the hard disk.
Some UEFI rootkits have been presented as PoCs at security conferences, and perhaps some of them are available to government agencies. Until now, however, no UEFI rootkit had been detected in the wild. ESET has now reportedly discovered a campaign by the Sednit APT group that successfully uses a UEFI rootkit.
The discovery of the first in-the-wild UEFI rootkit is remarkable because it shows that UEFI malware is a real threat and not just an attractive conference topic.
ESET's analysis of the Sednit campaign using the UEFI rootkit was presented on September 27 at the Microsoft BlueHat 2018 conference and is detailed in the white paper "LoJax: First UEFI rootkit found in the wild, courtesy of the Sednit group".
The Sednit group has been operating since at least 2004 and has carried out major attacks on high-profile targets in recent years. For example, the group reportedly carried out the attack on the Ministry of Justice of the USA before the 2016 American elections. The group is also considered responsible for the attack on the global television network TV5Monde, among others.
ESET's investigation found that this particular group managed, at least once, to install a UEFI rootkit in a system's SPI flash memory. The method is highly invasive, as the malware survives both a reinstallation of the operating system and a replacement of the hard disk.
The Sednit group used several components of the LoJax malware to hit governmental organizations in the Balkans and in Central and Eastern Europe.
You can read the entire ESET analysis at the following link:
https://www.welivesecurity.com