UEFI rootkits are considered extremely dangerous tools, as they are difficult to detect, but also because they can "survive" radical security measures, such as resettinginstallation of the operating system or even from replacing the hard drive.
Some UEFI rootkits have been presented as PoCs at security conferences, and perhaps some of them are available to government agencies. However, no UEFI release has been detected to date rootkit. But ESET has reportedly discovered a campaign from the Sednit APT group that uses successfully UEFI rootkits.
The discovery of the first UEFI rootkits is notable because it shows that malware is a real threat and is not just an attractive conference topic.
ESET's analysis of the Sednit campaign using the UEFI rootkit was presented at 27 September at the Microsoft BlueHat 2018 conference and is described in detail in the white paper: “LoJax: First UEFI rootkit found in the wild, courtesy of the Sednit group”.
H om? Ada Sednit works by at least 2004 and has been a major attack on high profile goals in recent years. For example, the group allegedly carried out the attack on the US Department of Justice before the 2016 US elections. The team is also held responsible for the attack on TV5Monde, and many more.
The ESET survey found that this particular team managed to install a UEFI rootkit at least once in a flash SPI system. The method is highly invasive, as malware can survive both after reinstalling the operating system and after replacing the hard disk.
The Sednit team used several components of LoJax malware to hit governmental organizations in the Balkans, Central and Eastern Europe.
You can read the entire ESET analysis from the following link
https://www.welivesecurity.com
________________________
- Windows vs Linux you like does not like it
- Windows 10 October 2018 Update Installation and a first look