Security researchers at ESET have reported the first known case of a Unified Extensible Firmware Interface (UEFI) rootkit used in the wild, which they named LoJax. The malware was used by the advanced persistent threat (APT) group Sednit, also tracked as APT28, STRONTIUM, Sofacy and Fancy Bear, in attacks on government organizations in the Balkans and in Central and Eastern Europe.
The researchers found the UEFI rootkit bundled with tools that can read, patch and write back a victim's system firmware, so that the malware ends up installed beneath the operating system rather than on it. ESET said that in one case the toolset was successfully used to write a malicious UEFI module into a system's SPI flash memory; that module is able to execute malware stored on disk during the boot process, so the payload runs every time the machine starts.
The researchers stressed how invasive this persistence method is: it survives reinstalling the operating system and even replacing the hard disk, because the implant lives in the firmware rather than on the drive. Cleaning the firmware requires re-flashing the SPI flash with a known-good image, which ESET noted is not something most users can perform easily.
Thankfully, ESET pointed out that the malicious UEFI module is not properly signed, so Secure Boot can stop this particular attack: with Secure Boot enabled, every component the firmware loads must carry a valid signature, and an unsigned module is refused. ESET therefore recommends enabling Secure Boot. One caveat a practitioner should keep in mind: Secure Boot verifies what the firmware loads, it does not by itself prevent the SPI flash from being written, so the platform's flash write-protection settings still matter.
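To turn ESET's recommendation into something you can actually check on a fleet, the following script is an added example (not code from ESET or from the LoJax toolset). It reads the UEFI SecureBoot and SetupMode variables through Linux's efivarfs and reports whether Secure Boot is really enforcing. It assumes the default efivarfs mount point /sys/firmware/efi/efivars and the EFI_GLOBAL_VARIABLE GUID that both variables use; the sample byte strings at the bottom are constructed for offline testing and are not taken from any real machine.

```python
"""Check whether UEFI Secure Boot is enforcing on a Linux host via efivarfs.

Added example, not ESET's code. Assumptions: efivarfs is mounted at
/sys/firmware/efi/efivars and SecureBoot/SetupMode live under the
EFI_GLOBAL_VARIABLE GUID. The SAMPLE_* byte strings are constructed.
"""
from __future__ import annotations

import struct
from pathlib import Path
from typing import Optional, Tuple, Union

EFI_GLOBAL_VARIABLE_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFIVARS_DIR = Path("/sys/firmware/efi/efivars")  # assumption: default efivarfs mount


def parse_efivar(raw: bytes) -> Tuple[int, bytes]:
    """Split an efivarfs file into (attributes, payload).

    efivarfs prefixes each variable's data with a 4-byte little-endian
    attribute bitmask made of the EFI_VARIABLE_* flags.
    """
    if len(raw) < 4:
        raise ValueError("efivarfs entry shorter than its 4-byte attribute header")
    (attrs,) = struct.unpack("<I", raw[:4])
    return attrs, raw[4:]


def boolean_var(raw: bytes) -> bool:
    """Decode a 1-byte UEFI boolean variable such as SecureBoot or SetupMode."""
    _, data = parse_efivar(raw)
    if len(data) != 1:
        raise ValueError(f"expected a 1-byte boolean variable, got {len(data)} bytes")
    return data[0] == 1


def secure_boot_status(secure_boot_raw: bytes, setup_mode_raw: bytes) -> dict:
    """Combine SecureBoot and SetupMode into an 'enforcing' verdict.

    SecureBoot=1 on its own is not enough: while the platform is in Setup
    Mode it has no enrolled Platform Key and signature checks are not applied.
    """
    enabled = boolean_var(secure_boot_raw)
    setup_mode = boolean_var(setup_mode_raw)
    return {
        "secure_boot": enabled,
        "setup_mode": setup_mode,
        "enforcing": enabled and not setup_mode,
    }


def read_live_status(efivars_dir: Union[str, Path] = EFIVARS_DIR) -> Optional[dict]:
    """Read the real variables from efivarfs; None if the host is not UEFI-booted."""
    efivars_dir = Path(efivars_dir)
    sb = efivars_dir / f"SecureBoot-{EFI_GLOBAL_VARIABLE_GUID}"
    sm = efivars_dir / f"SetupMode-{EFI_GLOBAL_VARIABLE_GUID}"
    if not (sb.exists() and sm.exists()):
        return None
    return secure_boot_status(sb.read_bytes(), sm.read_bytes())


# Constructed samples: attribute mask 0x06 = BOOTSERVICE_ACCESS | RUNTIME_ACCESS,
# followed by the single data byte of the variable.
SAMPLE_SB_ON = b"\x06\x00\x00\x00\x01"
SAMPLE_SB_OFF = b"\x06\x00\x00\x00\x00"
SAMPLE_SETUP_ON = b"\x06\x00\x00\x00\x01"
SAMPLE_SETUP_OFF = b"\x06\x00\x00\x00\x00"

if __name__ == "__main__":
    live = read_live_status()
    if live is None:
        print("no efivarfs: legacy BIOS boot, or not a Linux host")
    else:
        print("live status:", live)
    print("sample (SB on, setup mode off):",
          secure_boot_status(SAMPLE_SB_ON, SAMPLE_SETUP_OFF))
```

Run it as root (efivarfs entries are often root-readable only). A host that prints `enforcing: False` despite `secure_boot: True` is sitting in Setup Mode and is not protected. The equivalent one-liners on other platforms are `mokutil --sb-state` on Linux and the `Confirm-SecureBootUEFI` cmdlet in an elevated PowerShell on Windows.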
Sednit has been involved in several high-profile attacks across the globe including the hacking of the Democratic National Committee (DNC) before the U.S. 2016 elections. The group is believed to be sponsored by the Russian government and was recently caught spoofing conservative groups in the U.S.