Lojax, the new threat developed by Fancy Bear

Share this…

Relevant information on the most recent threat of this dangerous hacking group

Recently, the findings of digital forensics specialists have been published on a new cyberattack campaign launched by the renowned group of malicious hackers called Sednit (also known as Fancy Bear). The investigation has concluded that this is the first malware that successfully infects the firmware component in a device called UEFI (formerly known as BIOS), a central and critical component for the operation of a computer.

Nicknamed “LoJax” by digital forensics experts who discovered it, this malware is the first UEFI rootkit found in a real environment capable of persist in the victims’ computers. Here are some relevant points about this threat:

  • It has been called LoJax because it uses some components of LoJack
  • LoJack is an anti-theft software installed on some computers that allows the user to track the computer’s location. LoJack was created to work even if the user reinstalls Windows or change their hard drive
  • It is highly probable that LoJax malware has been developed by the hacker group Sednit (Fancy Bear)

What is UEFI?

Any computer uses one of two types of firmware: UEFI (the latest) or BIOS (the older version). This is the black screen that appears before the operating system screen (either Windows, macOS, Linux) and helps to tell a computer how to boot and access other hardware (such as hard drive, DVD drive,) and is hosted within the so-called SPI Flash Memory.

According to specialists in digital forensics from the International Institute of Cyber Security, The fact that LoJax infects UEFI means that the infection can not only persist after a reinstallation of the operating system, but it can also survive a hard drive replacement.

An infection in the UEFI means the attacker has total control over the device. Besides the compromised team is under the control of the hacker, the hacker can compromise other computers on the network. This means that any information from the computer or network to which it is connected can be subtracted or hijacked for hacker’s use.

A first protection measure against LoJax is to update your UEFI/BIOS firmware, if possible directly with the vendor, even so, many manufacturers may not release patches for firmware updating. You can also try to “reflash” the SPI memory, although this can be a complex and delicate process, plus it varies for each motherboard. You can consult with the manufacturer about the possibilities of successfully performing this operation on your device. Finally, you can replace the computer’s motherboard. Since this component is practically the heart of our devices, it may be better to get a new piece than replace the computer completely.