What you need to know about “LoJax”—the new, stealthy malware from Fancy Bear


You may have seen in the news that ESET recently published findings on a new cyberattack campaign launched by the infamous hacking group Sednit (aka Fancy Bear, APT28, STRONTIUM, Sofacy, etc.).

This is the first malware observed to successfully infect a computer's firmware, known as UEFI (the successor to what was formerly called BIOS), which is a core and critical component of the machine.

Dubbed “LoJax” by ESET researchers, the malware is the first ever “in-the-wild UEFI rootkit” to establish a presence on victims’ computers. We know that “UEFI” and “BIOS” are technical terms, and explaining a piece of technical research and cyberattacks is not always easy, so below we break down everything you need to know to stay informed—and safe.

What is the name of this first ever "in-the-wild" UEFI malware?

  • ESET has named this malware "LoJax" because it maliciously uses a part of LoJack.
  • LoJack is an anti-theft software installed on some computers that allows the user to track the computer’s location. LoJack was created to work even if the user reinstalls Windows or swaps out the hard drive, as this is something a thief might do first to avoid detection.
  • The LoJax malware was likely created by the Sednit group (aka Fancy Bear, APT28, STRONTIUM, and Sofacy).

What is UEFI (Unified Extensible Firmware Interface)?

  • All computers utilize one of two types of firmware: UEFI (newer) or BIOS (older).
  • It is the code behind the black screen that appears before the OS (Windows, macOS, Linux) loads; it tells the computer how to boot and how to access other hardware (hard drive, DVD drive, etc.), and it lives in a chip called SPI flash memory.

What does it mean to have malware infecting the UEFI?

  • It means the infection can not only survive an operating system reinstall, it can survive a hard drive being replaced.
  • An infection in the UEFI means the attacker who placed it has full control over the device. In addition to doing whatever the attacker wants to the current computer, the attacker can potentially compromise other computers on the network. That means any data (files, videos, webcam, microphone, etc.) on the computer or network it is connected to can be stolen or hijacked for the attacker’s own use.

How do you protect against this UEFI malware?

If you need assistance with any of the following steps, contact your computer manufacturer:
  • Ensure your computer has Secure Boot enabled. Because the LoJax malware is not properly signed, having Secure Boot enabled will keep it from loading and infecting your computer.
  • Update your UEFI/BIOS firmware from your computer manufacturer if possible; however, some manufacturers may not release newer versions or patches.
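One way to verify the Secure Boot recommendation above on a Linux host, as an added example that is not ESET's code: it parses the efivarfs records for the SecureBoot and SetupMode variables (4-byte attribute header followed by a 1-byte value) and assumes efivarfs is mounted at its usual path. It also checks SetupMode, because SecureBoot = 1 with SetupMode = 1 means signature checks are not actually enforced.

```python
import struct
from pathlib import Path

# efivarfs exposes each UEFI variable as "<Name>-<GUID>"; SecureBoot and
# SetupMode both live under the EFI global variable GUID.
EFIVARS = Path("/sys/firmware/efi/efivars")
EFI_GLOBAL_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"


def parse_efivar(raw: bytes) -> tuple[int, bytes]:
    """Split an efivarfs file: 4-byte little-endian attribute mask, then data."""
    if len(raw) < 4:
        raise ValueError("efivarfs record shorter than its 4-byte attribute header")
    (attrs,) = struct.unpack("<I", raw[:4])
    return attrs, raw[4:]


def secure_boot_status(secureboot_raw: bytes, setupmode_raw: bytes) -> str:
    """Classify the boot policy from the raw SecureBoot and SetupMode records.

    SecureBoot = 1 alone is not enough: with SetupMode = 1 no platform key
    is enrolled and the firmware does not enforce signatures, so an unsigned
    UEFI module (such as a rootkit driver) would still be allowed to run.
    """
    _, sb = parse_efivar(secureboot_raw)
    _, sm = parse_efivar(setupmode_raw)
    if not sb or sb[0] != 1:
        return "disabled"
    if sm and sm[0] == 1:
        return "setup-mode"
    return "enforced"


def read_status(efivars_dir: Path = EFIVARS) -> str:
    """Read the live variables, reporting when there is no UEFI variable store."""
    sb_path = efivars_dir / f"SecureBoot-{EFI_GLOBAL_GUID}"
    sm_path = efivars_dir / f"SetupMode-{EFI_GLOBAL_GUID}"
    if not sb_path.exists():
        return "no-efivars"  # legacy BIOS boot, or efivarfs not mounted
    if not sm_path.exists():
        return "unknown"  # cannot tell whether policy is enforced
    return secure_boot_status(sb_path.read_bytes(), sm_path.read_bytes())


if __name__ == "__main__":
    print(f"Secure Boot: {read_status()}")
```

Anything other than "enforced" means an unsigned firmware module could be loaded, so fix the setting in firmware setup before relying on Secure Boot as a defence.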

What do I do if I am infected with LoJax or another UEFI infection?

  • Attempt to reflash the SPI Flash Memory where the UEFI lives. This is a delicate and complex procedure and is different for every motherboard. Your computer manufacturer will be able to tell you if this is possible.
  • Replace the motherboard of the computer. As the motherboard is the heart and soul of a computer, it is typically easier and more cost effective to simply replace the computer.

Can ESET detect and remove a UEFI infection?

  • ESET has a UEFI Scanner built into the latest version of its business and consumer products that can alert you if you are infected. (When you reboot your device, it will scan automatically and let you know if there is UEFI malware on the device. You can also manually initiate a scan by following the instructions here.)
  • Make sure you’re using the newest version of ESET products: V7 for business and V11 for home/consumer.
  • Since UEFI infections are very specific to the hardware firmware that they infect, ESET cannot remove a UEFI infection. However, detection is a critical and first piece to remediating an infection, so always make sure your ESET software is up to date, and pay attention to product alerts.

Learn more about ESET’s UEFI scanner and get your free trial here.