LoJax

Malware updated 2 months ago (2024-09-13T19:17:44.531Z)
LoJax is a unique and sophisticated piece of malware that targets the Unified Extensible Firmware Interface (UEFI) of a computer. First detected in 2018 and attributed to the Sednit group, also known as Fancy Bear, it represented a significant leap in malware capability as the first rootkit to attack the UEFI directly. Like other rootkits, it gains access at the administrative level of a computer or network while remaining hidden, and it survives an operating system reinstall, which makes it particularly resilient and difficult to remove.

LoJax operates by exploiting a vulnerability in Computrace LoJack, a software agent that comes preinstalled in the UEFI of many computers. It accesses both the UEFI and LoJack using binary files that compile information about the hardware from the operating system. This is what allows the malware to persist across OS reinstalls and even hard drive replacements, especially on devices without state-of-the-art protection. Notably, series 5 Intel chipsets, introduced in 2008, have been found to be immune to LoJax.

The discovery and analysis of LoJax highlighted the need for organizations to implement cybersecurity measures beyond those aimed at protecting the operating system alone. Many corporate security solutions overlook threats like LoJax because they classify preinstalled software such as Computrace LoJack, and the UEFI firmware itself, as safe. The danger of LoJax therefore lies not only in its ability to infect the UEFI, but also in the fact that it often goes undetected by conventional security solutions.
Description last updated: 2024-09-13T19:15:46.863Z
Aliases: We are not currently tracking any aliases
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Rootkit
Malware
Analyst Notes & Discussion
Associated Malware
Alias | Description | Association Type | Votes
BlackLotus | The BlackLotus malware is associated with LoJax. BlackLotus is a harmful malware that targets the Unified Extensible Firmware Interface (UEFI) and Secure Boot systems, exploiting their vulnerabilities to gain persistent kernel access and privileges. It was first detected in 2022 when security researchers discovered a UEFI bootkit being sold on hac | Unspecified | 2
Associated Threat Actors
Alias | Description | Association Type | Votes
Sednit | The Sednit threat actor is associated with LoJax. Sednit, also known as APT28, Fancy Bear, Strontium/Forest Blizzard, Pawn Storm, Sofacy, and BlueDelta, is a threat actor group associated with Russia's military intelligence. This group has been active since at least 2007, targeting governments, militaries, and security organizations worldwide. Sedn | Unspecified | 4
Source Document References
Information about the LoJax malware was read from the documents corpus below.