LoJax

Malware updated a month ago (2024-09-13T19:17:44.531Z)
Download STIX
Preview STIX
LoJax is a unique and sophisticated piece of malware that targets the Unified Extensible Firmware Interface (UEFI) of a computer. First detected in 2018, LoJax was attributed to the Sednit group, also known as Fancy Bear, and it represented a significant leap in malware technology by being the first rootkit to directly attack the UEFI. The malware acts like a rootkit, gaining access to a computer or network's administrative levels while remaining hidden, and has the capability to survive an operating system reinstall, making it particularly resilient and difficult to remove. The mechanism through which LoJax operates involves exploiting a vulnerability in Computrace LoJack, a software that comes preinstalled on many computers' UEFI. It accesses both the UEFI and LoJack using binary files that compile information about the hardware from the operating system. This process allows the malware to persist even after OS reinstalls and hard drive replacements, especially on devices without state-of-the-art protection. Notably, series 5 Intel chipsets, introduced in 2008, have been found to be immune to LoJax. The discovery and analysis of LoJax highlighted the need for organizations to implement cybersecurity measures beyond those aimed at protecting operating systems alone. Many corporate cybersecurity solutions overlook threats like LoJax because they classify pre-installed software like Computrace LoJack and the UEFI software as safe. Therefore, the danger of LoJax isn't solely due to its ability to infect the UEFI, but also stems from the fact that it often goes undetected by conventional security solutions.
Description last updated: 2024-09-13T19:15:46.863Z
What's your take? (Question 1 of 3)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Aliases We are not currently tracking any aliases
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Rootkit
Malware
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Associated Malware
To see the evidence that has resulted in these malware associations, create a free account
Alias DescriptionAssociation TypeVotes
The Blacklotus Malware is associated with LoJax. BlackLotus is a harmful malware that targets the Unified Extensible Firmware Interface (UEFI) and Secure Boot systems, exploiting their vulnerabilities to gain persistent kernel access and privileges. It was first detected in 2022 when security researchers discovered a UEFI bootkit being sold on hacUnspecified
2
Associated Threat Actors
To see the evidence that has resulted in these threatActor associations, create a free account
Alias DescriptionAssociation TypeVotes
The Sednit Threat Actor is associated with LoJax. Sednit, also known as APT28, Fancy Bear, Pawn Storm, Sofacy Group, BlueDelta, and Strontium, is a threat actor associated with Russia's military intelligence. The group has been active since at least 2007, primarily targeting governments, militaries, and security organizations worldwide. Notably, SeUnspecified
4
Source Document References
Information about the LoJax Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more