LoJax is the First UEFI Rootkit, and It Is a Highly Sophisticated Threat

What is LoJax is the First UEFI Rootkit, and It Is a Highly Sophisticated Threat?

Do you know what kind of malware might persist even if the infected operating system is reinstalled and the hard disk is replaced? It is UEFI (Unified Extensible Firmware Interface) rootkits. In the past, these rootkits were detected only in internal labs controlled by malware researchers, but LoJax has changed the history. It is the first UEFI rootkit to have been found in the wild. Intel created UEFI to replace BIOS (Basic Input/Output System), and all chipsets should use it by 2020. Unfortunately, that means that anyone could become the target of this malware. The rootkit was found to communicate with C&C servers that belong to Sednit, a well-known cyber-espionage group that is also known by other names, including Fancy Bear, PT28, Sofacy, and Strontium. This group has been active since 2004, and it is known for attacking government-level agencies and organizations.

The name of the rootkit (LoJax) comes from a legitimate anti-theft program called “LoJack.” The connection between the rootkit and the program is a file called “rpcnetp.exe.” It is an agent originally used by LoJack, but researchers have found that the malicious LoJax rootkit has been able to modify it to divert communication from LoJack’s C&C servers to those used by malicious attackers. The authentic anti-theft program has the functionality to connect to remote servers when the user requests it due to missing or stolen computers. When it comes to the rootkit, it is communicating with C&C servers to receive malicious commands. Before all that, the rootkit has to slither into the operating system, and because it does that silently – and because it hides behind LoJack – it is also classified as a Trojan.

How is LoJax distributed?

According to malware experts, LoJax could spread using various methods. Considering that the infection itself is quite unique and surprising, the distribution methods could be just as unique and surprising too. Of course, spam emails with corrupted links and attachments, vulnerable RDP connections, and other malicious infections are likely to be involved. If the rootkit is discovered on the system – which isn’t easy to do whatsoever – other threats are likely to be present too. Once the rootkit infects the system silently, the first thing it does is it creates a backup of a file named “autochk.exe.” It is an original Windows file that the infection overwrites with a malware dropper. The executable is used to write the UEFI module into the system’s SPI (Serial Peripheral Interface) flash memory. If that fails, Intel BIOS locking mechanism vulnerability (CVE-2014-8273) is exploited to reach the same goal.

LoJax executes malware during the boot process using the SPI flash memory module. This malware is the rpcnetp.exe file that we mentioned already. Unfortunately, figuring out which file – the original one or the corrupted one – requires removal is very difficult. However, if the file is deleted, the malicious code cannot run. This malicious code exists as a DLL file that is loaded into the memory, and it injects svchost.exe and iexplore.exe processes. Once established and rooted into the system, LoJax can download and execute any malicious code, which makes it a tremendously dangerous threat to anyone’s virtual security. The good news is that regular users are unlikely to be the target of this malware. On the other hand, the damage could be much greater if the rootkit slithered into the operating systems and networks of governments and security agencies.

How to protect systems against LoJax and remove the rootkit

When it comes to the removal of LoJax, it is most important to prevent the infection from slithering in at all. The operating systems must be secured and updated so that no backdoors and vulnerabilities could be detected and exploited. Users also need to be mindful about how they browse the web, what kinds of devices they connect to their systems, what emails they open, and how they interact with content online. It is also recommended that the “Secure Boot” feature in UEFI is enabled at all times. The UEFI firmware must be updated too. When it comes to removal, it appears that the only way to delete LoJax is by replacing the computer’s mother board or flashing the UEFI firmware. It should be noted that inexperienced users should not try this on their own because they could create more problems for themselves.


ESET Research, September 27, 2018. LoJax: First UEFI rootkit found in the wild, courtesy of the Sednit group. Welivesecurity. 100% FREE spyware scan and
tested removal of LoJax is the First UEFI Rootkit, and It Is a Highly Sophisticated Threat*


Leave a Comment

Enter the numbers in the box to the right *