-
ESET
Click on cover to enlarge.
Buy This Book
From Amazon.
0 - 1Hours to read
دانلود کتاب LOJAX : First UEFI rootkit found in the wild, courtesy of the Sednit group
by ESET|
|
عنوان فارسی: LOJAX: روت کیت اول UEFI در وحشی، با حسن نیت ارائه شده از گروه Sednit |
دانلود کتاب
جزییات کتاب
Sednit also known as APT28, Sofacy, Strontium and Fancy Bear – has been operating since at least 2004, and has made headlines frequently in the past years: it is believed to be behind major, high profile attacks . For instance, several security companies [1] as well as the US Department of Justice [2] named the group as being responsible for the Democratic National Committee (DNC) hack just before the US 2016 elections . The group is also presumed to be behind the hacking of global television network TV5Monde [3], the World Anti-Doping Agency (WADA) email leak [4] and many others . Its targets are many and the group
has a diversified set of malware in its toolbox several of which we have documented previously [5],
but this white paper details the first time this group is known to have used a UEFI rootkit .
Key points in this white paper:
• Starting in at least early 2017, trojanized versions of an older userland agent of the popular
LoJack anti-theft software from Absolute Software were found in the wild . We call this trojanized LoJack agent LoJax . LoJack attracted a lot of attention in recent years as it implements a UEFI/BIOS module as a persistence mechanism .
• The presence of known Sednit tools alongside LoJax samples as well as the fact that some of the C&C servers used by these trojanized agents were part of an earlier Sednit network infrastructure allows us to link this UEFI rootkit to the Sednit group with high confidence .
• Along with the LoJax agents, tools with the ability to read systems’ UEFI firmware were found and in one case, this tool was able to dump, patch and overwrite part of the system’s SPI flash memory . This tool’s ultimate goal was to install a malicious UEFI module on a system whose SPI flash memory protections were vulnerable or misconfigured .
• This UEFI module has the responsibility to drop the LoJax agent on the system, making it the first Sednit UEFI rootkit identified . As it resides in the system’s firmware, it can survive a Windows re-install as well as a hard drive replacement .
• There was at least one case where this rootkit was successfully installed in a system’s SPI flash memory . To our knowledge, this is the first UEFI rootkit found in the wild .
has a diversified set of malware in its toolbox several of which we have documented previously [5],
but this white paper details the first time this group is known to have used a UEFI rootkit .
Key points in this white paper:
• Starting in at least early 2017, trojanized versions of an older userland agent of the popular
LoJack anti-theft software from Absolute Software were found in the wild . We call this trojanized LoJack agent LoJax . LoJack attracted a lot of attention in recent years as it implements a UEFI/BIOS module as a persistence mechanism .
• The presence of known Sednit tools alongside LoJax samples as well as the fact that some of the C&C servers used by these trojanized agents were part of an earlier Sednit network infrastructure allows us to link this UEFI rootkit to the Sednit group with high confidence .
• Along with the LoJax agents, tools with the ability to read systems’ UEFI firmware were found and in one case, this tool was able to dump, patch and overwrite part of the system’s SPI flash memory . This tool’s ultimate goal was to install a malicious UEFI module on a system whose SPI flash memory protections were vulnerable or misconfigured .
• This UEFI module has the responsibility to drop the LoJax agent on the system, making it the first Sednit UEFI rootkit identified . As it resides in the system’s firmware, it can survive a Windows re-install as well as a hard drive replacement .
• There was at least one case where this rootkit was successfully installed in a system’s SPI flash memory . To our knowledge, this is the first UEFI rootkit found in the wild .
درباره نویسنده
این کتاب رو مطالعه کردید؟ نظر شما چیست؟
برای ارسال نظر، لطفا وارد شوید.
نظر دهید
Adding comments has been disabled.
نظرات (0)
هنوز نظری داده نشده است. شما اولین باشید!
