Persistent New LoJax Rootkit Survives Hard Disk Replacement

Security researchers at ESET have identified a new rootkit that takes persistence to a whole new level. Once infected, the LoJax rootkit will remain active on a device even if the operating system is reinstalled or the hard drive is reformatted or replaced.

Rootkits are malicious code that are used to provide an attacker with constant administrator access to an infected device. They are difficult to detect and consequently they can remain active on a device for long periods, allowing cybercriminals to access an infected device at will, steal information, or infect the device with further malware variants.

While reformatting a hard drive and reinstalling the operating system can usually eradicate a malware infection, that is not the case for the LoJax rootkit as it compromises the Unified Extensible Firmware Interface (UEFI) – The interface between the firmware of a device and its operating system. The UEFI runs pre-boot apps and controls the booting of the operating system. Since the LoJax rootkit persists in Flash memory, even replacing a hard drive will have no effect.

The LoJax rootkit may not be detected as most antivirus programs do not check the UEFI for malware. Even if the rootkit is detected, getting rid of it is far from straightforward. Removal requires the firmware to be flashed.

Many cybersecurity professionals consider these UEFI rootkits to theoretical rather than actively being used in real-world attacks, as ESET notes in a recent blog post. “UEFI rootkits are widely viewed as extremely dangerous tools for implementing cyberattacks. No UEFI rootkit has ever been detected in the wild – until we discovered a campaign that successfully deployed a malicious UEFI module on a victim’s system.” The rootkit was installed by a threat group known as Fancy Bear, a cyberespionage group believed to have strong links to the Russian military intelligence agency, GRU.

LoJax is not, in itself, an information stealer. It is a backdoor that allows a system to be accessed at will for espionage purposes, data theft, or for the installation of malware. It can also allow an infected device to be tracked geographically.

What is unclear is how the attackers gained access to the device to install the rootkit. ESET believes the most likely way that was achieved was with a spear phishing email. Once access to the device was gained, the UEFI memory was read, an image was created, then modified, and the firmware was replaced with the rootkit installed. The rootkit was installed on an older device which had many other types of malware installed. More modern devices have controls in place to prevent such attacks – Secure Boot for instance.  However, that does not necessarily mean they are immune.

“Organizations should review the Secure Boot configuration on their hardware and make sure they are configured properly to prevent unauthorized access to the firmware memory,” wrote security intelligence team lead at ESET, Alexis Dorais-Joncas. “They also need to think about controls for detecting malware at the UEFI/BIOS level.”

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of