Category: Email Security

Oct 7, 2018

Security researchers at ESET have identified a new rootkit that takes perseverance to a whole new level. As soon as infected, the LoJax rootkit will remain working on an appliance even if the operating system is reinstalled or the hard drive is reformatted or substituted.

Rootkits are malevolent code that is used to provide an attacker with continuous administrator access to an infected appliance. They are difficult to detect and subsequently, they can remain active on an appliance for long periods, permitting cybercriminals to access an infected appliance at will, thieve information, or infect the appliance with more malware variations.

Although reformatting a hard drive and reinstalling the operating system can typically remove a malware infection, that is not the case for the LoJax rootkit because it compromises the Unified Extensible Firmware Interface (UEFI) – The interface between the firmware of an appliance and its operating system. The UEFI runs pre-boot apps and manages the booting of the operating system. As the LoJax rootkit continues in Flash memory, even substituting a hard drive will have no effect.

The LoJax rootkit may not be detected as most antivirus programs don’t check the UEFI for malware. Even if the rootkit is detected, removing it is far from straightforward. Removal needs the firmware to be flashed.

A lot of cybersecurity experts consider these UEFI rootkits to be theoretical instead of actively being used in real-world attacks, as ESET remarks in a fresh blog post. “UEFI rootkits are generally seen as extremely risky tools for executing cyberattacks. No UEFI rootkit has ever been noticed in the wild – until we discovered a campaign that effectively positioned a malevolent UEFI module on a victim’s system.” The rootkit was installed by a threat group known as Fancy Bear, a cyberespionage group supposed to have strong connections to the Russian military intelligence organization, GRU.

LoJax is not, in itself, an information taker. It is a backdoor that permits a system to be retrieved at will for spying purposes, data thievery, or for the installation of malware. It can also permit an infected appliance to be followed geographically.

What is vague is how the attackers gained access to the device to install the rootkit. ESET considers the most likely way that was reached was with a spear phishing electronic mail. As soon as access to the appliance was achieved, the UEFI memory was read, an image was generated, then changed, and the firmware was substituted with the rootkit installed. The rootkit was installed on an older appliance which had several other kinds of malware installed. More modern appliances have controls in place to avoid such attacks – Secure Boot for example.  However, that doesn’t necessarily imply they are protected.

“Companies must study the Secure Boot construction on their hardware and make certain they are constructed properly to avoid illegal access to the firmware memory,” wrote safety intelligence team lead at ESET, Alexis Dorais-Joncas. “They also require to think about controls for detecting malware at the UEFI/BIOS level.”

The DanaBot banking Trojan was first noticed by safety scientists at Proofpoint in May 2018. It was being utilized in a single campaign targeting clients of Australian Banks. More campaigns were later noticed targeting clients of European banks, and nowadays the attacks have shifted beyond the Atlantic and U.S. banks are being targeted.

Banking Trojans are the main danger. Proofpoint notices that they now account for 60% of all malware transmitted through electronic mail. The DanaBot banking Trojan is being dispersed through spam electronic mail, with the malevolent messages having an embedded hyperlink to websites hosting a Word document with a malevolent macro. If permitted to run it will introduce a PowerShell command which downloads DanaBot.

The DanaBot Trojan thieves identifications for online bank accounts via a blend of banking site web injections, keylogging, taking screenshots and seizing form data. The malware is written in Delphi and is modular and is able of downloading additional parts.

Proofpoint notices that the campaigns it has noticed use different IDs in their server communications which indicate that several people are carrying out campaigns, most probably through a malware-as-a-service offering. So far, nine different IDs have been identified which indicates nine people are carrying out campaigns. Each actor aims a particular geographical area aside from in Australia where there are two people carrying out campaigns.

The latest campaign targeting U.S bank clients is also being conducted through spam electronic mail and similarly links to a Word document with a malevolent macro. The spam electronic mails intercepted by Proofpoint spoof eFax messages, and are complete with proper branding. The electronic mails assert the Word document has a 3-page fax transmission.

Enabling the macro will result in Hancitor being downloaded, which in turn will download the DanaBot banking Trojan and other information stealing malware. A number of U.S banks are being targeted including Wells Fargo, Bank of America, TD Bank, and JP Morgan Chase.

Proofpoint has identified similarities with other malware families proposing it the work of the group behind CryptXXX and Reveton. “This family started with ransomware, to which stealer functionality was added in Reveton. The evolution carried on with CryptXXX ransomware and now with a banking Trojan with Stealer and distant access functionality included in DanaBot.”