The sub-techniques beta is now live! Read the release blog post for more info.
SOFTWARE
SOFTWARE
1-9
A-B
C-D
E-F
G-H
I-J
K-L
M-N
O-P
Q-R
S-T
U-V
W-X
Y-Z
  1. Home
  2. Software
  3. LoJax

LoJax

LoJax is a UEFI rootkit used by APT28 to persist remote access software on targeted systems.[1]

ID: S0397
Type: MALWARE
Platforms: Windows
Contributors: Jean-Ian Boutin, ESET
Version: 1.0
Created: 02 July 2019
Last Modified: 02 July 2019
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1112 Modify Registry

LoJax has modified the Registry key ‘HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute’ from ‘autocheck autochk to ‘autocheck autoche .[1]
Enterprise T1096 NTFS File Attributes

LoJax has loaded an embedded NTFS DXE driver to be able to access and write to NTFS partitions.[1]
Enterprise T1060 Registry Run Keys / Startup Folder

LoJax has modified the Registry key ‘HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute’ from ‘autocheck autochk to ‘autocheck autoche in order to execute its payload during Windows startup.[1]
Enterprise T1014 Rootkit

LoJax is a UEFI BIOS rootkit deployed to persist remote access software on some targeted systems.[1]
Enterprise T1019 System Firmware

LoJax is a UEFI BIOS rootkit deployed to persist remote access software on some targeted systems.[1]

Groups That Use This Software

ID Name References
G0007 APT28 [1]

References

  1. ESET. (2018, September). LOJAX First UEFI rootkit found in the wild, courtesy of the Sednit group. Retrieved July 2, 2019.