SOFTWARE
Arp
at
cmd
Dok
FTP
Net
Orz
Reg
RTM
Tor
yty
SOFTWARE
1-9
A-B
Arp
at
C-D
cmd
Dok
E-F
FTP
G-H
I-J
K-L
M-N
Net
O-P
Orz
Q-R
Reg
RTM
S-T
Tor
U-V
W-X
Y-Z
yty
  1. Home
  2. Software
  3. LoJax

LoJax

LoJax is a UEFI rootkit used by APT28 to persist remote access software on targeted systems.[1]

ID: S0397
Type: MALWARE
Platforms: Windows
Contributors: Jean-Ian Boutin, ESET
Version: 1.0
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1112 Modify Registry

LoJax has modified the Registry key ‘HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute’ from ‘autocheck autochk to ‘autocheck autoche .[1]
Enterprise T1096 NTFS File Attributes

LoJax has loaded an embedded NTFS DXE driver to be able to access and write to NTFS partitions.[1]
Enterprise T1060 Registry Run Keys / Startup Folder

LoJax has modified the Registry key ‘HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute’ from ‘autocheck autochk to ‘autocheck autoche in order to execute its payload during Windows startup.[1]
Enterprise T1014 Rootkit

LoJax is a UEFI BIOS rootkit deployed to persist remote access software on some targeted systems.[1]
Enterprise T1019 System Firmware

LoJax is a UEFI BIOS rootkit deployed to persist remote access software on some targeted systems.[1]

Groups That Use This Software

ID Name References
G0007 APT28 [1]

References

  1. ESET. (2018, September). LOJAX First UEFI rootkit found in the wild, courtesy of the Sednit group. Retrieved July 2, 2019.