Register to stream ATT&CKcon 2.0 October 29-30

LoJax

LoJax is a UEFI rootkit used by APT28 to persist remote access software on targeted systems.[1]

ID: S0397
Type: MALWARE
Platforms: Windows
Contributors: Jean-Ian Boutin, ESET
Version: 1.0

Techniques Used

Domain ID Name Use
Enterprise T1112 Modify Registry LoJax has modified the Registry key ‘HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute’ from ‘autocheck autochk to ‘autocheck autoche . [1]
Enterprise T1096 NTFS File Attributes LoJax has loaded an embedded NTFS DXE driver to be able to access and write to NTFS partitions. [1]
Enterprise T1060 Registry Run Keys / Startup Folder LoJax has modified the Registry key ‘HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute’ from ‘autocheck autochk to ‘autocheck autoche in order to execute its payload during Windows startup. [1]
Enterprise T1014 Rootkit LoJax is a UEFI BIOS rootkit deployed to persist remote access software on some targeted systems. [1]
Enterprise T1019 System Firmware LoJax is a UEFI BIOS rootkit deployed to persist remote access software on some targeted systems. [1]

Groups That Use This Software

ID Name References
G0007 APT28 [1]

References