LoJax

LoJax is a UEFI rootkit used by APT28 to persist remote access software on targeted systems.[1]

ID: S0397
Type: MALWARE
Platforms: Windows
Contributors: Jean-Ian Boutin, ESET
Version: 1.0

Techniques Used

Domain ID Name Use
Enterprise T1112 Modify Registry

LoJax has modified the Registry key ‘HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute’ from ‘autocheck autochk to ‘autocheck autoche .[1]

Enterprise T1096 NTFS File Attributes

LoJax has loaded an embedded NTFS DXE driver to be able to access and write to NTFS partitions.[1]

Enterprise T1060 Registry Run Keys / Startup Folder

LoJax has modified the Registry key ‘HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute’ from ‘autocheck autochk to ‘autocheck autoche in order to execute its payload during Windows startup.[1]

Enterprise T1014 Rootkit

LoJax is a UEFI BIOS rootkit deployed to persist remote access software on some targeted systems.[1]

Enterprise T1019 System Firmware

LoJax is a UEFI BIOS rootkit deployed to persist remote access software on some targeted systems.[1]

Groups That Use This Software

ID Name References
G0007 APT28 [1]

References