LoJax

LoJax is a UEFI rootkit used by APT28 to persist remote access software on targeted systems.[1]

ID: S0397
Type: MALWARE
Platforms: Windows
Contributors: Jean-Ian Boutin, ESET
Version: 1.1
Created: 02 July 2019
Last Modified: 30 March 2020

Techniques Used

Domain ID Name Use
Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

LoJax has modified the Registry key ‘HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute’ from ‘autocheck autochk to ‘autocheck autoche in order to execute its payload during Windows startup.[1]

Enterprise T1564 .004 Hide Artifacts: NTFS File Attributes

LoJax has loaded an embedded NTFS DXE driver to be able to access and write to NTFS partitions.[1]

Enterprise T1112 Modify Registry

LoJax has modified the Registry key ‘HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute’ from ‘autocheck autochk to ‘autocheck autoche .[1]

Enterprise T1542 .001 Pre-OS Boot: System Firmware

LoJax is a UEFI BIOS rootkit deployed to persist remote access software on some targeted systems.[1]

Enterprise T1014 Rootkit

LoJax is a UEFI BIOS rootkit deployed to persist remote access software on some targeted systems.[1]

Groups That Use This Software

ID Name References
G0007 APT28

[1]

References