Pulse: LoJax: First UEFI rootkit
TLP: WHITE | Tag: Sofacy | Author: AlienVault | Created: 2018-09-27 | Modified: 2018-11-20
31 IOCs (medium volume)
UEFI rootkits are widely viewed as extremely dangerous tools for implementing cyberattacks, as they are hard to detect and able to survive security measures such as operating system reinstallation and even a hard disk replacement. Some UEFI rootkits have been presented as proofs of concept; some are known to be at the disposal of (at least some) governmental agencies. However, no UEFI rootkit has ever been detected in the wild – until we discovered a campaign by the Sednit APT group that successfully deployed a malicious UEFI module on a victim’s system.
Indicators of Compromise (31)
TYPE | INDICATOR | DESCRIPTION | CREATED
domain elaxo.org 2018-09-27
domain ikmtrust.com 2018-09-27
domain jflynci.com 2018-09-27
domain lxwo.org 2018-09-27
domain rdsnets.com 2018-09-27
domain remotepx.net 2018-09-27
domain rpcnetconnect.com 2018-09-27
domain secao.org 2018-09-27
domain sysanalyticweb.com 2018-09-27
domain webstp.com 2018-09-27
FileHash-SHA1 09d2e2c26247a4a908952fee36b56b360561984f 2018-09-27
FileHash-SHA1 10d571d66d3ab7b9ddf6a850cb9b8e38b07623c0 2018-09-27
FileHash-SHA1 1771e435ba25f9cdfa77168899490d87681f2029 2018-09-27
FileHash-SHA1 2529f6eda28d54490119d2123d22da56783c704f 2018-09-27
FileHash-SHA1 397d97e278110a48bd2cb11bb5632b99a9100dbd 2018-09-27
FileHash-SHA1 4b9e71615b37aea1eaeb5b1cfa0eee048118ff72 2018-09-27
FileHash-SHA1 700d7e763f59e706b4f05c69911319690f85432e 2018-09-27
FileHash-SHA1 8e138eecea8e9937a83bffe100d842d6381b6bb1 2018-09-27
FileHash-SHA1 cc217342373967d1916cb20eca5ccb29caaf7c1b 2018-09-27
FileHash-SHA1 ddaa06a4021baf980a08caea899f2904609410b9 2018-09-27
FileHash-SHA1 e8f07caafb23eff83020406c21645d8ed0005ca6 2018-09-27
FileHash-SHA1 e923ac79046ffa06f67d3f4c567e84a82dd7ff1b 2018-09-27
FileHash-SHA1 ea728abe26bac161e110970051e1561fd51db93b 2018-09-27
FileHash-SHA1 ef860dca7d7c928b68c4218007fb9069c6e654e9 2018-09-27
FileHash-SHA1 f2be778971ad9df2082a266bd04ab657bd287413 2018-09-27
FileHash-SHA1 f90ccf57e75923812c2c1da9f56166b36d1482be 2018-09-27
FileHash-SHA256 6d626c7f661b8cc477569e8e89bfe578770fca332beefea1ee49c20def97226e 2018-11-20
FileHash-SHA256 aa5b25c969234e5c9a8e3aa7aefb9444f2cc95247b5b52ef83bf4a68032980ae 2018-11-20
hostname mail.regvirt.com 2018-11-20
hostname www.regvirt.com 2018-11-20
email tiborkovacsr@protonmail.com 2018-11-20