Malware Buried Deep Down the SPI Flash: Sednit's First UEFI Rootkit Found in the Wild

Presented at Black Hat Europe 2018, Dec. 5, 2018, 10:30 a.m. (50 minutes).

BIOS rootkits have been researched and discussed heavily in the past few years, but sparse evidence has been presented of real campaigns actively trying to compromise systems at this level. Our talk will reveal such a campaign, successfully executed by the Sednit group. This APT group, also known as Fancy Bear, Sofacy and APT28, has been linked to numerous high-profile cyberattacks, such as the 2016 Democratic National Committee email leak scandal.

Earlier this year, there was a public report stating that the infamous Sednit/Sofacy/APT28 APT group successfully trojanized a userland LoJack agent and used it against their targets. LoJack, an embedded anti-theft application, was scrutinized by security researchers in the past because of its unusual persistence method: a module preinstalled in many computers' UEFI/BIOS firmware. Over the years, several security risks have been found in this product, but no significant in-the-wild activity was ever reported until the discovery of the Sednit group leveraging some of the vulnerabilities affecting the userland agent. However, through our research, we now know that Sednit did not stop there: they also tried to, and succeeded in, installing a custom UEFI module directly into a system's SPI flash memory.

In this talk, we will detail the full infection chain showing how Sednit was able to install their custom UEFI module on key targets' computers. Additionally, we will provide an in-depth analysis of their UEFI module and the associated trojanized LoJack agent.

Presenters:

  • Jean-Ian Boutin - Senior Malware Researcher, ESET
    Jean-Ian Boutin is a senior malware researcher in the Security Intelligence program at ESET. In his position, he is responsible for investigating trends in malware and finding effective techniques to counter new threats. He has presented at several security conferences, including RECON, Virus Bulletin, CARO and ZeroNights. Jean-Ian completed his Master's degree in computer engineering at Concordia University in Montreal in 2009. His main interests include investigation of financially motivated threat actors and state-sponsored espionage groups. He has also participated in several large botnet takedown operations in conjunction with law enforcement and industry partners.
  • Frédéric Vachon - Malware Researcher, ESET
    Frederic Vachon has been a Malware Researcher at ESET since 2017. His previous work includes investigations on Windows and Linux crimeware campaigns. He is now mainly focused on boot-level threats and UEFI firmware reverse engineering. He has presented at Botconf and HackFest.
