LoJax Malware

Researchers have uncovered what appears to be the first UEFI rootkit found in the wild, turning active UEFI exploitation from a conference topic into reality.

The UEFI rootkit was found bundled with a toolset able to patch a victim's system firmware in order to install malware at this deep level, ESET researchers said on Thursday.

Such malware survives not only an operating system reinstall but also a hard disk replacement. The only way to remove it, assuming victims know they have been compromised in the first place, is to reflash the firmware, a process typical users rarely perform.

The rootkit is being used by advanced persistent threat (APT) group Fancy Bear, also known as Sednit, APT28, STRONTIUM, and Sofacy. The APT, which has used a variety of sophisticated malware and intrusion tools in the past, is also using the LoJax malware to target government organizations in Europe.

The modified version has been named LoJax to distinguish it from Absolute Software's legitimate solution, but it is still implemented in the same way, as a UEFI/BIOS module, so that it survives operating system wipes or hard drive replacement.

Expanding on this work, ESET said the malicious UEFI module is now being bundled into exploit kits that are able to read and patch UEFI/BIOS settings.

These tools use a kernel driver, RwDrv.sys, which ships with the RWEverything utility, to read low-level information about a PC, such as PCI memory or ROM contents.

Source: ZDNet

How do you protect yourself?

Proper security measures must be in place to defend against LoJax and similar threats. Keeping endpoint security up to date provides a layered set of threat defense techniques to protect systems from malware.

CVE-2018-17613

Telegram Desktop (aka tdesktop) 1.3.16 alpha, when “Use proxy” is enabled, sends credentials and application data in cleartext over the SOCKS5 protocol.

Source: CVE

How do you protect yourself?

Telegram says it is aware of the issue and is working on a fix. As of the writing of this post, no updates or patches are available to install.

Phorpiex/Trik Worm

An established botnet and worm malware family is engaged in a new campaign designed to infect enterprises with GandCrab ransomware.

The malware focuses on infecting Windows devices and attempts to propagate through USB drives, removable storage, and spam.

“Phorpiex as a malware family has been around for several years and hasn’t changed much in purpose, functionality, or code,” researchers from InQuest say. “The malware itself is not incredibly advanced, has minimal evasion techniques, is often not packed during delivery, and is not very subtle when it comes to dropping files on disk or using hard-coded strings where more advanced malware families would be using randomized characters.”

Phorpiex/Trik scans the Internet for exposed Remote Desktop Protocol (RDP) and Virtual Network Computing (VNC) endpoints via port 5900. These endpoints are then targeted, in random order, with brute-force attacks.

The botnet tries a number of weak username and password combinations, including "12345678," "admin," "qwerty," "servidor," and "vnc123." If weak credentials are in use and the protocols have been poorly implemented, the botnet infiltrates the system and uses the endpoint as a foothold to install malware on corporate networks.
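As an added example, not part of the ZDNet article or InQuest's research, here is a small Python detector for the brute-force pattern described above: it flags any source that makes repeated connection attempts to a VNC or RDP port within a short window. The iptables-style log format, sample lines, addresses and thresholds are all constructed for this illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Ports the campaign described above goes after (5900 for VNC, 3389 for RDP).
REMOTE_ACCESS_PORTS = {5900: "VNC", 3389: "RDP"}
THRESHOLD = 5                   # attempts inside one window before a source is flagged
WINDOW = timedelta(seconds=60)

# Constructed iptables-style line format; an assumption made for this example.
LINE_RE = re.compile(r"^(?P<ts>\S+) .*SRC=(?P<src>[\d.]+) .*DPT=(?P<dport>\d+)")

def parse_line(line):
    """Return (timestamp, src, dport), or None for lines that do not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["src"], int(m["dport"])

def detect_bruteforce(lines, threshold=THRESHOLD, window=WINDOW):
    """Return {(src, service): peak_attempts} for sources whose attempts to a
    remote-access port reach `threshold` within any `window`-long interval.
    A sliding window keeps a slow trickle of legitimate logins from being flagged."""
    attempts = defaultdict(list)                 # (src, dport) -> timestamps
    for line in lines:
        parsed = parse_line(line)
        if parsed and parsed[2] in REMOTE_ACCESS_PORTS:
            ts, src, dport = parsed
            attempts[(src, dport)].append(ts)
    alerts = {}
    for (src, dport), stamps in attempts.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:   # drop attempts older than the window
                start += 1
            count = end - start + 1
            if count >= threshold:
                key = (src, REMOTE_ACCESS_PORTS[dport])
                alerts[key] = max(count, alerts.get(key, 0))
    return alerts

# Constructed sample: one host hammering VNC, one admin with two RDP logins an hour apart.
SAMPLE_LOG = [
    f"2018-09-28T10:00:{s:02d} kernel: IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 DPT=5900 SYN"
    for s in range(0, 12, 2)
] + [
    "2018-09-28T09:00:00 kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 DPT=3389 SYN",
    "2018-09-28T10:00:00 kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 DPT=3389 SYN",
    "2018-09-28T10:00:03 kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 DPT=443 SYN",
]

if __name__ == "__main__":
    for (src, service), count in detect_bruteforce(SAMPLE_LOG).items():
        print(f"ALERT: {src} made {count} {service} connection attempts within {WINDOW.seconds}s")
```

On the sample above only the VNC scanner is reported; the two RDP logins an hour apart never share a window and the port 443 line is ignored.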

This week, version 5 of the GandCrab ransomware was released, demanding payment in the Dash or Bitcoin cryptocurrencies. However, the Phorpiex/Trik campaign appears to be spreading version 4 at present.

Source: ZDNet

How do you protect yourself?

Proper security measures must be in place to defend against the Phorpiex/Trik worm and similar threats. Keeping endpoint and firewall security up to date provides a layered set of threat defense techniques to protect systems from malware.