Fancy Bear Attacks with New Malware, LoJax

Russia’s “Fancy Bear” hackers are at it again, this time with a trick that is hard to fix. You may think that the name Fancy Bear sounds familiar, and that’s because it is. This hacker group has been linked to numerous attacks, such as those on the Pyeongchang Olympics, the US Department of Justice, and the Democratic National Committee (DNC), a Microsoft software vulnerability, and more.

The Situation.

Recently, ESET found a new malware, termed LoJax, that embeds itself into the firmware of a computer. Once there, it is very difficult to remove, and equally hard to find. This specific malware can’t be removed by anti-malware products, and can survive even after reinstalling the operating system, or replacing the hard disk.

“Whenever a computer infected with a UEFI malware boots, it will place the LoJax agent on the Windows file system, so that when Windows boots, it’s already infected with the LoJax agent. Even if you clean LoJax from Windows, as soon as you reboot, the UEFI implant will reinfect Windows,” says Alexis Dorais-Joncas, ESET’s security intelligence team lead.

As of now the only remediation options are: reflashing the SPI flash memory to remove the rootkit, changing the motherboard of the system that has been infected, or potentially upgrading the UEFI firmware (not guaranteed to work). Unfortunately, most of those options won’t be achievable by those that are not highly-technical, and it’s likely that the whole device will need to be replaced.

Why LoJax?

LoJax is named for its similarity to LoJack, software from the company Absolute Software. The job of LoJack is to install itself into the firmware of a computer, making it extremely difficult for someone to get away with stealing your laptop. The software is constantly calling back to servers, and even if the thief tries to replace the hard drive, LoJack would still be on the computer and can report its position to the owner. Like LoJack, LoJax is incredibly difficult to get rid of (though at least LoJack was something that the owner signed up for).


The malware can’t attack firmware that is current, so if you keep yours up-to-date you shouldn’t become a victim of this attack. Also, if you’re running Secure Boot on your devices it won’t let the malware by, as it isn’t signed and will be detected and rejected. Secure Boot is a very helpful tool to aid in the prevention of an attack.
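To check the two mitigations above on a Windows machine, the following PowerShell script reports the Secure Boot state and the installed firmware version and date. It is an added example, not code from ESET or from this post; the parameter `$MaxFirmwareAgeDays`, its 365-day default and the function names are assumptions chosen for illustration.

```powershell
# Added example: reports Secure Boot state and firmware age for the local machine.
# Run from an elevated PowerShell prompt on Windows.
# $MaxFirmwareAgeDays is an assumed review threshold, not a vendor rule.
param(
    [int]$MaxFirmwareAgeDays = 365
)

function Get-SecureBootState {
    # Confirm-SecureBootUEFI returns $true/$false on UEFI systems and throws
    # on legacy BIOS systems or when the session is not elevated.
    try {
        if (Confirm-SecureBootUEFI -ErrorAction Stop) { 'Enabled' } else { 'Disabled' }
    }
    catch [System.PlatformNotSupportedException] {
        'NotSupported (legacy BIOS boot)'
    }
    catch [System.UnauthorizedAccessException] {
        'Unknown (run elevated)'
    }
    catch {
        "Unknown ($($_.Exception.Message))"
    }
}

function Get-FirmwareReport {
    param([int]$MaxAgeDays)

    $bios = Get-CimInstance -ClassName Win32_BIOS
    $date = $bios.ReleaseDate          # may be empty on some systems
    $ageDays = if ($date) { [int]((Get-Date) - $date).TotalDays } else { $null }

    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        Manufacturer    = $bios.Manufacturer
        FirmwareVersion = $bios.SMBIOSBIOSVersion
        FirmwareDate    = if ($date) { $date.ToString('yyyy-MM-dd') } else { 'Unknown' }
        FirmwareAgeDays = $ageDays
        # Age only prompts a check; compare the version to the vendor's latest release.
        ReviewFirmware  = ($null -eq $ageDays) -or ($ageDays -gt $MaxAgeDays)
        SecureBoot      = Get-SecureBootState
    }
}

Get-FirmwareReport -MaxAgeDays $MaxFirmwareAgeDays | Format-List
```

A `ReviewFirmware` value of `True` means only that the firmware date is older than the threshold or could not be read; whether an update exists has to be confirmed against the manufacturer's download page.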

While this current iteration of the LoJax malware wasn’t as widespread as others that Fancy Bear unleashed, it is still something that people should be aware of due to the difficulty of finding it and fixing it. Additionally, the group might update the current version once they learn how to work around current firmware security.

With digital security becoming increasingly more imperative (and increasingly harder to have), it is wise to rely on a fully-managed Disaster Recovery as a Service (DRaaS) provider. To ensure that your organization never misses a beat, a reputable DRaaS provider will keep backups to restore your data when a disaster strikes. And we say when because in today’s world it’s not if, but rather when, disaster will strike. Whether that be ransomware, Mother Nature (power outages cost more than $150 billion annually to the United States economy), or employee mistakes (humans are not infallible), a disaster could be right around the corner.

Are you looking to protect critical data? At DSM, Florida’s predictable cloud, we can take care of your data protection needs. Cyber-attacks are on the rise; make sure you're not a victim by contacting us today.
