BlueHat v18 || First STRONTIUM UEFI Rootkit Unveiled

Описание: Jean-Ian Boutin, ESET
Frédéric Vachon, ESET

BIOS rootkits have been researched and discussed heavily in the past few years, but sparse evidence has been presented of real campaigns actively trying to compromise a system at this level. Our talk will reveal such a campaign successfully executed by STRONTIUM.

Earlier this year, there was a public report stating that the infamous Sofacy/APT28/Sednit APT group successfully trojanized a userland LoJack agent and used it against their targets. LoJack, a controversial anti-theft software, was scrutinized by security researchers in the past because of its unusual persistence method: a module preinstalled in many computers' UEFI/BIOS software. Several security risks were found through the years in their product, but no large in-the-wild activity was ever detected until the discovery of the STRONTIUM group leveraging some of these vulnerabilities affecting the userland agent. However, through our research, we now know that they did not stop there: they also tried, and succeeded, in installing a custom UEFI module directly in the systems' SPI flash memory.

In this talk, we will detail the full infection chain showing how STRONTIUM was able to install their custom UEFI module on key targets' computers.
Additionally, we will provide an in-depth analysis of their UEFI module and the associated trojanized LoJack agent.

https://www.slideshare.net/MSbluehat/...