S0397 LoJax
LoJax is a UEFI rootkit used by APT28 to persist remote access software on targeted systems.1
| Item | Value |
|---|---|
| ID | S0397 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.1 |
| Created | 02 July 2019 |
| Last Modified | 30 March 2020 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1547 | Boot or Logon Autostart Execution | - |
| enterprise | T1547.001 | Registry Run Keys / Startup Folder | LoJax has modified the Registry key ‘HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute’ from ‘autocheck autochk ’ to ‘autocheck autoche ’ in order to execute its payload during Windows startup.1 |
| enterprise | T1564 | Hide Artifacts | - |
| enterprise | T1564.004 | NTFS File Attributes | LoJax has loaded an embedded NTFS DXE driver to be able to access and write to NTFS partitions.1 |
| enterprise | T1112 | Modify Registry | LoJax has modified the Registry key ‘HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute’ from ‘autocheck autochk ’ to ‘autocheck autoche ’.1 |
| enterprise | T1542 | Pre-OS Boot | - |
| enterprise | T1542.001 | System Firmware | LoJax is a UEFI BIOS rootkit deployed to persist remote access software on some targeted systems.1 |
| enterprise | T1014 | Rootkit | LoJax is a UEFI BIOS rootkit deployed to persist remote access software on some targeted systems.1 |
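The BootExecute modification listed above (T1547.001 / T1112) is easy to check for. The following Python script is an added defender-side example, not part of the ATT&CK entry or ESET's research: it compares each entry of the `BootExecute` REG_MULTI_SZ value against the Windows default `autocheck autochk *` and flags any entry whose native program is not `autochk` (LoJax substitutes `autoche`). The live-registry reader uses the standard `winreg` module and only runs on Windows; the sample values are constructed.

```python
import sys
from typing import List

# Default Windows value of the BootExecute REG_MULTI_SZ (single entry).
DEFAULT_BOOT_EXECUTE = ["autocheck autochk *"]

# Native programs expected in the second token on an unmodified system.
# Assumption: only autochk is legitimate here; extend if your build adds others.
KNOWN_NATIVE_PROGRAMS = {"autochk"}

BOOT_EXECUTE_KEY = r"SYSTEM\CurrentControlSet\Control\Session Manager"


def check_boot_execute(entries: List[str]) -> List[str]:
    """Return human-readable findings for a BootExecute value.

    Each entry has the form '<launcher> <native-program> [args...]'. LoJax keeps
    the 'autocheck' launcher and swaps 'autochk' for its own 'autoche' binary.
    """
    findings = []
    for raw in entries:
        tokens = raw.split()
        if not tokens:
            continue  # empty entries are harmless padding
        if tokens[0].lower() != "autocheck":
            findings.append(f"unexpected launcher in BootExecute entry {raw!r}")
            continue
        if len(tokens) < 2:
            findings.append(f"launcher without native program in entry {raw!r}")
            continue
        program = tokens[1].lower()
        if program not in KNOWN_NATIVE_PROGRAMS:
            findings.append(f"unexpected native program {program!r} in entry {raw!r}")
    return findings


def read_boot_execute_windows() -> List[str]:
    """Read the live BootExecute value on Windows; return [] elsewhere."""
    if not sys.platform.startswith("win"):
        return []
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, BOOT_EXECUTE_KEY) as key:
        value, _ = winreg.QueryValueEx(key, "BootExecute")
    return list(value) if isinstance(value, list) else [str(value)]


if __name__ == "__main__":
    # Constructed sample: the entry LoJax writes, in place of the default.
    sample = read_boot_execute_windows() or ["autocheck autoche *"]
    for finding in check_boot_execute(sample) or ["BootExecute matches expectations"]:
        print(finding)
```

Run it as Administrator on a Windows host to inspect the real value; on other platforms it evaluates the constructed sample only.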
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0007 | APT28 | 1 |