LoJax is a malevolent rootkit/Trojan that can slither in silently and put the affected system in jeopardy. Once in place, the malicious threat can be used by remote attackers to execute malicious code and aid with complex attacks. Unfortunately, getting rid of the rootkit is not easy. As a matter of fact, it is basically impossible, and in order to delete it, you either need to flash your firmware or replace the motherboard. Replacing hardware is not cheap, and flashing firmware is a highly complex process that requires great expertise. That being said, even if you lack experience, it is necessary to take action because this rootkit can cause many serious problems. Researchers have found that the creator of this rootkit (Sednit; alias names: APT28, Fancy Bear, Strontium, Sofacy) has targeted the US Department of Justice, TV5Monde, the World Anti-Doping Agency, and many other big organizations in the past. It is likely that big organizations will be the ones having to remove LoJax too.
According to malware experts, LoJax is an incredibly unique infection. Of course, it is not the first Trojan or the first rootkit in the world, but it is the first one to affect UEFI, which stands for Unified Extensible Firmware Interface. UEFI was created as a replacement for BIOS, and it is bound to dominate firmware in the future. Unfortunately, it is unlikely that this is the only threat that will be able to affect UEFI; it is just the first one. Malicious, clandestine Trojans could be employed to spread this rootkit, but it could also spread through some of the more conventional entry points, including spam emails or vulnerable RDP channels. The threat is also expected to affect systems that are inherently vulnerable, i.e., outdated or unprotected. It is crucial to keep this in mind, because keeping LoJax out is imperative. While that might not be easy, it certainly is much easier than deleting LoJax. The thing is that once this threat grabs the system by its tentacles, not much can be done, which is why prevention of the attack is key.
If LoJax finds its way in, it immediately creates a backup of autochk.exe and then overwrites it with a dropper that downloads and executes the rootkit's components. The file belongs to Windows, and so anti-malware software cannot detect and delete it as a threat. It is used to inject a malicious UEFI module into the SPI flash memory, which is done using the RWEverything software. During the boot process, this module downloads and executes malware, namely rpcnetp.exe. A file with the same name belongs to LoJack, which is legitimate anti-theft software created by Absolute Software Corporation. The corrupted variant of the file ensures that the malicious LoJax code runs via a .DLL file. According to our researchers, the infection can be used to execute malicious code and help facilitate attacks against governments located mostly in Europe. Of course, no one can guarantee that regular users would not come under fire too.
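Because the dropper replaces a genuine Windows binary and the dropped agent shares its name with a legitimate LoJack file, a signature scan alone is a weak check; what actually exposes the change is comparing the files on disk against hashes recorded from a known-clean system. The script below is an added example (it is not code from this article, from ESET, or from Absolute Software) that does exactly that for the two indicators named above: it records a baseline hash of autochk.exe, then flags the file as modified if its hash drifts and flags rpcnetp.exe as unexpected if it appears without being in the baseline. The demo runs against a constructed temporary directory with placeholder bytes standing in for the real binaries; the directory name, the placeholder contents and the watch list are assumptions made for the example.

```python
import hashlib
import tempfile
from pathlib import Path

# Indicators named in the article: a Windows binary that should only change
# with an update (autochk.exe) and a file that only a LoJack installation
# would legitimately place next to it (rpcnetp.exe). Both lists are assumptions
# chosen for this example and can be extended.
BASELINE_FILES = ["autochk.exe"]
WATCH_FILES = ["rpcnetp.exe"]


def sha256_of(path):
    """Stream the file so large system binaries are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def record_baseline(directory, names=BASELINE_FILES):
    """Hash the trusted copies once (for instance right after a clean install)
    and store the result off-host, where a compromised machine cannot rewrite it."""
    directory = Path(directory)
    return {name: sha256_of(directory / name)
            for name in names if (directory / name).is_file()}


def check_directory(directory, baseline, watch=WATCH_FILES):
    """Report baseline files whose hash drifted, baseline files that vanished,
    and watched files that appeared without being part of the baseline."""
    directory = Path(directory)
    findings = {"modified": [], "missing": [], "unexpected": []}
    for name, expected in baseline.items():
        path = directory / name
        if not path.is_file():
            findings["missing"].append(name)
        elif sha256_of(path) != expected:
            findings["modified"].append(name)
    for name in watch:
        if name not in baseline and (directory / name).is_file():
            findings["unexpected"].append(name)
    return findings


def demo():
    """Constructed scenario in a temp dir: baseline a clean placeholder
    'autochk.exe', then simulate the overwrite and the dropped 'rpcnetp.exe'
    the article describes. The bytes are placeholders, not real binaries."""
    with tempfile.TemporaryDirectory() as tmp:
        sys32 = Path(tmp)  # stands in for C:\Windows\System32
        (sys32 / "autochk.exe").write_bytes(b"MZ clean autochk placeholder")
        baseline = record_baseline(sys32)
        before = check_directory(sys32, baseline)

        (sys32 / "autochk.exe").write_bytes(b"MZ overwritten dropper placeholder")
        (sys32 / "rpcnetp.exe").write_bytes(b"MZ dropped agent placeholder")
        after = check_directory(sys32, baseline)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("clean host :", before)
    print("after drop :", after)
```

On a real host you would run record_baseline against the System32 directory of a machine you trust (or against hashes obtained from a clean installation media of the same build) and re-run check_directory from a separate monitoring system, refreshing the baseline after each Windows update. A hit on rpcnetp.exe is only an indicator when LoJack is not installed; in either case the decisive signal is a hash mismatch on a file Windows itself owns, and, as the article notes, a positive result calls for firmware reflashing or a motherboard replacement rather than file deletion, because the UEFI module will write the files back at the next boot.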
If you have detected LoJax on your Windows operating system, you are in big trouble. You can remedy the situation by replacing the motherboard or by flashing the UEFI firmware, and both solutions come with their own problems. Without a doubt, you must do whatever it takes to get rid of this rootkit because it could become a serious weapon in the hands of cyber criminals. They could attack government systems and disrupt work, steal emails and sensitive data, leak information, jeopardize national security, and cause an array of other problems. Needless to say, deleting LoJax is problematic, which is why you want to protect yourself and your system against it. First and foremost, install all updates whenever they come in. Do not forget to update the UEFI firmware too. Finally, educate yourself and others about the tactics and methods cyber attackers can employ to spread the rootkit or other kinds of malicious threats. Ultimately, whether it is a rootkit, a malicious ransomware encryptor, a keylogger, or a simple PUP, you want your system protected against it.