{
	"id": "3ea22493-1e21-4295-94de-acbb1e23cec0",
	"created_at": "2026-04-06T00:13:39.435941Z",
	"updated_at": "2026-04-10T03:37:50.712755Z",
	"deleted_at": null,
	"sha1_hash": "ca69eaa65e29e3d2cc0a7e145bc2e7b8e85326c2",
	"title": "Detecting UEFI Bootkits in the Wild (Part 1)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1298987,
	"plain_text": "Detecting UEFI Bootkits in the Wild (Part 1)\r\nBy Takahiro Haruyama\r\nPublished: 2021-06-15 · Archived: 2026-04-05 14:05:42 UTC\r\nThreat actors are continually looking for ways to improve the persistence of their malware and implants. Bootkits, meaning rootkits running at the firmware level, have been utilized for this purpose. Once bootkits are installed, they can be extremely difficult to detect or remove compared with OS-level rootkits, because they execute before the actual OS boot process.\r\nThe approach of using bootkits is not a new concept. According to Rootkits and Bootkits, there have been several PoCs and threats targeting legacy BIOS boot systems since 2005. As UEFI boot systems go mainstream, bootkits are also shifting to infecting the firmware in the flash chip on the motherboard instead of the MBR/VBR on the hard drive. The first PoC of a UEFI bootkit was presented in 2013, and such threats have been observed in the wild since 2018.\r\nIn this article, the VMware Carbon Black Threat Analysis Unit (TAU) describes the current threat landscape of UEFI bootkits and then discusses how to detect these threats. OS-level security products are not effective at examining firmware, because bootkits can take over the interfaces those detections rely on (e.g., the FSMIE bit in the HSFC SPI register). Therefore, TAU focuses on detection in the installation phase.\r\nUEFI Bootkit Comparison\r\nTAU analyzed the known UEFI bootkit samples in the wild (LoJax, MosaicRegressor, and TrickBoot) and summarized their characteristics, as displayed in Table 1. We also included the Hacking Team’s Vector-EDK bootkit in the table, as the leaked source code has been heavily reused by threat actors.\r\nTable 1 columns: Hacking Team’s Vector-EDK (source code leakage) | Sednit’s LoJax\r\nUEFI bootkit type: DXE driver (unsigned) | DXE driver (unsigned)\r\ncallback event: EFI_EVENT_GROUP_READY_TO_BOOT | EFI_EVENT_GROUP_READY_TO_BOOT\r\nOS-level executables for installation: N/A | info_efi.exe: application for UEFI firmware reconnaissance; ReWriter_read.exe: application dumping SPI flash memory; ReWriter_binary.exe: application adding SecDxe.efi to UEFI firmware\r\nUEFI bootkit modules: Ntfs.efi: DXE driver for NTFS filesystem read/write; rkloader.efi: DXE driver setting a callback for fsbg.efi; fsbg.efi: UEFI application running the main bootkit code; ReSetfTA.efi: UEFI application resetting the infection marker for debug | SecDxe.efi: bootkit DXE driver with Ntfs.efi\r\ntarget hardware platform: N/A | misconfigured or fairly old systems (on motherboards older than Platform Controller Hub chipsets introduced around 2008) without the SMM_BWP configuration bit\r\nreconnaissance: N/A | BIOS control register LE/WPD(WE)/EISS(SMM_BWP) bits, SPI Protected Ranges (PR registers PR0–PR4), NVRAM UEFI variables “SecureBoot/SetupMode/AcpiGlobalVariable” (SeSystemEnvironmentPrivilege required), etc.\r\ninstallation technique: N/A | changing the BIOS control register; exploiting vulnerabilities: VU#766164, CVE-2017-3197 (potentially)\r\nOS infection marker: NVRAM UEFI variable “fTA” = 1 | N/A\r\nOS persistence technique: Startup folder | registry value “HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Ses Manager\\BootExecute” = ‘autocheck autoche *’ (offline detection only)\r\ncode reuse: N/A | RWEverything kernel driver (RwDrv.sys); Hacking Team’s Ntfs.efi: the inline DXE driver is 93% matched\r\nobfuscation/compression: N/A | Tiano compression (SecDxe.efi)\r\nTable 1: UEFI Bootkit Comparison\r\nhttps://blogs.vmware.com/security/2021/06/detecting-uefi-bootkits-in-the-wild-part-1.html\r\nPage 1 of 4\n\nInfection Process\r\nThe components used by the UEFI bootkits are classified into two categories: OS-level executables for bootkit installation (a kernel driver and user-mode applications) and UEFI modules (DXE drivers and, if any, UEFI applications). The infection vector of MosaicRegressor is unknown, and TrickBoot contains no UEFI module. Only LoJax has both. The rough LoJax bootkit installation flow and the relationship between the components are as follows.\r\nFigure 1: LoJax UEFI bootkit installation process\r\n1. One of the user-mode applications collects UEFI firmware information such as BIOS write protection settings and SPI registers.\r\n2. A user-mode application saves the UEFI firmware image extracted from the SPI flash memory.\r\n3. A user-mode application not only dumps the firmware image but also adds a DXE driver (SecDxe) into the image.\r\n4. The same executable disables the BIOS write protections before the firmware modification, by just changing the BIOS control register or, if needed, by exploiting known vulnerabilities like VU#766164.\r\n5. The same executable writes the modified firmware image to the SPI flash.\r\nAll of these applications abuse a kernel driver (RwDrv.sys) from the third-party tool RWEverything.\r\nAfter a bootkit installation, the bootkit execution starts with DXE drivers in all cases. The drivers register a callback to intercept the EFI_EVENT_GROUP_READY_TO_BOOT event. The interception enables attackers to take control before the OS bootloader runs. The drivers are unsigned. Thus, users can prevent the execution by just enabling UEFI Secure Boot.\r\nThe TrickBoot sample only implements the platform identification and BIOS write protection status check functionalities for reconnaissance.\r\nCode Reuse\r\nThreat actors generally take the easiest approach to complete their intended objective. UEFI bootkit implementation is no exception. As described in the previous section, a kernel driver is required to access the SPI flash memory during the bootkit installation. LoJax and TrickBoot reuse RWEverything’s RwDrv.sys, as there are already some open source implementations communicating with the driver (e.g., CHIPSEC and fwexpl). TrickBoot additionally reuses the fwexpl code in its user-mode application.\r\nAnother reused code base is Hacking Team’s Vector-EDK. MosaicRegressor is almost the same except for minor changes. LoJax also reuses the DXE driver (Ntfs.efi) for NTFS filesystem read/write. The bootkit drops the agent program onto the disk, which is where the driver is used.\r\nObfuscation and Compression\r\nExcept for TrickBoot’s DLL module, no obfuscation technique is generally used by the droppers. The module utilizes the open source obfuscation library ADVobfuscator, which obfuscates most strings. The obfuscation technique is specifically a combination of dynamic string construction in a stack area and a decode routine dedicated to each string. As it is time-consuming to defeat the compiler-level obfuscation by static analysis only, TAU has released an IDAPython script that de-obfuscates the strings based on a code emulator (FireEye’s flare-emu).\r\nFigure 2: One example of strings obfuscated by ADVobfuscator\r\nIt should be noted that the LoJax samples utilize the Tiano compression algorithm on the DXE driver (SecDxe.efi). The compressed driver is written to the SPI flash without decompression, as the algorithm is natively supported by EDK II (the UEFI build system).\r\nOur Detection Approach\r\nTAU has developed approaches to detecting and blocking common techniques used to install UEFI bootkits. Both approaches focus on the behaviors outlined above. The screenshot below shows how Zero Touch Prevention can detect and stop activities related to the installation of bootkits.\r\nWrap-up\r\nTAU reviewed the UEFI bootkits in the wild and then discussed detection rules focusing on their common characteristics. The techniques used by the bootkits are nothing new, but we should pay more attention to the threat as they are starting to be observed in commodity cybercrime malware like TrickBot. TAU will dig into the bootkit’s low-level behavior during installation for generic rule creation next time.\r\nLast but not least, please note that the fundamental solution against UEFI bootkits is to enable UEFI Secure Boot or Platform Secure Boot (Verified and Measured Boot). The UEFI Secure Boot function authenticates UEFI modules with digital signatures and then takes action according to the policy if the authentication fails. Verified and Measured Boot such as Intel Boot Guard does the same thing; however, the root of trust for the authentication depends on immutable hardware logic. TAU recommends that customers utilize either of them (the latter if possible). If customers can’t enable it for some reason, our detection rules will be beneficial.\r\nSource: https://blogs.vmware.com/security/2021/06/detecting-uefi-bootkits-in-the-wild-part-1.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blogs.vmware.com/security/2021/06/detecting-uefi-bootkits-in-the-wild-part-1.html"
	],
	"report_names": [
		"detecting-uefi-bootkits-in-the-wild-part-1.html"
	],
	"threat_actors": [
		{
			"id": "a3687241-9876-477b-aa13-a7c368ffda58",
			"created_at": "2022-10-25T16:07:24.496902Z",
			"updated_at": "2026-04-10T02:00:05.010744Z",
			"deleted_at": null,
			"main_name": "Hacking Team",
			"aliases": [],
			"source_name": "ETDA:Hacking Team",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e90c06e4-e3e0-4f46-a3b5-17b84b31da62",
			"created_at": "2023-01-06T13:46:39.018236Z",
			"updated_at": "2026-04-10T02:00:03.183123Z",
			"deleted_at": null,
			"main_name": "Hacking Team",
			"aliases": [],
			"source_name": "MISPGALAXY:Hacking Team",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434419,
	"ts_updated_at": 1775792270,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ca69eaa65e29e3d2cc0a7e145bc2e7b8e85326c2.pdf",
		"text": "https://archive.orkl.eu/ca69eaa65e29e3d2cc0a7e145bc2e7b8e85326c2.txt",
		"img": "https://archive.orkl.eu/ca69eaa65e29e3d2cc0a7e145bc2e7b8e85326c2.jpg"
	}
}