Fancy Bear’s LoJax rootkit has been foraging since late ‘16

The lethal LoJax malware thought to be the handiwork of hacker group Fancy Bear (APT28) came to light only this past May, but most likely had been wreaking havoc since late 2016, reported Netscout researchers from Arbor’s Security Engineering & Response Team (ASERT).

With a name derived from the LoJack solution to track stolen cars and later adapted by Absolute Software for laptop recovery, LoJax has been described as “unkillable” because the rootkit is left on a computer even after OS reinstalls and hard-drive replacements.  

“In some cases, replacement maybe cheaper than repair,” researchers from Netscout Threat Intelligence, who asked for anonymity, told SC exclusively. “Finding ‘unkillable’ malware in general is also fairly rare, in part because such malware is generally used against high-value targets and because it is only effective so long as it remains hidden.”

The good news is that this type of malware and operation “doesn’t scale well to a massive, global campaign,”believes the Westford, Mass.-based security solutions firm, which surmises that Lojack was likely being used to establish persistence on victim computers, but the larger implications for Lojack’s specific use could be to track the movement of equipment or personnel around the globe.

Asked whether Is LoJax is indisputably the handiwork of Fancy Bear, Netscout Threat Intelligence replied: “There is rarely complete certainty in attribution, but there is substantial evidence that this is the work of Fancy Bear.” A direct link also can be made from the Fancy Bear operations to the Russian government, an assertion also made by the FBI in recent indictments, it noted.

Netscout said it found infrastructure overlap between Lojack and known Fancy Bear domains, some of which were used for phishing. “The victims that we are aware of is of geopolitical interest to Russia and falls in line with Fancy Bear’s historical targeting.” 

Since its initial LoJax discovery eight months ago, Netscout conducted additional research into “infrastructure we believe Fancy Bear (APT28) operators use as part of their toolkit,” Netscout said. “We created fingerprints that enabled us find additional LoJax servers using our ATLAS collection platform.”

The new research identified multiple active LoJax servers, whose IPs had been uncovered by ASERT’s collection platform, as well as published by other researchers. It also found suspected corresponding C2 domains, some of which have not been previously seen in LoJax.

“Since exposing the use of LoJaxin May 2018, security researchers proved Fancy Bear used it as part of an UEFI-based rootkit in September of 2018, making LoJax resilient to hard drive replacements and Windows OS re-installs,” Netscout explained. (UEFI is an abbreviation for Unified Extensible Firmware Interface, a specification that defines a software interface between an operating system and platform firmware.)Commenting on the latest LoJax revelation, a poster with a Guy Fawkes mask on the U.K. online forum The Register, cast aspersions by quipping: “Low-profile and discrete (sic) activity over a few years sounds like a government operation to me.”

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.