Security researchers at Netscout Arbor's Security Engineering & Response Team (ASERT) report that LoJack, a seemingly harmless anti-theft program for laptops, is being used as an espionage tool.
According to the report, published on Tuesday, some LoJack agents have been tampered with so that they report to infrastructure suspected of belonging to the Fancy Bear hacking group. Fancy Bear is a well-known Russia-based collective believed to have links to the state and to have conducted a number of cyber-espionage campaigns allegedly on behalf of the Russian government.
LoJack, for its part, is used to protect computers and is trusted by corporations around the world, so the findings are likely to cause concern among corporations and the wider tech community.
According to ASERT, the affected LoJack agents point to command-and-control (C&C) domains that are most likely associated with operations carried out by Fancy Bear.
Because LoJack is an anti-theft tool, it is designed to run unobtrusively and to persist even when the hard drive is replaced or the system is re-imaged. That same design, the researchers note, makes it easy to redirect the agent to attacker-controlled servers instead of the legitimate ones.
The agent obfuscates its hardcoded C2 URL with a single-byte XOR key, which hides the string from a casual look but is trivially reversible, and it performs no integrity check on its configuration: whatever it decodes, it trusts. An attacker who can rewrite that value therefore turns the agent into a double agent. It keeps doing its anti-theft job, but it also carries out whatever its new controller instructs, including spying on the machine.
The software lets administrators remotely lock, locate and wipe files from stolen PCs, and its main users are corporate IT departments that need to keep data out of the wrong hands. It comes pre-installed on many notebooks.
Recently, however, the researchers noticed that the software's executable was communicating with servers believed to be used by Fancy Bear, the hacking group linked to Russia's GRU military intelligence agency.
The researchers found five LoJack agents pointing to four suspicious C&C domains. Three of the four (elaxo[.]org, ikmtrust[.]com and lxwo[.]org) were already known to be connected with Fancy Bear. The fourth, sysanalyticweb[.]com, was discovered only recently and its owner has not yet been identified. The researchers believe that someone has backdoored certain copies of LoJack, turning it into remotely controllable spyware for the Kremlin.
Most anti-virus products do not detect the modified LoJack executables, and those that do tend to classify them as "not-a-virus" (a legitimate but potentially unwanted tool), so the user stays exposed to surveillance. The attacker only needs to stand up a fake C2 server that speaks LoJack's communication protocol.
Once connected to that C2, the small LoJack agent provides arbitrary memory read and write, which is enough for a remote backdoor. In other words, the attackers are not exploiting a bug in the software; they are abusing the communication channel LoJack already has, and using it to grant themselves backdoor access to any computer running the agent.
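To make the two weaknesses above concrete (an obfuscated but unverified C2 setting, and a fake C2 that the agent will follow without complaint), here is an added Python example. It is not LoJack's code or ASERT's; the record layout, the XOR key 0xB5, the host name agent-c2.example.com and the HMAC secret are constructed for illustration. The four domain names are the ones the researchers flagged. The block shows the naive parser, the attacker's in-place patch, a brute-force scan that finds a known-bad domain behind any single-byte key, and an integrity-checked variant that rejects the patched record.

```python
import hashlib
import hmac

# Constructed layout, assumed for illustration only (not the real agent's format):
# MAGIC | 1-byte XOR key | XOR-encoded C2 host | NUL
MAGIC = b"CFG"
TERMINATOR = b"\x00"
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes

# The four C2 domains the ASERT researchers flagged, per the article.
KNOWN_BAD = [b"elaxo.org", b"ikmtrust.com", b"lxwo.org", b"sysanalyticweb.com"]


def xor1(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte; the same call encodes and decodes."""
    return bytes(b ^ key for b in data)


def build_config(host: bytes, key: int) -> bytes:
    """Build the obfuscated-only record. Nothing in it lets the agent detect a change."""
    encoded = xor1(host, key)
    assert TERMINATOR not in encoded, "key collides with the terminator for this host"
    return MAGIC + bytes([key]) + encoded + TERMINATOR


def _locate(blob: bytes) -> tuple[int, int, int]:
    """Return (key, start of encoded host, index of the terminator)."""
    key_pos = blob.index(MAGIC) + len(MAGIC)
    start = key_pos + 1
    end = blob.index(TERMINATOR, start)
    return blob[key_pos], start, end


def parse_config(blob: bytes) -> tuple[int, bytes]:
    """What a naive agent does: decode whatever is there and trust it."""
    key, start, end = _locate(blob)
    return key, xor1(blob[start:end], key)


def patch_c2(blob: bytes, new_host: bytes) -> bytes:
    """Attacker's edit: keep the key, swap the host, leave the rest of the file alone."""
    key, start, end = _locate(blob)
    return blob[:start] + xor1(new_host, key) + blob[end:]


def scan_for_encoded_domains(blob: bytes, domains) -> list[tuple[bytes, int, int]]:
    """Detection: look for each known-bad domain behind every single-byte key
    (key 0 means it appears in cleartext). Returns (domain, key, offset) per hit."""
    hits = []
    for key in range(256):
        for dom in domains:
            off = blob.find(xor1(dom, key))
            if off != -1:
                hits.append((dom, key, off))
    return hits


def build_signed_config(host: bytes, key: int, secret: bytes) -> bytes:
    """Hardened variant: append an HMAC over the record. A shipping agent should
    verify a vendor signature instead; the shared secret here is a stand-in."""
    body = build_config(host, key)
    return body + hmac.new(secret, body, hashlib.sha256).digest()


def verify_signed_config(blob: bytes, secret: bytes) -> bool:
    """Gate on the tag before decoding; a patched host no longer matches it."""
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    return hmac.compare_digest(hmac.new(secret, body, hashlib.sha256).digest(), tag)


if __name__ == "__main__":
    legit = build_config(b"agent-c2.example.com", 0xB5)  # constructed host and key
    print("legit config   ->", parse_config(legit))
    evil = patch_c2(legit, b"sysanalyticweb.com")
    print("patched config ->", parse_config(evil))  # the agent follows the new C2
    print("scan hits      ->", scan_for_encoded_domains(evil, KNOWN_BAD))
    secret = b"vendor-config-key"  # constructed
    signed = build_signed_config(b"agent-c2.example.com", 0xB5, secret)
    print("signed, intact ->", verify_signed_config(signed, secret))
    print("signed, patched->", verify_signed_config(patch_c2(signed, b"lxwo.org"), secret))
```

The scan is the practical takeaway for defenders: a string search for the four domains misses the patched agent, because on disk the host is XORed, but trying all 256 keys costs nothing and recovers it. The signed variant shows why the fix is verification rather than stronger obfuscation: the attacker can still rewrite the bytes, but the agent now refuses to use them.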
According to Richard Hummel, research manager at ASERT, the backdoored LoJack lets attackers take control of the infected computer and lock the user out, which is bad news in particular if the system holds critical or confidential data or the user has elevated privileges. With the permissions LoJack already requires, attackers can install any software or malware they want on the infected machine.
The researchers are "moderately" confident that Fancy Bear is behind the backdoored agents because two of the domains had previously been used in a campaign built around a modified NATO security conference flyer carrying a malicious macro, a technique the group is alleged to use frequently.
The third domain was likewise linked to a modified NATO statement and was identified in February 2017. Everything learned about the suspicious domains so far points back to Fancy Bear.
Hummel suspects that the backdoored LoJack agents were delivered by phishing; how widely they have been distributed is not yet clear.