LoJax Malware Continues to Operate 8 Months After Discovery

The conventional wisdom with malware is that you can kill it once and for all by wiping a system and starting from scratch. However, a particularly clever piece of surveillance software tied to the Russian government appears much more resistant. Even replacing drives won’t kill LoJax, which appears to still be operating more than eight months after researchers from Arbor Networks detailed the malware.

Usually, malware becomes of little use once security experts uncover it. LoJax is almost invulnerable, though. It’s common for one piece of malicious software to include components from one or more past malware variants. However, LoJax has a unique origin that makes it incredibly tough to combat.

First detected in 2018, LoJax is a modified version of the commercial LoJack anti-theft software developed by Absolute Software. Specifically, LoJax uses a release from 2008, when the software was known as Computrace. This is a legitimate piece of software that integrates with the UEFI firmware of a computer to help the owner recover it in the event it’s stolen. Even if a thief swaps in a new hard drive, the software reasserts itself from the motherboard firmware. That’s great if you want your laptop back, but it’s also perfect for a sophisticated hacking operation.

The original Arbor Networks report on LoJax pointed the finger at Fancy Bear, a hacking group tied to Russian military intelligence (the GRU). Fancy Bear was also implicated in the firmware exploit that hit routers last year. LoJax uses most of the components from LoJack, but it connects to command-and-control servers operated by Fancy Bear. The attackers can use the tool to monitor the computer with little risk of detection.

How LoJax works, courtesy of Eset.

Arbor Networks has analyzed new samples of the LoJax trojan that indicate it’s still active. In fact, some of the same command-and-control servers are in use. This indicates efforts to combat the malware have largely failed. Because of the nature of LoJax, only sophisticated users will know they’ve been infected.

The report also details several domains connected to previously known IP addresses used by the malware. Both ntpstatistics[.]com and unigymboom[.]com point to control servers that connect to infected computers. More than a dozen more IP addresses and domains appear to be waiting in the wings, too.
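Because LoJax survives drive replacement, the practical way for most organizations to notice an infected host is network-side: watch for resolution of the control-server domains the report names. The following is an added example, not code from the article or from the Arbor Networks report. It takes the two defanged domains quoted above, refangs them, and scans a handful of constructed DNS query-log lines (BIND-style, invented for the example, not real traffic) for exact or subdomain matches, so that a lookalike such as a domain that merely ends in the same characters is not flagged. Hosts it returns are candidates for the wipe-and-reflash remediation described in the article.

```python
import re
from typing import Dict, List, Optional, Tuple

# Control-server domains named in the article, kept defanged as published.
DEFANGED_IOCS = ["ntpstatistics[.]com", "unigymboom[.]com"]

# Constructed sample log lines in a BIND-like query-log layout (not real traffic).
SAMPLE_DNS_LOG = """\
03-Jun-2019 10:15:01.123 client 10.0.0.5#53412 (ntpstatistics.com): query: ntpstatistics.com IN A + (10.0.0.1)
03-Jun-2019 10:15:02.456 client 10.0.0.7#41002 (www.example.com): query: www.example.com IN A + (10.0.0.1)
03-Jun-2019 10:15:03.789 client 10.0.0.5#53413 (cdn.unigymboom.com): query: cdn.unigymboom.com IN A + (10.0.0.1)
03-Jun-2019 10:15:04.000 client 10.0.0.9#55555 (notunigymboom.com): query: notunigymboom.com IN A + (10.0.0.1)
this line is not a query record and must be skipped
"""

# Matches the client address and the queried name in the constructed layout above.
LINE_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<client>[\d.]+)#\d+ .*?query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def refang(domain: str) -> str:
    """Turn a defanged indicator such as 'example[.]com' into a comparable FQDN."""
    return domain.replace("[.]", ".").strip().lower().rstrip(".")


def matches_ioc(queried: str, ioc_domains: List[str]) -> Optional[str]:
    """Return the indicator that `queried` equals or is a subdomain of, else None.

    The label boundary check ('.' + ioc) prevents 'notunigymboom.com' from
    matching 'unigymboom.com'.
    """
    name = refang(queried)
    for ioc in ioc_domains:
        if name == ioc or name.endswith("." + ioc):
            return ioc
    return None


def scan_dns_log(text: str, defanged: List[str] = DEFANGED_IOCS) -> List[Tuple[str, str, str]]:
    """Scan query-log text; return (client_ip, queried_name, matched_ioc) per hit."""
    iocs = [refang(d) for d in defanged]
    hits: List[Tuple[str, str, str]] = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a query record
        ioc = matches_ioc(m["qname"], iocs)
        if ioc is not None:
            hits.append((m["client"], m["qname"], ioc))
    return hits


def hosts_to_investigate(hits: List[Tuple[str, str, str]]) -> Dict[str, List[str]]:
    """Group hits by client so each suspect host is listed once with its lookups."""
    by_host: Dict[str, List[str]] = {}
    for client, qname, _ in hits:
        by_host.setdefault(client, []).append(qname)
    return by_host


if __name__ == "__main__":
    for client, names in hosts_to_investigate(scan_dns_log(SAMPLE_DNS_LOG)).items():
        print(f"{client}: {', '.join(names)}")
```

On the constructed log, only 10.0.0.5 is reported: it looked up both ntpstatistics.com and a subdomain of unigymboom.com, while 10.0.0.9's lookup of notunigymboom.com is correctly ignored. A hit on a real network is a reason to pull the host for offline examination, not proof of infection, since anyone can query a domain.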

The only way to purge the malware is to wipe the hard drive and reflash the motherboard firmware, although it’s probably safer to just throw the hardware out. State-sponsored hackers probably have plenty more nasty tricks up their sleeves.
