LoJax Malware Continues to Operate 8 Months After Discovery

The conventional wisdom with malware is that you can kill it once and for all by wiping a system and starting from scratch. However, a particularly clever piece of surveillance software tied to the Russian government appears much more resistant. Even replacing drives won’t kill LoJax, which appears to still be operating more than eight months after researchers from Arbor Networks detailed the malware.
Usually, malware becomes of little use once security experts uncover it. LoJax is almost invulnerable, though. It’s common for one piece of malicious software to include components from one or more past malware variants. However, LoJax has a unique origin that makes it incredibly tough to combat.
First detected in 2018, LoJax is a modified version of the commercial LoJack anti-theft software developed by Absolute Software. Specifically, LoJax uses a release from 2008, when the software was known as Computrace. This is a legitimate piece of software that integrates with the UEFI firmware of a computer to help the owner recover it in the event it’s stolen. Even if a thief swaps in a new hard drive, the software reasserts itself from the motherboard firmware. That’s great if you want your laptop back, but it’s also perfect for a sophisticated hacking operation.
The original Arbor Networks report on LoJax pointed the finger at Fancy Bear, a hacking group tied to Russian military intelligence (the GRU). Fancy Bear was also implicated in the firmware exploit that hit routers last year. LoJax uses most of the components from LoJack, but it connects to command-and-control servers operated by Fancy Bear. The attackers can use the tool to monitor the computer with little risk of detection.

Arbor Networks has analyzed new samples of the LoJax trojan that indicate it’s still active. In fact, some of the same command-and-control servers are in use. This indicates efforts to combat the malware have largely failed. Because of the nature of LoJax, only sophisticated users will know they’ve been infected.
The report also details several domains connected to previously known IP addresses used by the malware. Both ntpstatistics[.]com and unigymboom[.]com point to control servers that connect to infected computers. More than a dozen more IP addresses and domains appear to be waiting in the wings, too.
The only way to purge the malware is to wipe the hard drive and reflash the motherboard firmware. It’s probably safer, though, to just throw the hardware out. State-sponsored hackers probably have plenty more nasty tricks up their sleeves.
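Because an implant living in firmware survives a disk wipe, the practical detection hook for most defenders is the network side: the two control domains named above. The following Python is an added example (not from the article or Arbor Networks) that refangs those indicators and scans DNS resolver query lines for exact or subdomain matches; the log format is a simplified BIND-style line and the log entries are constructed for the example.

```python
import re
from typing import Iterable, List, Optional, Tuple

# Defanged control domains exactly as given in the article. The report mentions
# more than a dozen further indicators, but they are not listed here.
LOJAX_C2_DOMAINS_DEFANGED = ["ntpstatistics[.]com", "unigymboom[.]com"]


def refang(domain: str) -> str:
    """Turn a defanged indicator such as 'example[.]com' back into 'example.com'."""
    return domain.replace("[.]", ".").replace("(.)", ".").lower().rstrip(".")


def matches_indicator(queried: str, indicators: Iterable[str]) -> Optional[str]:
    """Return the indicator that `queried` equals or is a subdomain of, else None.

    The leading dot in the suffix test prevents 'notunigymboom.com' from
    matching 'unigymboom.com'.
    """
    q = queried.lower().rstrip(".")
    for ind in indicators:
        if q == ind or q.endswith("." + ind):
            return ind
    return None


# Assumed BIND-style query log line: "... client [@0x...] <src>#<port> ... query: <qname> IN <type> ..."
QUERY_RE = re.compile(r"client (?:@0x[0-9a-f]+ )?(?P<src>[\d.]+)#\d+.*?query: (?P<qname>\S+) IN")


def scan_dns_log(lines: Iterable[str], defanged=LOJAX_C2_DOMAINS_DEFANGED) -> List[Tuple[str, str, str]]:
    """Return (source_ip, queried_name, matched_indicator) for every suspicious query."""
    indicators = [refang(d) for d in defanged]
    hits = []
    for line in lines:
        m = QUERY_RE.search(line)
        if not m:
            continue  # not a query line, or a format we do not parse
        hit = matches_indicator(m.group("qname"), indicators)
        if hit:
            hits.append((m.group("src"), m.group("qname").rstrip("."), hit))
    return hits


# Constructed sample log lines for the example; the client addresses are not real data.
SAMPLE_LOG = [
    "13-May-2019 10:01:02.113 client 10.0.0.5#53211: query: www.example.com IN A +",
    "13-May-2019 10:01:07.554 client 10.0.0.17#49152: query: ntpstatistics.com IN A +",
    "13-May-2019 10:02:11.009 client 10.0.0.17#49153: query: update.unigymboom.com. IN A +",
    "13-May-2019 10:02:40.300 client 10.0.0.9#50001: query: notunigymboom.com IN A +",
]

if __name__ == "__main__":
    for src, qname, ind in scan_dns_log(SAMPLE_LOG):
        print(f"{src} queried {qname} (matches LoJax indicator {ind})")
```

A hit only says a host resolved a known control domain; confirming the firmware implant itself still requires dumping and inspecting the SPI flash image, as the article's remediation advice implies.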