LoJax Malware Continues to Operate 8 Months After Discovery


The conventional wisdom with malware is that you can kill it once and for all by wiping a system and starting from scratch. A particularly clever piece of surveillance software tied to the Russian government is far more resistant. LoJax survives even a drive replacement, because it lives in the motherboard's firmware rather than on disk, and it appears to still be operating more than eight months after ESET documented its UEFI rootkit component (Arbor Networks had flagged the trojanized LoJack agent it is built on earlier in 2018).

Usually, malware becomes of little use once security experts uncover it: antivirus signatures and a clean reinstall are enough to evict it. LoJax is a different case. It's common for one piece of malicious software to include components from one or more past malware variants, but LoJax is built on a legitimate, firmware-resident product, and that origin is what makes it so tough to combat.

First detected in 2018, LoJax is a modified version of the commercial LoJack anti-theft software developed by Absolute Software. Specifically, LoJax uses a release from 2008, when the software was known as Computrace. This is a legitimate product with a module that lives in a computer's UEFI firmware: at boot, that module drops a small Windows agent onto the disk, and the agent calls home so the owner can locate the machine if it's stolen. Even if a thief swaps in a new hard drive, the firmware module reinstalls the agent on the next boot. That's great if you want your laptop back, but it's also perfect for a sophisticated hacking operation.

The original Arbor Networks report on the trojanized agent pointed the finger at Fancy Bear, a hacking group tied to Russian military intelligence (the GRU). Fancy Bear was also implicated in the router malware campaign that hit home and small-office routers last year. LoJax keeps most of the LoJack components intact; the change is to the agent's configuration, which is patched to point at command-and-control servers operated by Fancy Bear instead of Absolute Software's. Because the agent looks like legitimate anti-theft software and is re-dropped by firmware on every boot, the attackers can use it to monitor the computer with little risk of detection.

Figure: How LoJax works (diagram courtesy of ESET).

Arbor Networks has analyzed new samples of the LoJax trojan that indicate it's still active, and some of the same command-and-control servers remain in use. That suggests efforts to combat the malware have largely failed. Because LoJax lives in firmware, ordinary antivirus scans and a clean OS reinstall won't reveal it; spotting an infection means inspecting the firmware image itself or watching network traffic for the agent's beacons to known control servers, which is beyond most users.

The report also details several domains connected to previously known IP addresses used by the malware. Both ntpstatistics[.]com and unigymboom[.]com point to control servers that infected agents call home to. More than a dozen more IP addresses and domains appear to be waiting in the wings, too. (The domains are written here with the dot bracketed, the usual "defanged" form, so they don't become live links.)
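Since network beacons are the one place an OS-level tool can still catch a firmware-resident agent, the practical use of the two domains above is to hunt for them in DNS telemetry. The script below is an added example written for this page, not code from the article, Arbor Networks or ESET. It assumes BIND-style query-log lines (the log lines it scans are constructed samples), refangs the bracketed indicators back into real hostnames, and matches a queried name only when it equals an indicator or is a subdomain of one, so a lookalike such as ntpstatistics.com.example.org does not fire.

```python
import re
from typing import Dict, Iterable, List, Optional

# The two C2 domains named in the report, kept defanged as published.
LOJAX_DOMAINS_DEFANGED = ["ntpstatistics[.]com", "unigymboom[.]com"]


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('[.]', 'hxxp') back into a real hostname for matching."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").strip().lower().rstrip(".")


def defang(hostname: str) -> str:
    """Re-bracket the dots so a matched indicator can be reported without becoming a live link."""
    return hostname.replace(".", "[.]")


def matches_ioc(hostname: str, iocs: Iterable[str]) -> Optional[str]:
    """Return the matching indicator if hostname is that domain or a subdomain of it, else None.

    The suffix check is anchored on a leading dot, so 'evil-ntpstatistics.com' or
    'ntpstatistics.com.example.org' (string containment only) are not reported.
    """
    host = hostname.strip().lower().rstrip(".")
    for ioc in iocs:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


# BIND query-log line, with or without the client-object address that newer
# versions print, and with or without the "(name)" after the port.
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-fA-F]+ )?(?P<src>[\d.]+)#\d+.*?: query: (?P<qname>\S+) IN "
)


def scan_dns_log(lines: Iterable[str], iocs_defanged: Iterable[str]) -> List[Dict[str, str]]:
    """Scan query-log lines and return one hit record per query for an indicator domain."""
    iocs = [refang(i) for i in iocs_defanged]
    hits: List[Dict[str, str]] = []
    for line in lines:
        m = QUERY_RE.search(line)
        if not m:
            continue  # not a query line (or a format we do not parse)
        ioc = matches_ioc(m.group("qname"), iocs)
        if ioc is not None:
            hits.append({
                "src": m.group("src"),          # the host that asked: the likely infected machine
                "qname": m.group("qname"),      # the exact name looked up
                "ioc": defang(ioc),             # which published indicator it hit
            })
    return hits


# Constructed sample log: one direct hit, one benign NTP lookup, one lookalike that
# only contains the indicator as a substring, one subdomain hit, one junk line.
SAMPLE_LOG = [
    "01-May-2019 10:12:01.123 client 10.0.0.5#51234 (ntpstatistics.com): query: ntpstatistics.com IN A + (10.0.0.1)",
    "01-May-2019 10:12:02.456 client 10.0.0.7#40001 (pool.ntp.org): query: pool.ntp.org IN A + (10.0.0.1)",
    "01-May-2019 10:12:03.789 client 10.0.0.9#40002: query: ntpstatistics.com.example.org IN A + (10.0.0.1)",
    "01-May-2019 10:12:04.000 client @0x7f3c1c0a0b10 10.0.0.5#51240 (cdn.unigymboom.com): query: cdn.unigymboom.com IN A + (10.0.0.1)",
    "01-May-2019 10:12:05.000 zone example.org/IN: loaded serial 2019050101",
]


if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_LOG, LOJAX_DOMAINS_DEFANGED):
        print(f"{hit['src']} queried {hit['qname']} (matches {hit['ioc']})")
```

The source address in each hit is the lead worth chasing: a machine that resolves one of these names after a fresh OS install is exactly the case the article describes, and the next step is to pull its firmware image rather than run another antivirus scan.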

Wiping the hard drive alone won't purge the malware, because the firmware module will simply re-drop the agent on the next boot. A full cleanup means wiping the drive and reflashing the motherboard's firmware with a clean vendor image; once an attacker has written to that flash, replacing the hardware outright is the cautious option, and it's probably the safer one. The defenses that matter are the ones that stop the write in the first place: ESET's original analysis recommended enabling Secure Boot, since the rogue module is not properly signed, and keeping firmware up to date so that the platform's flash write protections are actually enforced. State-sponsored hackers probably have plenty more nasty tricks up their sleeves.
