Fancy Bear abuses LoJack security software in targeted attacks

Recently, several LoJack agents were found to be connecting to servers that are believed to be controlled by the notorious Russia-linked Fancy Bear APT group.

LoJack for laptops is a security software designed to catch computer thieves, but it could be theoretically abused to spy on legitimate owners of the device.

LoJack could be used to locate a stolen laptop, lock it or wipe its content, it is a precious application for enterprises that want to implement an additional protection of their assets.

What about an intelligence agency or nation-state actors are able to hack into such kind of software?

According to experts at Netscout Arbor Networks, recently, several LoJack agents (rpcnetp.exe) were found to be connecting to servers that are believed to be controlled by the notorious Russia-linked Fancy Bear APT group.

“ASERT recently discovered Lojack agents containing malicious C2s. These hijacked agents pointed to suspected Fancy Bear (a.k.a. APT28, Pawn Storm) domains.” reads the report published by Netscout.

“ASERT has identified five Lojack agents (rpcnetp.exe) pointing to 4 different suspected domains.  Fancy Bear has been tied to three of the domains in the past.”

Five LoJack agents discovered by the experts were pointing to four C&C servers, three of which have been associated with past campaigns conducted by the Fancy Bear APT group.

This circumstance leads the experts into believing that nation-state hackers have installed a backdoor in certain copies of LoJack to use it as a surveillance tool, likely as a part of a cyber espionage campaign.

According to the experts, the analysis of the samples revealed that attackers haven’t added additional functionality into the binary. Researchers published yara rule to help administrators in identifying Lojack samples abused by hackers.

“The LoJack agent protects the hardcoded [command-and-control] URL using a single byte XOR key; however, according to researchers it blindly trusts the configuration content,” the report says. “Once an attacker properly modifies this value then the double-agent is ready to go.” continues the analysis.

The abuse of such kind of software for cyber espionage is very dangerous and insidious, common anti-malware products and security applications whitelist them.

“Hijacking legitimate software is a common enough tactic for malicious actors. What makes this activity so devious is the binaries hijacked being labeled as legitimate or simple “Risk Tool”, rather than malware. As a result, rogue Lojack samples fly under the radar and give attackers a stealthy backdoor into victim systems.” concluded the experts.

 

At the time of writing, the initial attack vector is still unclear.

 

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – LoJack, Fancy Bear)

[adrotate banner=”5″]

[adrotate banner=”13″]