LoJax Malware Continues to Operate 8 Months After Discovery
The conventional wisdom with malware is that you can kill it once and for all by wiping a system and starting from scratch. However, a particularly clever piece of surveillance software tied to the Russian government is far more resistant. Even replacing the hard drive won’t kill LoJax, which appears to still be operating more than eight months after researchers at ESET detailed the malware in September 2018.
Usually, malware loses most of its value once security researchers uncover it: indicators get published, detection signatures follow, and infected machines get wiped. LoJax is unusually hard to remove, though. It’s common for one piece of malicious software to reuse components from one or more earlier malware families. LoJax instead borrows from legitimate commercial software, and that origin is what makes it so tough to combat.
First detected in 2018, LoJax is a modified version of the commercial LoJack anti-theft software developed by Absolute Software. Specifically, LoJax is built on a release from 2008, when the software was still known as Computrace. This is a legitimate piece of software that integrates with a computer’s UEFI firmware to help the owner recover it in the event it’s stolen: a module in the system firmware reinstalls the tracking agent onto the Windows system drive at boot. Even if a thief swaps in a new hard drive, the software reasserts itself from the motherboard firmware. That’s great if you want your laptop back, but it’s also perfect for a sophisticated hacking operation, because the same mechanism survives a disk wipe or a fresh OS install.
The original ESET report on LoJax pointed the finger at Fancy Bear (also tracked as APT28 or Sednit), a hacking group tied to Russian military intelligence (the GRU). Fancy Bear was also implicated in the VPNFilter malware that infected routers last year. LoJax keeps most of LoJack’s components, but its agent connects to command-and-control servers operated by Fancy Bear instead of Absolute’s. Because the agent looks much like the legitimate anti-theft tool, the attackers can use it to monitor the computer with little risk of detection.
Arbor Networks has analyzed new samples of the LoJax trojan that indicate it’s still active. In fact, some of the same command-and-control servers are still in use, which means the infrastructure was never fully taken down. Because LoJax lives in firmware rather than on disk, an antivirus scan of the drive or a reinstall of the operating system won’t reveal it; only users who inspect the firmware itself are likely to know they’ve been infected.
The report also details several domains connected to previously known IP addresses used by the malware. Both ntpstatistics[.]com and unigymboom[.]com resolve to command-and-control servers that infected computers contact. More than a dozen further IP addresses and domains appear to be waiting in the wings, too.
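Published indicators like the two domains above are only useful if they are actually checked against traffic. The following Python is an added example, not code from the original article or from the Arbor Networks report: it refangs defanged indicators and runs them over DNS query logs, matching on label boundaries so a subdomain such as update.unigymboom.com is a hit while a look-alike such as notntpstatistics.com is not. Only the two domain names come from the text; the log format, timestamps and client addresses are constructed for the demonstration.

```python
import re
from typing import Iterable, List, Tuple

# The two domains named in the article, in the defanged form they were
# published in. Nothing else in this file is a real indicator.
DEFANGED_IOCS = [
    "ntpstatistics[.]com",
    "unigymboom[.]com",
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator (hxxp://, [.], (.), [dot]) into a bare hostname."""
    s = indicator.strip().lower()
    s = re.sub(r"^hxxps?://", "", s)                   # drop a defanged scheme
    s = s.replace("[.]", ".").replace("(.)", ".").replace("[dot]", ".")
    s = s.split("/", 1)[0]                              # keep the host part only
    return s.rstrip(".")


def hostname_matches(hostname: str, ioc_domain: str) -> bool:
    """True if hostname is the IOC domain or a subdomain of it.

    Matching is on label boundaries: 'a.ntpstatistics.com' matches,
    'notntpstatistics.com' does not.
    """
    h = hostname.strip().lower().rstrip(".")
    return h == ioc_domain or h.endswith("." + ioc_domain)


# Constructed log format (assumption, not a real resolver's format):
#   <timestamp> <client-ip> query <qname> <qtype>
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query\s+(?P<qname>\S+)\s+(?P<qtype>\S+)$"
)


def scan_dns_log(lines: Iterable[str],
                 defanged_iocs: Iterable[str] = DEFANGED_IOCS
                 ) -> List[Tuple[str, str, str, str]]:
    """Return (timestamp, client, queried name, matched IOC) for every hit."""
    iocs = [refang(i) for i in defanged_iocs]
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue                                    # skip malformed lines
        qname = m.group("qname")
        for domain in iocs:
            if hostname_matches(qname, domain):
                hits.append((m.group("ts"), m.group("client"),
                             qname.rstrip(".").lower(), domain))
                break
    return hits


# Constructed sample log: two true hits, one look-alike, two benign queries.
SAMPLE_LOG = """\
2019-05-01T10:00:01Z 10.0.0.12 query www.example.com. A
2019-05-01T10:00:02Z 10.0.0.12 query NTPSTATISTICS.COM. A
2019-05-01T10:00:03Z 10.0.0.31 query update.unigymboom.com. A
2019-05-01T10:00:04Z 10.0.0.31 query notntpstatistics.com. A
2019-05-01T10:00:05Z 10.0.0.44 query time.windows.com. A
"""

if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_LOG.splitlines()):
        print("HIT", *hit)
```

A hit on these names is worth treating as a firmware incident rather than a routine malware alert, since cleaning the disk will not stop the queries from coming back.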
The only way to purge the malware is to wipe the hard drive and reflash the motherboard firmware with a clean, vendor-supplied image; wiping the drive alone just invites the firmware module to reinstall the agent. Reflashing only helps if the same thing can’t happen again, so it’s worth confirming afterwards that the platform’s firmware write protection is actually enabled, since LoJax depended on being able to write to the SPI flash in the first place. Given the effort involved, many organizations will find it safer to simply retire the hardware. State-sponsored hackers probably have plenty more nasty tricks up their sleeves.