Security researchers are warning that malware with suspected links to Russian cyber-espionage group and alleged Democratic National Committee hackers Fancy Bear is turning up in installations of Lojack, an anti-computer theft program used by many corporations to guard their assets.
A photo of a Fancy Bear page in 2016. Photo: AP
Yesterday, researchers with Arbor Networks’ ASERT lab said in a new report that they had discovered “LoJack agents containing command and control (C2) domains likely associated with Fancy Bear operations”. Due to the way Lojack was designed, it is apparently easy to make the software interact with malicious servers instead of legitimate ones, ASERT wrote:
The Lojack agent protects the hardcoded C2 URL using a single byte XOR key; however, according to researchers it blindly trusts the configuration content. Once an attacker properly modifies this value then the double-agent is ready to go.
The researchers added that many antivirus software packages don’t detect the malicious executable sneaked into Lojack installations as a problem at all, and when they do, many flag it as not a virus or a “Risk Tool”. With the executable hiding in plain sight on the user’s computer, the rest of the work is easy:
The attacker simply needs to stand up a rogue C2 server that simulates the Lojack communication protocols. Finally, Lojack’s “small agent” allows for memory reads and writes which grant it remote backdoor functionality when coupled with a rogue C2 server … The attackers are merely hijacking the communication used by Lojack, thereby granting themselves backdoor access to machines running the software.
ASERT’s manager of threat research, Richard Hummel, told Dark Reading that the malware would allow attackers to seize control of the infected machine – which would be bad news if they were “on a critical system or the user is someone with high privileges …. with the permissions that LoJack requires, [the attackers] have permission to install whatever they want on the victims’ machines,” Hummel said.
That’s where Fancy Bear comes in. The researchers identified where the hijacked Lojack installations were trying to ping, and of the four domains, three were previously traced to Fancy Bear: elaxo.org, ikmtrust.com and lxwo.org. A fourth domain, sysanalyticweb.com, was “only recently spotted in the wild”.
However, these clues only led ASERT to claim “moderate confidence” that the designers of the malware were, in fact, Fancy Bear, and detailed knowledge of the vulnerability has been floating around since 2014.
Two of the domains, associated with a flyer for a NATO security conference that had been modified to include a malicious macro involving a tool allegedly often used by Fancy Bear, were only veiled late last year. But the third domain, which was also associated with a similarly modified NATO statement, was discovered in February 2017. Researchers tied both of those attacks to Fancy Bear.
So, while that’s a big red flag, anyone could be running those domains or using them to obfuscate who they are, including someone who wanted to look like Fancy Bear. As Bloomberg View‘s Leonid Bershidsky has pointed out, the idea that so much nefarious digital activity is specifically tied to a handful of high-profile Russian groups tends to be overblown, and it’s hard to make a case based on known vulnerabilities or domains that could be fronts.
Curiously, Dark Reading noted, there doesn’t appear to be evidence that the malicious servers the infected Lojack installations are connecting to are doing anything but emulating the legitimate software – at least not yet. Hummel also told the site that ASERT does not know how the malicious code made it into the Lojack installations, though he suspects phishing.
And despite headlines touting how “Fancy Bear is hiding in your laptop’s Lojack“, it’s unclear how far this malware could have spread.
CalAmp, Lojack’s parent company, did not immediately respond to a request for comment on ASERT’s findings.