Security Experts:

Connect with us

Hi, what are you looking for?


Endpoint Security

Russia-linked Hackers Exploit Lojack Recovery Tool in Attacks

Recently discovered “Lojack” agents containing malicious command and control (C&C) servers point to the Russian cyber-espionage group Sofacy, according to NETSCOUT Arbor.

Recently discovered “Lojack” agents containing malicious command and control (C&C) servers point to the Russian cyber-espionage group Sofacy, according to NETSCOUT Arbor.

Previously known as Computrace, Lojack is a legitimate laptop recovery solution used by companies looking to protect assets should they be lost or stolen. It can be used to locate and lock devices remotely, as well as to delete files.

Lojack represents a great double-agent because it is usually considered legitimate software but also allows for remote code execution, NETSCOUT Arbor’s Security Engineering and Research Team (ASERT) points out. Moreover, the tool can survive hard drive replacements and operating system re-imaging.

Many of the anti-virus vendors in VirusTotal don’t flag the Lojack executable as malicious, but rather consider it as “not-a-virus” or “Risk Tool.” Additionally, with binary modification of the “small agent” considered trivial, it’s clear that attackers would consider the tool a viable target.

“With low AV detection, the attacker now has an executable hiding in plain sight, a double-agent. The attacker simply needs to stand up a rogue C&C server that simulates the Lojack communication protocols. Finally, Lojack’s ‘small agent’ allows for memory reads and writes which grant it remote backdoor functionality when coupled with a rogue C&C server,” ASERT notes.

The ASERT security researchers observed five Lojack agents that were pointing to four different suspected domains, three of which have been tied to Sofacy.

Also known as APT28, Fancy Bear, Pawn Storm, Sednit and Strontium, the threat actor is believed to have targeted the 2016 U.S. presidential election, as well as Ukraine and NATO countries. In fact, the group heavily targeted NATO in early 2017, including with zero-day exploits. The group was also observed shifting focus towards the Middle East and Central Asia last year.

In March 2018, a security researcher revealed that Sofacy attacks overlap with other state-sponsored operations, after the group’s Zerbrocy malware was found on machines compromised by Mosquito, a backdoor associated with the Turla threat actor.

“ASERT assesses with moderate confidence that the rogue Lojack agents are attributed to Fancy Bear based on shared infrastructure with previous operations,” the security researchers say.

Only the presence of a rogue C&C makes the samples malicious, as attackers are merely hijacking the communication used by Lojack, the researchers say. Several of the domains extracted from the rogue agents trace back to Sofacy operations: elaxo[.]org, ikmtrust[.]com, and lxwo[.]org (tied to the group last year), and sysanalyticweb[.]com (spotted only recently).

Although the hijack of the software for malicious purposes is a publicly known tactic, similarities in the binary comparisons and infrastructure analysis increase the possibility that the same actor was behind them.

The domains are associated with the same Lojack agent utilizing the same compile time, contain nonsensical Registrant information (the same information found in multiple fields), a similar nonsensical word used in the Registrant Name field is also used for the Registrant Organization (the field is often skipped, but this actor regularly utilizes both fields).

“Hijacking legitimate software is a common enough tactic for malicious actors. What makes this activity so devious is the binaries hijacked being labeled as legitimate or simple ‘Risk Tool’, rather than malware. As a result, rogue Lojack samples fly under the radar and give attackers a stealthy backdoor into victim systems,” ASERT concludes.

Related: Researchers Dissect Tool Used by Infamous Russian Hacker Group

Related: Sofacy Attacks Overlap With Other State-Sponsored Operations

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

CISO Strategy

Varied viewpoints as related security concepts take on similar traits create substantial confusion among security teams trying to evaluate and purchase security technologies.

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Application Security

Password management firm LastPass says the hackers behind an August data breach stole a massive stash of customer data, including password vault data that...

Application Security

Microsoft on Tuesday pushed a major Windows update to address a security feature bypass already exploited in global ransomware attacks.The operating system update, released...

Endpoint Security

Today, on January 10, 2023, Windows 7 Extended Security Updates (ESU) and Windows 8.1 have reached their end of support dates.

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Endpoint Security

The Zero Day Dilemma

Application Security

After skipping last month, Adobe returned to its scheduled Patch Tuesday cadence with the release of fixes for at least 38 vulnerabilities in multiple...