Security researchers have found tainted versions of the legitimate LoJack software that appear to have been quietly modified to give attackers a foothold inside companies that use it.
Researchers say domains found inside the tainted LoJack instances have previously been tied to other hacking operations carried out by APT28, the codename for a nation-state-backed cyber-espionage group based in Russia with ties to the country's military intelligence.
APT28 has been spreading tainted LoJack instances
The software abused in this operation is LoJack, an application that companies or individual users install on their devices (laptops, tablets, smartphones). It works as a beacon that lets owners track and locate a device if it is stolen.
Researchers at Arbor Networks said they found modified LoJack agents containing a small change to the binary: the server address the agent reports to had been swapped for a rogue command-and-control (C&C) server.
This means that instead of reporting to the central LoJack server, the LoJack agents reported to, and received instructions from, domains under APT28's control.
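The Python script below is added here as an illustration and is not part of Arbor's research or of the LoJack product. It shows how a defender can check an agent binary for the kind of modification described above: it byte-diffs a suspect copy against a known-good copy and extracts every hostname-like string (ASCII and UTF-16LE), flagging any hostname that is not on an allowlist. The two binaries, the hostnames and the allowlist are constructed stand-ins; in practice the known-good copy comes from vendor media and the allowlist from the vendor's documented beacon endpoints.

```python
import re

# Constructed stand-ins for a known-good LoJack agent image and a suspect copy.
# Real agents are PE executables; the check only relies on the beacon hostname
# being stored as a plain string (ASCII and/or UTF-16LE) somewhere in the file.
KNOWN_GOOD = (
    b"MZ\x90\x00" + b"\x00" * 60
    + b"agent configuration\x00"
    + b"https://lojack.example.com/\x00"                 # assumed legitimate endpoint (ASCII)
    + "https://lojack.example.com/".encode("utf-16-le")  # same endpoint, UTF-16LE
    + b"\x00\x00" + b"\x00" * 32 + b"\xcc" * 16
)

# The tampered copy swaps the hostname for a same-length attacker domain, so the
# file size and every other byte stay identical and only a string diff reveals it.
TAMPERED = KNOWN_GOOD.replace(
    b"lojack.example.com", b"update.example.net"
).replace(
    "lojack.example.com".encode("utf-16-le"), "update.example.net".encode("utf-16-le")
)

# Assumption: the vendor's real beacon hosts would be listed here.
ALLOWED_HOSTS = {"lojack.example.com"}

_ASCII = re.compile(rb"[\x20-\x7e]{6,}")            # printable ASCII runs, 6+ chars
_UTF16 = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")    # printable UTF-16LE runs, 6+ chars
_HOST = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", re.I)


def extract_strings(data: bytes):
    """Yield (offset, text) for every printable ASCII and UTF-16LE run in data."""
    for m in _ASCII.finditer(data):
        yield m.start(), m.group().decode("ascii")
    for m in _UTF16.finditer(data):
        yield m.start(), m.group().decode("utf-16-le")


def find_hostnames(data: bytes):
    """Return the set of hostname-looking strings embedded in data (lower-cased)."""
    hosts = set()
    for _, text in extract_strings(data):
        hosts.update(h.lower() for h in _HOST.findall(text))
    return hosts


def diff_ranges(good: bytes, suspect: bytes):
    """Return [(start, end), ...] byte ranges (end exclusive) where the images differ."""
    ranges, start = [], None
    n = min(len(good), len(suspect))
    for i in range(n):
        if good[i] != suspect[i]:
            if start is None:
                start = i
        elif start is not None:
            ranges.append((start, i))
            start = None
    if start is not None:
        ranges.append((start, n))
    if len(good) != len(suspect):          # trailing bytes present in only one image
        ranges.append((n, max(len(good), len(suspect))))
    return ranges


def audit_agent(good: bytes, suspect: bytes, allowed_hosts=ALLOWED_HOSTS):
    """Compare a suspect agent against a known-good copy and a beacon-host allowlist."""
    ranges = diff_ranges(good, suspect)
    hosts = find_hostnames(suspect)
    return {
        "changed_ranges": ranges,
        "changed_bytes": sum(end - start for start, end in ranges),
        "hosts": sorted(hosts),
        "unexpected_hosts": sorted(h for h in hosts if h not in allowed_hosts),
    }


if __name__ == "__main__":
    for label, image in (("known-good", KNOWN_GOOD), ("suspect", TAMPERED)):
        report = audit_agent(KNOWN_GOOD, image)
        print(f"{label}: {report['changed_bytes']} byte(s) differ, "
              f"hosts={report['hosts']}, unexpected={report['unexpected_hosts']}")
```

The byte diff is what tells you the file was touched at all; the hostname allowlist is what tells you the change matters. Both are worth running, since an attacker can keep the file size and nearly every byte identical, and a legitimate version bump can change many bytes without touching the beacon host.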
Arbor's experts said they could not find evidence that APT28 had used the tainted LoJack agents to enter victims' systems and steal data, although that does not rule out it having happened.
LoJack agents are the perfect backdoor trojans
Because of the way the LoJack agent is built, whoever controls it holds a powerful tool. The agent comes with a potent built-in persistence mechanism, rooted in a module that ships in many laptops' BIOS/UEFI firmware and reinstalls the agent on boot, that lets it survive hard drive replacements and operating system (OS) re-imaging. It can also execute arbitrary code on the target system with the highest privileges available. For a defender this means wiping the disk does not remove the agent; the server it reports to has to be verified.