Unkillable LoJax Rootkit Campaign Remains Active

upnorth

Moderator
Thread author
Verified
Staff Member
Malware Hunter
Well-known
Jul 27, 2015
5,459
Last May, researchers published a bombshell report documenting sophisticated malware attributed to the Russian government. The malware, dubbed "LoJax," creates a persistent backdoor that survives operating system reinstalls and hard drive replacements. On Wednesday, researchers published new findings that indicate the campaign remains active.

LoJax in May became the first known case of a real-world attack harnessing the power of the Unified Extensible Firmware Interface boot system found in virtually all modern Windows computers. As software that bridges a PC’s firmware and its operating system, UEFI is essentially a lightweight operating system in its own right. That makes it a handy place to hide rootkits because once there a rootkit will remain in place even after an OS is reinstalled or a hard drive is replaced. LoJax gets its name from LoJack, an anti-theft product from developer Absolute Software. The rootkit is a modified version of a 2008 release of LoJack (then called Computrace). The anti-theft software achieved persistence by burrowing into the UEFI of the computer it was protecting. The design ensured that even if a thief made major changes to a computer’s hardware or software, a LoJack “small agent” would remain intact and be able to contact Absolute Software servers.

LoJax repurposes the LoJack software and exploits a key shortcoming—the lack of any means for the Absolute Software server to authenticate itself to the software. LoJax uses most of the working functionality of the legitimate anti-theft tool—a feature that long made it hard for antivirus software to detect the malware. The trojan makes modifications that cause it to connect to servers believed to be operated by Fancy Bear, a hacking group that works under the direction of the Russian government. LoJax samples first came to light in the report Netscout (previously known as Arbor Networks) published in May 2018. In September, researchers from Eset documented LoJax samples and found at least one case in which the rootkit was successfully installed in the flash memory of a computer’s Serial Peripheral Interface. Now Netscout is back with new research that analyzes new samples. They reveal some never-before-seen control server domains, at least two of which remain active now.

ForgottenSeer 69673

Those C&C servers could be added to a firewall. Also, what are they using to dial out? svhost?

upnorth
This type of malware is one reason why the military, not only in the US, "nukes" (100% destroys) infected machines. Enabling Secure Boot should normally help thwart the infection, as LoJax at the moment lacks a valid digital signature.