LoJax malware used by the Fancy Bear threat actor group has been active since 2016
- The researchers used DNS records to cross-reference the servers with known LoJax samples.
- Two domains, regvirt[.]com and elaxo[.]org, were found to be still tied to LoJax malware.
Researchers have discovered that LoJax, the first-ever UEFI malware that formed the base for most of the devastating Fancy Bear attacks in 2018, has been silently active for years. The findings reveal that two command and control servers used by LoJax are still being operated by hackers.
LoJack modified into LoJax
Discovered for the first time in May last year, the LoJax rootkit takes its name from LoJack, an anti-theft product. The product was modified so that the end result was firmware-based malware that could run on all operating systems while evading detection by antivirus tools.
By analyzing the activity on various domains used by Fancy Bear and LoJax, researchers at Netscout concluded that the infections had started two years before the malware was publicly disclosed.
The team constructed a network scanning fingerprint to monitor the activity of the malware. They used it to search for additional LoJax servers and discovered seven in late 2018. Of these, two are deemed to be still active.
"Based on the ongoing infrastructure analysis, ASERT assesses with moderate confidence that the Fancy Bear LoJax operation started in late 2016," said the NetScout researchers in a blog post.
The researchers used DNS records to cross-reference the servers with known LoJax samples and found ties to two domains, regvirt.com and elaxo.org.
"The fact that C2 servers were still alive and had been reported back in September 2018, speaks to the necessity of making sure that organizations use the reported IoCs in their defensive operations, and underscores the importance of making sure they are not aged out of active defense operations too soon," researchers explained.
The findings paint a much broader and more complex picture of the LoJax malware. It appears that the malware has been running for quite some time, infecting machines across the globe.