The Russia-linked cyberespionage group Fancy Bear is believed to be behind modified copies of the legitimate anti-theft software LoJack that were found communicating with malicious command and control (C2) servers. The infamous APT group has been widely linked to the 2016 cyberattack on the Democratic National Committee (DNC).
LoJack, also known as Computrace, is a popular computer-tracing product used by organizations to protect physical assets such as laptops, tablets and mobile phones against theft or loss. Its features include remotely locating and locking a device and deleting files from it.
According to Arbor Networks' Security Engineering & Response Team (ASERT), the widely used software "makes an excellent double-agent due to appearing as legit software while natively allowing remote code execution." Initially, few antivirus programs flagged the modified agents, allowing them to operate undetected.
"Low Anti-Virus detection of the LoJack agents containing rogue C2 increases the probability of infection and subsequent successful C2 communication," researchers noted. "The attackers are merely hijacking the communication used by Lojack, thereby granting themselves backdoor access to machines running the software."
Researchers identified five modified LoJack agents (rpcnetp.exe) linked to four suspicious C2 domains, three of which had previously been tied to Fancy Bear. The LoJack agent protects its hardcoded C2 address using a single-byte XOR key, researchers explained; however, the agent "blindly trusts the configuration content."
A sophisticated threat actor can therefore modify this value to make the agent communicate with an attacker-controlled domain, a change that antivirus software would not detect.
Researchers Vitaliy Kamlyuk, Sergey Belov and Anibal Sacco presented research on this weakness at the Black Hat conference in 2014, suggesting that attackers could exploit it as a backdoor to gain a foothold and persistence on systems running the software.
ASERT researchers have stated with "moderate confidence" that the threat actors behind the malware are likely Fancy Bear. Jigsaw Security researchers previously traced the elaxo[.]org and ikmtrust[.]com domains, as well as the Sedupload tool, to a Fancy Bear operation. Meanwhile, Threat Intel Recon also linked the domain Ixwo[.]org to Fancy Bear. More recently, LoJack samples linked to the fourth domain, sysanalyticweb[.]com, were spotted in the wild in April 2018.
Although the malware's distribution mechanism is still unknown, Arbor researchers noted that Fancy Bear is known to use phishing to deliver its malicious payloads.
Abusing legitimate software tools as a backdoor is a common tactic for cybercriminals, allowing them to slip past most antivirus programs, which classify such tools as a "risk tool" rather than as malware. However, the level of stealth and persistence that sophisticated threat actors can achieve by infiltrating an enterprise through popular, legitimate tools, as highlighted in this case, does raise concerns.
ASERT researchers recommend scanning for rogue LoJack agents with a YARA signature that matches the malicious C2 strings, and blocking the associated domains.
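To illustrate both the single-byte XOR protection of the hardcoded C2 described above and the agent scanning ASERT recommends, the following is an added example, not ASERT's tooling or LoJack's actual configuration format: it brute-forces the one-byte key over a constructed configuration blob and flags any of the rogue domains named in this article. The blob layout, the domain regex and the sample keys are assumptions made for the demonstration.

```python
import re

# Rogue C2 domains named in this article (defanged as written there).
ROGUE_C2 = ["elaxo[.]org", "ikmtrust[.]com", "Ixwo[.]org", "sysanalyticweb[.]com"]

# Loose domain pattern; a production scanner would use the vendor's YARA rule instead.
DOMAIN_RE = re.compile(rb"[a-z0-9][a-z0-9.-]{3,60}\.(?:com|org|net)\b")


def refang(domain: str) -> str:
    """Turn the defanged form 'host[.]tld' back into a comparable lowercase domain."""
    return domain.replace("[.]", ".").lower()


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR, the scheme the article says protects the agent's hardcoded C2."""
    return bytes(b ^ key for b in data)


def recover_c2_candidates(blob: bytes) -> list[tuple[int, str]]:
    """Try all 256 one-byte keys and return (key, domain) pairs whose decoding contains
    a domain-like ASCII string. A single-byte key is small enough to search exhaustively."""
    candidates = []
    for key in range(256):
        for match in DOMAIN_RE.finditer(xor_bytes(blob, key)):
            candidates.append((key, match.group().decode("ascii")))
    return candidates


def classify(blob: bytes, rogue: list[str] = ROGUE_C2) -> list[str]:
    """Return the known rogue C2 domains found in the blob (empty list: none found)."""
    rogue_set = {refang(d) for d in rogue}
    return sorted({d for _, d in recover_c2_candidates(blob) if d.lower() in rogue_set})


def build_sample_config(domain: str, key: int) -> bytes:
    """Constructed stand-in for an agent config blob: padding, the C2 domain, a NUL
    terminator and trailer bytes, all XOR-encoded with one key. Not the real LoJack layout."""
    plain = b"\x00" * 4 + domain.encode("ascii") + b"\x00" + b"\x90" * 8
    return xor_bytes(plain, key)


if __name__ == "__main__":
    # Constructed samples: one pointing at a domain from the report, one at a benign placeholder.
    for name, blob in [("rogue", build_sample_config("sysanalyticweb.com", 0xB5)),
                       ("clean", build_sample_config("example.com", 0x3C))]:
        print(name, "->", classify(blob) or "no known rogue C2")
```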