Recently, researchers found corrupt versions of legitimate LoJack software that seems to have been secretly modified to allow hackers inside the companies that use the service.
Experts in information security commented that the domains found within the infected instances of LoJack have been previously linked to other operations carried out by APT28, a cyber-espionage group based in Russia, linked to the military intelligence of the company.
The APT28 group appears to have been spreading contaminated LoJack instances. LoJack software is an application that companies or users install on their devices that works like a beacon and allows owners to track and locate devices in case of theft.
Information security professionals at Arbor Networks said they had found LoJack applications that contained a small modification to the application’s binary pointing LoJack agent to a dishonest command and control server (C & C).
This tells us that instead of informing the central LoJack server, the LoJack agents reported and received instructions from the domains under the control of APT28.
The researchers also commented that they could not find any evidence that APT28 used LoJack to enter the victims’ systems and steal data, although it does not rule out that this has already happened.
Because of the way the LoJack agent is built, they are the perfect backdoor Trojans, the attackers have access to a piece of software that comes with a powerful built-in persistence system that allows LoJack to survive hard disk replacements and the system operative (SO) of images, also has the ability to execute any code in the target system, with the highest possible privileges.
This feature allows APT28 to download other malware, search confidential data, filter stolen data to remote servers, delete records of any intrusion device and even erase or damage infected devices.
Professionals said that since the modification of the flawed LoJack binaries is extremely small, made to a configuration file, most antivirus scanners do not distinguish these contaminated versions as malicious.
“With low AV detection, the attacker has an executable hidden from view, a double agent,” Arbor information security experts explained in a report. “The attacker only needs to stand on a dishonest C2 server that simulates LoJack’s communication protocols.”
Contaminated versions of LoJack are likely to be distributed through spear-phishing. Researchers have not yet been able to identify how APT28 distributed these contaminated LoJack binaries to targets, but believe that hackers used spear phishing emails to trick victims and thus install malicious versions of LoJack on their systems.
Information security researchers believe that APT28 could have been inspired by a 2014 Black Hat talk, when professionals explored the idea of using LoJack software as an extremely modular and persistent backdoor.