Researchers Find Malware That Hijacks Anti-Theft Software LoJack

By Nitish Singh / May 3, 2018

Security researchers with Arbor Networks’ ASERT Lab have published a report stating that they discovered LoJack agents whose command and control (C2) domains are likely associated with Fancy Bear operations. Because the agent does not verify the configuration it reads, a modified installation contacts the attackers’ servers instead of the legitimate ones.

The LoJack agent obfuscates its C2 URL with a single-byte XOR key. According to the ASERT researchers, however, the agent blindly trusts the configuration content: nothing authenticates it. An attacker who rewrites the obfuscated C2 value with a domain of their choosing turns the legitimate agent into a double agent that reports to them.
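The following is an added example, not code from the ASERT report or from Absolute’s LoJack agent, showing the mechanism just described: a C2 domain hidden in a config blob under a single-byte XOR key, an agent that decodes and uses it without any authentication, the double-agent patch that swaps in an attacker domain under the same key, and the two checks a responder would want, a brute-force scan that recovers the hidden domain from a binary without knowing the key, and the allow-list check the agent lacks. The key byte, domain names and config layout are constructed placeholders, not the real LoJack values.

```python
"""Single-byte XOR C2 obfuscation: trusting agent, double-agent patch, and
the scan/verify logic a responder would run. Everything here is constructed
for illustration and is not the LoJack agent's real key, layout or domains."""
import re

# Constructed placeholders: not the real LoJack key, header or domains.
KEY = 0x5A
LEGIT_DOMAIN = "search.legit.example"
EVIL_DOMAIN = "c2.evil.example"
MAGIC = b"CFG1"  # constructed config header

# Domain-shaped ASCII: one or more labels, a dot, then an alphabetic TLD.
DOMAIN_RE = re.compile(rb"(?:[a-z0-9-]+\.)+[a-z]{2,}")


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR is its own inverse, so this both obfuscates and decodes."""
    return bytes(b ^ key for b in data)


def build_config(domain: str, key: int) -> bytes:
    """Constructed layout: MAGIC | 1-byte length | XOR-obfuscated domain."""
    enc = xor_bytes(domain.encode("ascii"), key)
    return MAGIC + bytes([len(enc)]) + enc


def read_c2_trusting(blob: bytes, key: int) -> str:
    """What the described agent does: de-obfuscate and use whatever it finds.
    Nothing authenticates the content, so a patched blob yields a patched C2."""
    if blob[:4] != MAGIC:
        raise ValueError("bad header")
    n = blob[4]
    return xor_bytes(blob[5:5 + n], key).decode("ascii")


def patch_c2(blob: bytes, key: int, new_domain: str) -> bytes:
    """The double-agent modification: obfuscate a new domain under the same
    key and splice it in. The header is untouched, so the agent accepts it."""
    if blob[:4] != MAGIC:
        raise ValueError("bad header")
    n = blob[4]
    enc = xor_bytes(new_domain.encode("ascii"), key)
    return blob[:4] + bytes([len(enc)]) + enc + blob[5 + n:]


def brute_force_domains(blob: bytes, min_len: int = 8):
    """Hunt for the hidden C2 without knowing the key: try all 256 keys and
    keep anything that decodes to a domain-shaped ASCII string. Returns a
    list of (key, domain) pairs; the true key shows up with a readable name."""
    hits = []
    for key in range(256):
        plain = xor_bytes(blob, key)
        for m in DOMAIN_RE.finditer(plain):
            if len(m.group(0)) >= min_len:
                hits.append((key, m.group(0).decode("ascii")))
    return hits


def check_c2(blob: bytes, key: int, allowed: set) -> bool:
    """The check the agent lacks: only accept a C2 on an allow-list. A real
    fix would authenticate the whole config (e.g. a signature) rather than
    allow-list a string; the allow-list is enough to show the decision."""
    try:
        return read_c2_trusting(blob, key) in allowed
    except (ValueError, UnicodeDecodeError, IndexError):
        return False


if __name__ == "__main__":
    clean = build_config(LEGIT_DOMAIN, KEY)
    evil = patch_c2(clean, KEY, EVIL_DOMAIN)
    print("trusting agent, clean  :", read_c2_trusting(clean, KEY))
    print("trusting agent, patched:", read_c2_trusting(evil, KEY))
    print("brute-force scan hits  :", brute_force_domains(evil))
    print("allow-list accepts evil:", check_c2(evil, KEY, {LEGIT_DOMAIN}))
```

Run against a real agent image you would feed `brute_force_domains` the whole file rather than a small blob; the scan is O(256 × size) and the regex filter keeps the false-positive rate low on binary data. Any hit that is not the vendor’s known domain is the indicator worth escalating.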

Image: Fancy Bear (courtesy of Defense One)

Many anti-virus products did not detect the modified executable that was slipped into LoJack installations, and those that did flagged it as a “Risk Tool” rather than as malware, since the agent itself is legitimate, widely deployed software. Hiding in plain sight this way, the modified agent hands its built-in remote-management capabilities, in effect a backdoor, to whoever controls the C2 server.

The researchers found that the hijacked LoJack installations attempted to contact four domains, three of which had previously been traced to Fancy Bear. This led the team to conclude with “moderate confidence” that Fancy Bear is behind the modified agents. They also noted that the underlying weakness has been publicly known since 2014.

However, anyone could be operating those domains while posing as Fancy Bear. As Leonid Bershidsky of Bloomberg View has argued, the idea that all nefarious digital activity traces back to a handful of high-profile groups is overblown, and it is hard to build an attribution case on known weaknesses or on domains that could be used as fronts.

It has also been noted that there does not appear to be any evidence that the servers the hijacked installations connect to are doing anything beyond emulating the legitimate LoJack service. The ASERT team does not yet know how the modified agents reached victims’ machines, so it is unclear how the malware spread.
