LoJax rootkit used by Russian-linked Fancy Bear has been silently active since 2016

Researchers question what the malware was used to accomplish before being first exposed last year

Researchers have discovered that LoJax, the malware that formed the foundation for devastating Fancy Bear attacks in 2018, has been silently active for years.

Use of this infrastructure by the Russian-linked hacking group was exposed in September 2018, just a few months after the LoJax servers were first discovered by security researchers in May.

LoJax was last year found to be incorporated as part of a Fancy Bear Unified Extensible Firmware Interface (UEFI)-based rootkit, which meant LoJax was resistant to hard drive replacements and operating system re-installs.

But a NETSCOUT team of ASERT security researchers have found that LoJax may have been alive in the wild since 2016, by tracing its fingerprint, also learning there still remains two active command and control (C2) servers.

"Continued diligence in tracking activity related to LoJax proved that the actors still maintain live C2 servers," the researchers summarised in a blog post.

"They may also have additional ongoing operations outside the 'in the wild' use reported by ESET activity. Even with all of the publicity around Lojax, Fancy Bear operations did not take the publicly disclosed servers offline.

"Because these C2 servers have a long shelf life, organizations should ensure they incorporate the IOCs [indicators of compromise] into their defensive posture. This longevity underscores the importance that LoJax C2s remain in active defense postures for longer periods of time."

The team used intelligence gathered from a known LoJax C2 server to build a network-scanning fingerprint. They used this to search for additional LoJax servers, and discovered seven in late-2018. Of these seven, two were subsequently deemed to still be active.

The researchers used DNS records to cross-reference the servers with known LoJax samples, and found the LoJax C2 server had ties to two domains, regvirt.com and elaxo.org.

NETSCOUT determined when LoJax first became active by examining domain registration information for when confirmed and suspected domains first came online. Beyond a minor flurry in 2004 and 2006, the cyber security firm detected a massive spike in late 2016.

The findings raise questions as to what the LoJax infrastructure was used to accomplish, and how successful it was before it was first publicly-exposed in 2018. Moreover, NETSCOUT says the rootkit doesn't look like an isolated incident or one-off attack aimed at a specific group of targets.

An ASERT security researcher told IT Pro the LoJax domain names were likely picked to blend in as best they can with a target organisation's network traffic, and were not necessarily mapped to an organisation's sector.

"Why an organization might be targeted varies as the priorities may shift during the course of an operation, but in general Lojax makes for a good beacon for device tracking along with executing code sent by the command and control server," they said.

"Fancy Bear remains highly active in the cyber landscape. Regardless, if the business is the primary target of the actor or not, the business may still be targeted due to their connections. Businesses should remain vigilant against cyber-attacks and in particular phishing attempts which account for the majority of network compromises."

The infamous Russian hacking group previously used the LoJax rootkit to breach and seize control of government systems in September last year. The same rootkit is also claimed to be part of a campaign run by the Sednit group against high-profile targets in Central and Eastern Europe.

Featured Resources

Next-generation time series: Forecasting for the real world, not the ideal world

Solve time series problems with AI

Free download

The future of productivity

Driving your business forward with Microsoft Office 365

Free download

How to plan for endpoint security against ever-evolving cyber threats

Safeguard your devices, data, and reputation

Free download

A quantitative comparison of UPS monitoring and servicing approaches across edge environments

Effective UPS fleet management

Free download

Recommended

Malware developers create malformed code signatures to avoid detection
malware

Malware developers create malformed code signatures to avoid detection

24 Sep 2021
New malware uses search engine ads to target pirate gamers
malware

New malware uses search engine ads to target pirate gamers

21 Jul 2021
Nigerian cyber criminals target Texas unemployment system
cyber security

Nigerian cyber criminals target Texas unemployment system

27 May 2021
Hackers use open source Microsoft dev platform to deliver trojans
Security

Hackers use open source Microsoft dev platform to deliver trojans

14 May 2021

Most Popular

Best Linux distros 2021
operating systems

Best Linux distros 2021

11 Oct 2021
Apple MacBook Pro 15in vs Dell XPS 15: Clash of the titans
Laptops

Apple MacBook Pro 15in vs Dell XPS 15: Clash of the titans

11 Oct 2021
PayPal dismisses $45 billion Pinterest takeover as "market rumour"
Acquisition

PayPal dismisses $45 billion Pinterest takeover as "market rumour"

25 Oct 2021