LoJax rootkit used by Russian-linked Fancy Bear has been silently active since 2016

Researchers question what the malware was used to accomplish before being first exposed last year

Researchers have discovered that LoJax, the malware that formed the foundation for devastating Fancy Bear attacks in 2018, has been silently active for years.

Use of this infrastructure by the Russian-linked hacking group was exposed in September 2018, just a few months after the LoJax servers were first discovered by security researchers in May.

LoJax was last year found to be incorporated as part of a Fancy Bear Unified Extensible Firmware Interface (UEFI)-based rootkit, which meant LoJax was resistant to hard drive replacements and operating system re-installs.

But a NETSCOUT team of ASERT security researchers has found, by tracing the malware's fingerprint, that LoJax may have been alive in the wild since 2016. The team also learned that two command and control (C2) servers remain active.

"Continued diligence in tracking activity related to LoJax proved that the actors still maintain live C2 servers," the researchers summarised in a blog post.

"They may also have additional ongoing operations outside the 'in the wild' use reported by ESET activity. Even with all of the publicity around LoJax, Fancy Bear operations did not take the publicly disclosed servers offline.

"Because these C2 servers have a long shelf life, organizations should ensure they incorporate the IOCs [indicators of compromise] into their defensive posture. This longevity underscores the importance that LoJax C2s remain in active defense postures for longer periods of time."

The team used intelligence gathered from a known LoJax C2 server to build a network-scanning fingerprint. They used this to search for additional LoJax servers and discovered seven in late 2018. Of these seven, two were subsequently deemed to still be active.

The researchers used DNS records to cross-reference the servers with known LoJax samples, and found the LoJax C2 server had ties to two domains, regvirt.com and elaxo.org.
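The article's practical advice is to fold the LoJax indicators into defensive monitoring. The following is an added example, not NETSCOUT or ASERT tooling: it checks DNS query logs against the two C2 domains named above, matching on label boundaries so that subdomains hit but look-alike names do not. The log lines are constructed for illustration.

```python
# Added example (not NETSCOUT/ASERT tooling): match DNS query logs against the
# two LoJax C2 domains the article names. The log lines below are constructed.
from typing import List, Optional, Set, Tuple

# Indicators from the article; anything further would come from a vetted feed.
LOJAX_C2_DOMAINS = {"regvirt.com", "elaxo.org"}

# Constructed sample DNS query log: "<timestamp> <client-ip> <qname>"
SAMPLE_DNS_LOG = """\
2019-05-02T10:14:07Z 10.0.0.12 update.microsoft.com
2019-05-02T10:15:41Z 10.0.0.12 REGVIRT.COM.
2019-05-02T10:16:03Z 10.0.0.31 cdn.elaxo.org
2019-05-02T10:17:55Z 10.0.0.31 notregvirt.com
2019-05-02T10:18:10Z 10.0.0.44 elaxo.org.lookalike.example
"""

def normalise(qname: str) -> str:
    """Lower-case and drop the trailing root dot: 'REGVIRT.COM.' -> 'regvirt.com'."""
    return qname.strip().lower().rstrip(".")

def matches_indicator(qname: str, indicators: Set[str] = LOJAX_C2_DOMAINS) -> Optional[str]:
    """Return the indicator when qname is that domain or one of its subdomains.

    Matching on label boundaries avoids the substring false positive of a naive
    'ioc in qname' test (notregvirt.com) and ignores names where the indicator
    is only a leading label (elaxo.org.lookalike.example).
    """
    name = normalise(qname)
    for ioc in indicators:
        if name == ioc or name.endswith("." + ioc):
            return ioc
    return None

def scan_dns_log(log_text: str, indicators: Set[str] = LOJAX_C2_DOMAINS) -> List[Tuple[str, str, str, str]]:
    """Return (timestamp, client, qname, indicator) for every matching log line."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines instead of crashing on them
        ts, client, qname = parts
        ioc = matches_indicator(qname, indicators)
        if ioc:
            hits.append((ts, client, normalise(qname), ioc))
    return hits

if __name__ == "__main__":
    for ts, client, qname, ioc in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"{ts} {client} queried {qname} (matches {ioc})")
```

Because the article notes these C2 servers stay live for years, the indicator set should stay in place rather than being retired after the initial disclosure.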

NETSCOUT determined when LoJax first became active by examining domain registration information for when confirmed and suspected domains first came online. Beyond a minor flurry in 2004 and 2006, the cyber security firm detected a massive spike in late 2016.

The findings raise questions as to what the LoJax infrastructure was used to accomplish, and how successful it was, before it was first publicly exposed in 2018. Moreover, NETSCOUT says the rootkit doesn't look like an isolated incident or a one-off attack aimed at a specific group of targets.

An ASERT security researcher told IT Pro that the LoJax domain names were likely chosen to blend in as well as possible with a target organisation's network traffic, and were not necessarily mapped to an organisation's sector.

"Why an organization might be targeted varies as the priorities may shift during the course of an operation, but in general LoJax makes for a good beacon for device tracking along with executing code sent by the command and control server," they said.

"Fancy Bear remains highly active in the cyber landscape. Regardless of whether the business is the primary target of the actor or not, the business may still be targeted due to their connections. Businesses should remain vigilant against cyber-attacks and in particular phishing attempts, which account for the majority of network compromises."

The infamous Russian hacking group previously used the LoJax rootkit to breach and seize control of government systems in September last year. The same rootkit is also claimed to be part of a campaign run by the Sednit group against high-profile targets in Central and Eastern Europe.
