LoJax rootkit used by Russian-linked Fancy Bear has been silently active since 2016

Researchers question what the malware was used to accomplish before being first exposed last year

Researchers have discovered that LoJax, the malware that formed the foundation for devastating Fancy Bear attacks in 2018, has been silently active for years.

Use of this infrastructure by the Russian-linked hacking group was exposed in September 2018, just a few months after the LoJax servers were first discovered by security researchers in May.

LoJax was last year found to have been incorporated into a Fancy Bear Unified Extensible Firmware Interface (UEFI) rootkit. Because the implant is written into the system's SPI flash firmware rather than to disk, it survives hard drive replacements and operating system reinstalls.

But NETSCOUT's ASERT security research team has found, by tracing the malware's network fingerprint, that LoJax may have been alive in the wild since 2016, and that two command and control (C2) servers still remain active.


"Continued diligence in tracking activity related to LoJax proved that the actors still maintain live C2 servers," the researchers summarised in a blog post.

"They may also have additional ongoing operations outside the 'in the wild' use reported by ESET activity. Even with all of the publicity around Lojax, Fancy Bear operations did not take the publicly disclosed servers offline.

"Because these C2 servers have a long shelf life, organizations should ensure they incorporate the IOCs [indicators of compromise] into their defensive posture. This longevity underscores the importance that LoJax C2s remain in active defense postures for longer periods of time."

The team used intelligence gathered from a known LoJax C2 server to build a network-scanning fingerprint. They used this to search for additional LoJax servers, and discovered seven in late 2018. Of these seven, two were subsequently deemed to still be active.

The researchers used DNS records to cross-reference the servers with known LoJax samples, and found the LoJax C2 server had ties to two domains, regvirt.com and elaxo.org.
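Putting the researchers' advice about IOCs into practice: the block below is an added example, not NETSCOUT/ASERT code, that matches DNS query logs against the two domains named above. It normalises FQDN form and case, flags subdomains of an IOC without flagging look-alike names such as "notelaxo.org", and skips malformed lines. The log format and the log lines themselves are constructed for the example.

```python
"""Match DNS query logs against LoJax C2 domain IOCs.

Added example, not NETSCOUT/ASERT code. The two domains are the ones named
in the article; the log format and log lines below are constructed.
"""
import re
from collections import defaultdict

# Domains the article attributes to the LoJax C2 infrastructure.
LOJAX_C2_DOMAINS = {"regvirt.com", "elaxo.org"}

# Constructed log format: "<timestamp> <client_ip> <qname> <qtype>"
LOG_LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def normalize_domain(name):
    """Lower-case and strip the trailing dot so 'Elaxo.ORG.' matches 'elaxo.org'."""
    return name.strip().lower().rstrip(".")


def matches_ioc(qname, iocs=LOJAX_C2_DOMAINS):
    """Return the matching IOC domain if qname is the IOC or a subdomain of it.

    A bare suffix match would wrongly flag 'notelaxo.org'; checking for a
    label boundary ('.' + ioc) avoids that false positive. A name such as
    'regvirt.com.evil.test' is also not a hit, since the IOC is not its suffix.
    """
    name = normalize_domain(qname)
    for ioc in iocs:
        if name == ioc or name.endswith("." + ioc):
            return ioc
    return None


def scan_dns_log(lines, iocs=LOJAX_C2_DOMAINS):
    """Return {client_ip: [(timestamp, qname, ioc), ...]} for every IOC hit."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the scan
        ts, client, qname, _qtype = m.groups()
        ioc = matches_ioc(qname, iocs)
        if ioc:
            hits[client].append((ts, normalize_domain(qname), ioc))
    return dict(hits)


# Constructed sample log: two true hits, one look-alike, one unrelated name,
# one name that merely contains an IOC as a prefix, and one garbage line.
SAMPLE_LOG = """\
2019-01-14T08:00:01Z 10.0.0.5 www.example.com A
2019-01-14T08:00:07Z 10.0.0.5 Elaxo.ORG. A
2019-01-14T08:00:09Z 10.0.0.9 notelaxo.org A
2019-01-14T08:01:12Z 10.0.0.23 cdn.regvirt.com A
2019-01-14T08:01:30Z 10.0.0.23 regvirt.com.evil.test A
garbage line
"""

if __name__ == "__main__":
    for client, events in scan_dns_log(SAMPLE_LOG.splitlines()).items():
        for ts, qname, ioc in events:
            print(f"{ts} {client} queried {qname} (IOC: {ioc})")
```

Domain IOCs are a weak signal on their own: a hit tells you a host resolved a known C2 name, which warrants investigation of that host, not that firmware has been compromised. The long shelf life of these servers, as the researchers note, is the reason to keep the domains in the match list well after the original disclosure.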

NETSCOUT estimated when LoJax first became active by examining the registration dates of confirmed and suspected LoJax domains. Beyond a minor flurry in 2004 and 2006, the cyber security firm detected a massive spike in late 2016. A registration date shows when infrastructure was set up, not when it was first used against a target, so 2016 is a lower bound on the start of operations rather than proof of them.


The findings raise questions as to what the LoJax infrastructure was used to accomplish, and how successful it was, before it was first publicly exposed in 2018. Moreover, NETSCOUT says the rootkit doesn't look like an isolated incident or a one-off attack aimed at a specific group of targets.

An ASERT security researcher told IT Pro the LoJax domain names were likely picked to blend in as best they could with a target organisation's network traffic, and were not necessarily mapped to an organisation's sector.

"Why an organization might be targeted varies as the priorities may shift during the course of an operation, but in general Lojax makes for a good beacon for device tracking along with executing code sent by the command and control server," they said.

"Fancy Bear remains highly active in the cyber landscape. Regardless, if the business is the primary target of the actor or not, the business may still be targeted due to their connections. Businesses should remain vigilant against cyber-attacks and in particular phishing attempts which account for the majority of network compromises."

ESET's September 2018 report described the infamous Russian hacking group using the LoJax rootkit against government organisations in Central and Eastern Europe. ESET tracks Fancy Bear under the name Sednit, so the Sednit campaign in which the same rootkit was found is the same group's work, not a separate actor's.
