LoJax rootkit used by Russian-linked Fancy Bear has been silently active since 2016

Researchers question what the malware was used to accomplish before being first exposed last year

Researchers have discovered that LoJax, the malware that formed the foundation for devastating Fancy Bear attacks in 2018, has been silently active for years.

Use of this infrastructure by the Russian-linked hacking group was exposed in September 2018, just a few months after the LoJax servers were first discovered by security researchers in May.

LoJax was last year found to be incorporated as part of a Fancy Bear Unified Extensible Firmware Interface (UEFI)-based rootkit, which meant LoJax was resistant to hard drive replacements and operating system re-installs.

But a NETSCOUT team of ASERT security researchers have found that LoJax may have been alive in the wild since 2016, by tracing its fingerprint, also learning there still remains two active command and control (C2) servers.

Advertisement
Advertisement - Article continues below

"Continued diligence in tracking activity related to LoJax proved that the actors still maintain live C2 servers," the researchers summarised in a blog post.

"They may also have additional ongoing operations outside the 'in the wild' use reported by ESET activity. Even with all of the publicity around Lojax, Fancy Bear operations did not take the publicly disclosed servers offline.

"Because these C2 servers have a long shelf life, organizations should ensure they incorporate the IOCs [indicators of compromise] into their defensive posture. This longevity underscores the importance that LoJax C2s remain in active defense postures for longer periods of time."

The team used intelligence gathered from a known LoJax C2 server to build a network-scanning fingerprint. They used this to search for additional LoJax servers, and discovered seven in late-2018. Of these seven, two were subsequently deemed to still be active.

The researchers used DNS records to cross-reference the servers with known LoJax samples, and found the LoJax C2 server had ties to two domains, regvirt.com and elaxo.org.

NETSCOUT determined when LoJax first became active by examining domain registration information for when confirmed and suspected domains first came online. Beyond a minor flurry in 2004 and 2006, the cyber security firm detected a massive spike in late 2016.

The findings raise questions as to what the LoJax infrastructure was used to accomplish, and how successful it was before it was first publicly-exposed in 2018. Moreover, NETSCOUT says the rootkit doesn't look like an isolated incident or one-off attack aimed at a specific group of targets.

An ASERT security researcher told IT Pro the LoJax domain names were likely picked to blend in as best they can with a target organisation's network traffic, and were not necessarily mapped to an organisation's sector.

"Why an organization might be targeted varies as the priorities may shift during the course of an operation, but in general Lojax makes for a good beacon for device tracking along with executing code sent by the command and control server," they said.

"Fancy Bear remains highly active in the cyber landscape. Regardless, if the business is the primary target of the actor or not, the business may still be targeted due to their connections. Businesses should remain vigilant against cyber-attacks and in particular phishing attempts which account for the majority of network compromises."

Advertisement
Advertisement - Article continues below

The infamous Russian hacking group previously used the LoJax rootkit to breach and seize control of government systems in September last year. The same rootkit is also claimed to be part of a campaign run by the Sednit group against high-profile targets in Central and Eastern Europe.

Featured Resources

The IT Pro guide to Windows 10 migration

Everything you need to know for a successful transition

Download now

Managing security risk and compliance in a challenging landscape

How key technology partners grow with your organisation

Download now

Software-defined storage for dummies

Control storage costs, eliminate storage bottlenecks and solve storage management challenges

Download now

6 best practices for escaping ransomware

A complete guide to tackling ransomware attacks

Download now
Advertisement

Recommended

Visit/malware/33080/hackers-abuse-linkedin-dms-to-plant-malware
malware

Hackers abuse LinkedIn DMs to plant malware

25 Feb 2019
Visit/security/354156/google-confirms-android-cameras-can-be-hijacked-to-spy-on-you
Security

Google confirms Android cameras can be hijacked to spy on you

20 Nov 2019
Visit/antivirus/28144/best-antivirus
antivirus

Best antivirus for Windows 10

3 Sep 2019
Visit/security/malware/28083/the-five-best-free-malware-removal-tools
Security

Best free malware removal tools 2019

8 Mar 2019

Most Popular

Visit/security/identity-and-access-management-iam/354289/44-million-microsoft-customers-found-using
identity and access management (IAM)

44 million Microsoft customers found using compromised passwords

6 Dec 2019
Visit/cloud/microsoft-azure/354230/microsoft-not-amazon-is-going-to-win-the-cloud-wars
Microsoft Azure

Microsoft, not Amazon, is going to win the cloud wars

30 Nov 2019
Visit/operating-systems/microsoft-windows/354297/this-exploit-could-give-users-free-windows-7-updates
Microsoft Windows

This exploit could give users free Windows 7 updates beyond 2020

9 Dec 2019
Visit/hardware/354237/five-signs-that-its-time-to-retire-it-kit
Sponsored

Five signs that it’s time to retire IT kit

29 Nov 2019