LoJax rootkit used by Russian-linked Fancy Bear has been silently active since 2016

Researchers question what the malware was used to accomplish before being first exposed last year

Researchers have discovered that LoJax, the malware that formed the foundation for devastating Fancy Bear attacks in 2018, has been silently active for years.

Use of this infrastructure by the Russian-linked hacking group was exposed in September 2018, just a few months after the LoJax servers were first discovered by security researchers in May.

LoJax was last year found to be incorporated as part of a Fancy Bear Unified Extensible Firmware Interface (UEFI)-based rootkit, which meant LoJax was resistant to hard drive replacements and operating system re-installs.

But a NETSCOUT team of ASERT security researchers have found that LoJax may have been alive in the wild since 2016, by tracing its fingerprint, also learning there still remains two active command and control (C2) servers.

"Continued diligence in tracking activity related to LoJax proved that the actors still maintain live C2 servers," the researchers summarised in a blog post.

"They may also have additional ongoing operations outside the 'in the wild' use reported by ESET activity. Even with all of the publicity around Lojax, Fancy Bear operations did not take the publicly disclosed servers offline.

"Because these C2 servers have a long shelf life, organizations should ensure they incorporate the IOCs [indicators of compromise] into their defensive posture. This longevity underscores the importance that LoJax C2s remain in active defense postures for longer periods of time."

The team used intelligence gathered from a known LoJax C2 server to build a network-scanning fingerprint. They used this to search for additional LoJax servers, and discovered seven in late-2018. Of these seven, two were subsequently deemed to still be active.

The researchers used DNS records to cross-reference the servers with known LoJax samples, and found the LoJax C2 server had ties to two domains, regvirt.com and elaxo.org.

NETSCOUT determined when LoJax first became active by examining domain registration information for when confirmed and suspected domains first came online. Beyond a minor flurry in 2004 and 2006, the cyber security firm detected a massive spike in late 2016.

The findings raise questions as to what the LoJax infrastructure was used to accomplish, and how successful it was before it was first publicly-exposed in 2018. Moreover, NETSCOUT says the rootkit doesn't look like an isolated incident or one-off attack aimed at a specific group of targets.

An ASERT security researcher told IT Pro the LoJax domain names were likely picked to blend in as best they can with a target organisation's network traffic, and were not necessarily mapped to an organisation's sector.

"Why an organization might be targeted varies as the priorities may shift during the course of an operation, but in general Lojax makes for a good beacon for device tracking along with executing code sent by the command and control server," they said.

"Fancy Bear remains highly active in the cyber landscape. Regardless, if the business is the primary target of the actor or not, the business may still be targeted due to their connections. Businesses should remain vigilant against cyber-attacks and in particular phishing attempts which account for the majority of network compromises."

The infamous Russian hacking group previously used the LoJax rootkit to breach and seize control of government systems in September last year. The same rootkit is also claimed to be part of a campaign run by the Sednit group against high-profile targets in Central and Eastern Europe.

Featured Resources

BIOS security: The next frontier for endpoint protection

Today’s threats upend traditional security measures

Download now

The role of modern storage in a multi-cloud future

Research exploring the impact of modern storage in defining cloud success

Download now

Enterprise data protection: A four-step plan

An interactive buyers’ guide and checklist

Download now

The total economic impact of Adobe Sign

Cost savings and business benefits enabled by Adobe Sign

Download now

Recommended

8 of the most secure web browsers
web browser

8 of the most secure web browsers

25 Sep 2020
Your essential guide to internet security
Security

Your essential guide to internet security

23 Sep 2020
How to enable private browsing on any device
privacy

How to enable private browsing on any device

22 Sep 2020
Third-party apps are tracking your WhatsApp activity
social media

Third-party apps are tracking your WhatsApp activity

21 Sep 2020

Most Popular

16 ways to speed up your laptop
Laptops

16 ways to speed up your laptop

16 Sep 2020
16 ways to speed up your laptop
Laptops

16 ways to speed up your laptop

16 Sep 2020
Google removes 17 apps infected with evasive ‘Joker’ malware
malware

Google removes 17 apps infected with evasive ‘Joker’ malware

28 Sep 2020