Eight months after discovery, unkillable LoJax rootkit campaign remains active
Last May, researchers published a bombshell report documenting sophisticated malware attributed to the Russian government. The malware, dubbed “LoJax,” creates a persistent backdoor that survives operating system reinstalls and hard drive replacements. On Wednesday, researchers published new findings that indicate the campaign remains active.
In May, LoJax became the first known case of a real-world attack that leveraged the Unified Extensible Firmware Interface (UEFI) boot system found in virtually all modern Windows computers. As software that bridges a PC’s firmware and its operating system, UEFI is essentially a lightweight operating system in its own right. That makes it a handy place to hide rootkits, because once installed there, a rootkit remains in place even after the OS is reinstalled or the hard drive is replaced.
LoJack repurposed
LoJax gets its name from LoJack, an anti-theft product from developer Absolute Software. The rootkit is a modified version of a 2008 release of LoJack (then called Computrace). The anti-theft software achieved persistence by burrowing into the UEFI of the computer it was protecting. The design ensured that even if a thief made major changes to a computer’s hardware or software, a LoJack “small agent” would remain intact and be able to contact Absolute Software servers.
LoJax repurposes the LoJack software and exploits a key shortcoming—the lack of any means for the Absolute Software server to authenticate itself to the software. LoJax uses most of the working functionality of the legitimate anti-theft tool—a feature that long made it hard for antivirus software to detect the malware. The trojan makes modifications that cause it to connect to servers believed to be operated by Fancy Bear, a hacking group that works under the direction of the Russian government.
LoJax samples first came to light in the report Arbor Networks published in May 2018. In September, researchers from Eset documented LoJax samples and found at least one case in which the rootkit had been successfully installed in a computer’s Serial Peripheral Interface (SPI) flash memory.
Now Arbor is back with new research that analyzes new samples. They reveal some never-before-seen control server domains, at least two of which remain active now. The discovery also indicates that Fancy Bear’s LoJax campaign started in late 2016.
“Continued diligence in tracking activity related to LoJax proved that the actors still maintain live C2 [command and control] servers and may have additional ongoing operations outside the in the wild use reported by ESET activity in September 2018, about 5 months after public reporting of LoJax,” Arbor researchers wrote. “Even with all of the publicity around Lojax, Fancy Bear operations have kept some of the originally identified C2 servers alive.”
The IP addresses turned up in the analysis include:
- 185.86.151[.]2
- 169.239.128[.]133
- 185.181.102[.]201
- 46.21.147[.]76
- 169.239.129[.]121
- 46.21.147[.]71
- 86.106.131[.]54
The first two remain active now. The same IP addresses appeared in research published in October by the UK’s National Cyber Security Center. Based on passive DNS searches of many of the IPs from that report, Arbor researchers believe they uncovered additional LoJax control server-to-domain mappings:
| Arbor Researched Domain Mapping | UK NCSC IP |
|---|---|
| UNKNOWN | 185.86.148[.]184 |
| moldstream[.]md | 185.181.102[.]201 |
| visualrates[.]com | 169.239.129[.]121 |
| regvirt[.]com | 46.21.147[.]71 |
| ntpstatistics[.]com | 169.239.128[.]133 |
| oiatribe[.]com | 162.208.10[.]66 |
| msfontserver[.]com | 179.43.158[.]20 |
| treckanalytics[.]com | 94.177.12[.]150 |
| unigymboom[.]com | 185.86.151[.]2 |
| sysanalyticweb[.]com | 54.37.104[.]106 |
| remotepx[.]net | 85.204.124[.]77 |
| vsnet[.]co | 46.21.147[.]76 |
| hp-apps[.]com | 185.86.149[.]116 |
| jflynci[.]com | 185.86.151[.]104 |
| peacefund[.]eu | 185.183.107[.]40 |
| elaxo[.]org | 86.106.131[.]54 |
| oiagives[.]com | 162.208.10[.]66 |
| UNKNOWN | 93.113.131[.]103 |
| webstp[.]com | 185.94.191[.]65 |
The report went on to map specific domains to specific LoJax samples. It also provided the following recent IP-to-domain mappings, which Arbor assesses with moderate confidence to be LoJax C2 domains that are either in use today or set aside for future use:

| Scanner Found IP | ASERT Researched Domain Mapping | Last Active |
|---|---|---|
| 185.86.151[.]2 | unigymboom[.]com | Current |
| 169.239.128[.]133 | ntpstatistics[.]com | Current |
| 185.181.102[.]201 | moldstream[.]md | Fall 2018 |
| 46.21.147[.]76 | vsnet[.]co | Fall 2018 |
| 169.239.129[.]121 | visualrates[.]com | Fall 2018 |
Both the ntpstatistics[.]com and unigymboom[.]com domains point to live control servers that can still be contacted by LoJax’s agents, Arbor researchers said.
The new findings suggest that the LoJax campaign remains active despite having been publicly exposed. The above-linked Eset report provides a variety of indicators that people can use to determine whether a computer is infected.
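As an added example, not part of the original article and not Arbor's or Eset's own tooling, the script below matches DNS and connection log lines against the C2 IP addresses and domains listed in the tables above, converting the article's defanged `[.]` notation back into matchable strings. The log format and the sample lines are constructed for illustration; matches on subdomains of a listed domain are reported as hits because a C2 domain's subdomains are under the same operator's control.

```python
"""Match DNS and connection log lines against the LoJax C2 indicators above."""
import ipaddress
import re
from typing import List, Optional, Tuple

# C2 indicators copied from the article's tables, kept in the defanged form used there.
LOJAX_C2_INDICATORS = [
    "185.86.151[.]2", "169.239.128[.]133", "185.181.102[.]201", "46.21.147[.]76",
    "169.239.129[.]121", "46.21.147[.]71", "86.106.131[.]54", "185.86.148[.]184",
    "162.208.10[.]66", "179.43.158[.]20", "94.177.12[.]150", "54.37.104[.]106",
    "85.204.124[.]77", "185.86.149[.]116", "185.86.151[.]104", "185.183.107[.]40",
    "93.113.131[.]103", "185.94.191[.]65",
    "moldstream[.]md", "visualrates[.]com", "regvirt[.]com", "ntpstatistics[.]com",
    "oiatribe[.]com", "msfontserver[.]com", "treckanalytics[.]com", "unigymboom[.]com",
    "sysanalyticweb[.]com", "remotepx[.]net", "vsnet[.]co", "hp-apps[.]com",
    "jflynci[.]com", "peacefund[.]eu", "elaxo[.]org", "oiagives[.]com", "webstp[.]com",
]


def refang(indicator: str) -> str:
    """Turn the report's defanged notation ("[.]") back into a matchable string."""
    return indicator.replace("[.]", ".").lower()


def build_sets(indicators: List[str]):
    """Split refanged indicators into an IP set and a domain set."""
    ips, domains = set(), set()
    for raw in indicators:
        value = refang(raw)
        try:
            ips.add(str(ipaddress.ip_address(value)))
        except ValueError:
            domains.add(value)
    return ips, domains


C2_IPS, C2_DOMAINS = build_sets(LOJAX_C2_INDICATORS)

# Tokens that could be an IPv4 address or a hostname; surrounding punctuation is not captured.
TOKEN_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9.\-]*[A-Za-z0-9]")


def domain_matches(hostname: str) -> Optional[str]:
    """Return the listed C2 domain that hostname equals or is a subdomain of, else None."""
    labels = hostname.lower().split(".")
    # Never test the bare TLD on its own (range stops one label short).
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in C2_DOMAINS:
            return candidate
    return None


def scan_line(line: str) -> List[Tuple[str, str]]:
    """Return (indicator, kind) hits for one log line; an empty list means no match."""
    hits = []
    for token in TOKEN_RE.findall(line):
        try:
            ip = str(ipaddress.ip_address(token))
        except ValueError:
            ip = None
        if ip is not None:
            if ip in C2_IPS:
                hits.append((ip, "ip"))
            continue  # an IP token is never also a hostname
        matched = domain_matches(token)
        if matched:
            hits.append((matched, "domain"))
    return hits


def scan_logs(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line_number, kind, indicator) for every hit across the given log lines."""
    findings = []
    for number, line in enumerate(lines, start=1):
        for indicator, kind in scan_line(line):
            findings.append((number, kind, indicator))
    return findings


# Constructed sample log lines (assumed format; not real traffic).
SAMPLE_LOG_LINES = [
    "2019-01-17T10:02:11Z dns client=10.0.0.5 qname=unigymboom.com qtype=A",
    "2019-01-17T10:02:12Z conn src=10.0.0.5 dst=185.86.151.2 dport=443 proto=tcp",
    "2019-01-17T10:03:00Z dns client=10.0.0.7 qname=www.example.com qtype=A",
    "2019-01-17T10:04:00Z conn src=10.0.0.7 dst=93.184.216.34 dport=443 proto=tcp",
    "2019-01-17T10:05:30Z dns client=10.0.0.9 qname=time.ntpstatistics.com qtype=A",
]

if __name__ == "__main__":
    for number, kind, indicator in scan_logs(SAMPLE_LOG_LINES):
        print(f"line {number}: LoJax C2 {kind} {indicator}")
```

A hit on one of the "Fall 2018" or older addresses is weaker evidence than a hit on a currently active one, since IP addresses get reassigned; the domain-level matches are the more durable signal, and any hit should be followed up with the firmware-level checks described in the Eset report rather than treated as proof of infection on its own.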