Security researchers report that malware with suspected links to Fancy Bear, the Russian cyber-espionage group alleged to be behind the Democratic National Committee hack, is embedding itself in installations of LoJack, an anti-theft program that many corporations use to safeguard their computers.
The researchers' view of the whole scenario
Researchers from Arbor Networks' ASERT lab reported on Tuesday that "those responsible for operating the LoJack 'command and control centre' are likely to be related to Fancy Bear operations."
LoJack's simple design makes it possible for malicious servers to interact with the agent, ASERT noted in its report.
The LoJack agent obscures its hardcoded C2 URL with a single-byte XOR key; however, according to the researchers, it blindly trusts the configuration content and performs no integrity check on it. Once an attacker rewrites this value, the double agent is ready to go.
How does the malware go undetected?
Many security products do not flag the malicious code hidden in the LoJack installation as a threat, experts say.
When the code runs, most security products classify it as "not-a-virus" or a "Risk Tool" rather than as malware.
This makes it easy for the malware to operate in plain sight on the user's computer.
To take over the LoJack communication protocol, the attackers only need to set up a rogue C2 server and point the agent's configuration at it.
Finally, LoJack's "small agent" can read and write memory, which gives it remote backdoor functionality once it is paired with a rogue C2 server.
The attackers are simply hijacking LoJack's own communication protocol, thereby gaining backdoor access to machines running the software.
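As an added example, not code from ASERT or from the LoJack product, the following Python check recovers the single-byte-XOR-obscured C2 URL from an agent configuration blob by trying all 256 keys, then compares the recovered domain against the rogue domains named in this article. The blob layout, the sample blobs and the allowlisted vendor domain are constructed assumptions, not the real agent format.

```python
import re
from typing import Optional, Tuple

# Domains the article ties to the rogue C2 servers, defanged as printed there.
ROGUE_DEFANGED = {"ikmtrust[.]com", "elaxo[.]org", "lxwo[.]org", "sysanalyticweb[.]com"}
KNOWN_ROGUE = {d.replace("[.]", ".") for d in ROGUE_DEFANGED}

# Placeholder for the vendor's genuine agent server: an assumption, not LoJack's real domain.
ALLOWLIST = {"agent-server.example"}

# Shape of a C2 URL once the XOR layer is stripped; a wrong key cannot produce "http://".
URL_RE = re.compile(rb"https?://([a-z0-9.-]+\.[a-z]{2,})")


def recover_c2(blob: bytes) -> Optional[Tuple[int, str]]:
    """Try every single-byte XOR key; return (key, domain) as soon as a URL appears."""
    for key in range(256):
        decoded = bytes(b ^ key for b in blob)
        match = URL_RE.search(decoded)
        if match:
            return key, match.group(1).decode()
    return None


def classify(blob: bytes, allowlist=ALLOWLIST) -> Tuple[str, Optional[str]]:
    """Label an agent's config as legitimate, rogue, suspicious or no-config."""
    found = recover_c2(blob)
    if found is None:
        return "no-config", None
    _key, domain = found
    if domain in allowlist:
        return "legitimate", domain
    if domain in KNOWN_ROGUE:
        return "rogue", domain
    return "suspicious", domain  # unknown C2: isolate the host and investigate


def make_sample(url: bytes, key: int) -> bytes:
    """Constructed test blob: zero padding around the XOR-obscured URL (not LoJack's layout)."""
    plain = b"\x00" * 4 + url + b"\x00" * 4
    return bytes(b ^ key for b in plain)


SAMPLE_ROGUE = make_sample(b"http://sysanalyticweb.com/cfg", 0xB5)
SAMPLE_LEGIT = make_sample(b"http://agent-server.example/cfg", 0x3C)

if __name__ == "__main__":
    for name, blob in (("rogue", SAMPLE_ROGUE), ("legit", SAMPLE_LEGIT)):
        print(name, classify(blob))
```

In practice the blob would be carved from the agent binary found on a host, and a "rogue" or "suspicious" result is the trigger for isolating that machine.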
After analyzing the malware, researcher Richard Hummel reported
Richard Hummel, a malware expert and manager at ASERT, told Dark Reading that the malware would allow attackers to gain control of the infected machine.
Hummel said this is terrible news when the victim is "on a critical system, or the user is someone with high privileges. With all the permissions that LoJack has access to, the attackers gain all the rights to install whatever they want on the victims' machines."
This is where Fancy Bear comes in.
The experts identified which domains the hijacked LoJack installations were trying to reach, and three of the four were traced to Fancy Bear: ikmtrust[.]com, elaxo[.]org, and lxwo[.]org.
A fourth domain, sysanalyticweb[.]com, was “only recently spotted publicly.”
However, it was these signs alone that led ASERT to state with confidence that the developers of the malware were Fancy Bear; ASERT also noted that detailed information about this weakness in the agent has been public since 2014.
Two of these domains were associated with a flyer for a NATO security conference that had been modified to carry a malicious macro involving a tool reportedly often used by Fancy Bear; that campaign was only unveiled late last year.
The third domain, which was also associated with a similarly modified NATO statement, was discovered in February 2017.
Experts linked both of these attacks to Fancy Bear.
The attackers are still to be verified
While this is a big red flag, anyone could be running such domains or using them to hide their identity, including someone pretending to be Fancy Bear.
As Bloomberg View’s Leonid Bershidsky has pointed out, the idea that so much malicious digital activity is explicitly tied to a handful of high-profile Russian groups tends to be overblown, and it’s hard to make a case based on known vulnerabilities or domains that could be fronts.
Curiously, Dark Reading noted, there does not appear to be evidence that the malicious servers the infected LoJack installations connect to are doing anything but emulating the legitimate software, at least not yet.
Hummel also said that ASERT does not know how the malicious code got into the LoJack installations, though he suspects phishing.
And despite headlines touting how “Fancy Bear is hiding in your laptop’s LoJack,” it’s unclear how far this malware could have spread.
Tips to prevent viruses and malware from infecting your system:
- Enable your pop-up blocker: Pop-ups and ads on websites are the most common tactic used by cybercriminals to spread malicious programs.
So avoid clicking on uncertain sites, software offers, pop-ups and the like, and install a capable ad blocker for Chrome, Firefox and IE.
- Keep Windows updated: To avoid such infections, we recommend that you always keep your system updated through automatic Windows Update. Doing so helps keep your device free from viruses. According to the survey, outdated or older versions of the Windows operating system are an easy target.
- Third-party installers: Avoid freeware download websites, as they usually bundle additional software with the installer or stub file.
- Regular backups: Regular, periodic backups keep your data safe in case the system is hit by a virus or any other infection. Always back up important files regularly to a cloud drive or an external hard drive.
- Always have an antivirus: Prevention is better than cure. We recommend that you install an antivirus such as ITL Total Security or a good malware removal tool.