Russian hacking group APT28 allegedly hijacked LoJack software to steal data
Security researchers at Arbor Networks Inc., a provider of network security and management solutions, have found that the legitimate anti-theft/recovery software LoJack appears to have been covertly modified so that attackers can lurk in corporate networks and carry out malicious activity. The researchers said that the domain names found in the tampered LoJack instances appear to be related to previous operations by the Russian hacking group APT28.
Absolute LoJack is marketed as a persistent security solution that can track and recover stolen devices while protecting the owner's personal information.
The researchers found that the LoJack application binary had been manipulated so that the LoJack agent was directed to a malicious Command and Control (C&C) server. Information that the agent would normally send to LoJack's central server was instead sent to a server controlled by APT28, and the agent would also accept instructions from that server.
Given how the LoJack agent is built, an attacker who controls it inherits a built-in persistence mechanism: the agent survives operating-system reinstallation and even hard-disk replacement, and it executes arbitrary code on the target system with the highest privileges. That code-execution capability lets APT28 operators download additional malware, search for sensitive data, exfiltrate stolen data to remote servers, clear logs, and even render infected computers unusable.
Because the change to the LoJack binary is tiny (only the embedded configuration is altered), most anti-virus products do not classify the tampered versions as malicious.
The researchers said that, thanks to this low detection rate, an attacker can hide the executable in plain sight; all the attacker then needs is a C&C server that mimics the LoJack communication protocol.
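The tampering described above comes down to a small patch of the agent's embedded configuration, so one practical check is to pull every domain-like string out of the agent binary and compare it against the domains the vendor actually uses. The following is an added example, not code from Arbor Networks or Absolute: the byte layout of the sample "binary", the placeholder domains `legit.example.com` and `cnc01.example.net`, and the allowlist are all constructed for the demonstration and are not the real agent's format or infrastructure. It also shows how few bytes separate the legitimate and tampered samples, which is why signature-based anti-virus struggles with this case.

```python
import re

# Constructed allowlist: in practice, populate this from the vendor's
# documented infrastructure. The domain below is a placeholder.
ALLOWED_DOMAINS = {"legit.example.com"}

# Matches dotted host names in ASCII; case-insensitive so mixed-case
# strings in a binary are still caught.
DOMAIN_RE = re.compile(rb"(?:[a-z0-9-]+\.)+[a-z]{2,}", re.IGNORECASE)


def build_sample(domain: str) -> bytes:
    """Constructed stand-in for an agent binary that embeds its C&C
    domain as a UTF-16LE string (a common choice on Windows). The real
    agent's layout is NOT assumed here; this is only test input."""
    header = b"MZ" + b"\x00" * 14 + b"rpcagent-config\x00"
    body = b"\x90" * 32 + domain.encode("utf-16-le") + b"\x00\x00"
    return header + body + b"\xcc" * 16


def _wide_to_narrow(blob: bytes, offset: int) -> bytes:
    """Collapse UTF-16LE text starting at the given byte offset (0 or 1)
    into ASCII; anything that is not a printable wide character becomes a
    space so that unrelated bytes cannot join two strings together."""
    out = bytearray()
    for i in range(offset, len(blob) - 1, 2):
        lo, hi = blob[i], blob[i + 1]
        out.append(lo if hi == 0 and 0x20 <= lo < 0x7F else 0x20)
    return bytes(out)


def extract_domains(blob: bytes) -> set:
    """Return every domain-like string found as ASCII or as UTF-16LE."""
    streams = [blob, _wide_to_narrow(blob, 0), _wide_to_narrow(blob, 1)]
    found = set()
    for stream in streams:
        for match in DOMAIN_RE.finditer(stream):
            found.add(match.group().decode("ascii").lower())
    return found


def scan_agent(blob: bytes, allowed: set) -> dict:
    """Flag the binary as tampered if it carries any domain outside the
    allowlist. Returns the evidence so an analyst can review it."""
    domains = extract_domains(blob)
    unexpected = domains - {d.lower() for d in allowed}
    return {
        "domains": sorted(domains),
        "unexpected": sorted(unexpected),
        "tampered": bool(unexpected),
    }


def count_differing_bytes(a: bytes, b: bytes) -> int:
    """How many byte positions differ between two same-length blobs.
    Illustrates how small the patch that redirects the agent can be."""
    if len(a) != len(b):
        raise ValueError("samples must be the same length for this comparison")
    return sum(1 for x, y in zip(a, b) if x != y)


if __name__ == "__main__":
    legit = build_sample("legit.example.com")
    patched = build_sample("cnc01.example.net")  # constructed "tampered" copy
    print(scan_agent(legit, ALLOWED_DOMAINS))
    print(scan_agent(patched, ALLOWED_DOMAINS))
    print("bytes changed by the patch:", count_differing_bytes(legit, patched))
```

The scan deliberately looks in both byte alignments of UTF-16LE text, since a patched string need not start on an even offset. In a real investigation the allowlist would come from the vendor, the comparison would be run against the signed binary's known-good hash as well, and any unexpected domain would be pivoted into DNS and proxy logs to see whether the host ever contacted it.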
The researchers stated that they found no direct evidence that APT28 used LoJack to break into victim systems and steal data, but they consider this scenario likely and believe that spear-phishing emails were used to trick victims into installing the trojanized LoJack agent.
The researchers believe APT28 may have been inspired by a presentation at the Black Hat 2014 conference when repurposing LoJack as a persistent, modular backdoor.