Security researchers have found tainted versions of the legitimate LoJack software that appeared to have been sneakily modified to allow hackers inside companies that use it.
Researchers say domains found inside the tainted LoJack instances have been previously tied to other hacking operations carried out by APT28, a codename used to describe a nation-state-backed cyber-espionage group located in Russia, with ties to the country's military intelligence.
The software used in this operation is LoJack, an app that companies or lone users install on their devices (laptops, tablets, smartphones) that works as a beacon and allows owners to track and locate devices in case of theft.
Researchers at Arbor Networks said they've found LoJack apps whose binary contained a small modification pointing the LoJack agent to a rogue command-and-control (C&C) server.
This means that instead of reporting to the central LoJack server, the LoJack agents reported to, and received instructions from, domains under APT28's control.
Arbor experts said they weren't able to find any evidence that APT28 used LoJack to enter victims' systems and steal data, although this doesn't completely rule out that it has happened by now.
Because of the way the LoJack agent is built, attackers have access to a powerful piece of software. It comes with a potent built-in persistence system that allows LoJack to survive hard drive replacements and operating system (OS) re-imaging, and it can execute any code on the target's system with the highest privileges possible.
This latter feature would allow APT28 operators to download other malware, search for sensitive data, exfiltrate stolen data to remote servers, clean logs of any intrusion artifacts, and even wipe or damage infected PCs.
Because the modification to the tainted LoJack binaries is extremely small and insignificant (it is made to a configuration file), most antivirus scanners don't flag these tainted versions as malicious.
"With low AV detection, the attacker now has an executable hiding in plain sight, a double-agent," Arbor experts explained in a technical write-up. "The attacker simply needs to stand up a rogue C2 server that simulates the Lojack communication protocols."
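An added example, not taken from Arbor's write-up or this article: a defender-side audit that extracts the check-in hosts embedded in an agent binary and flags any that are not on an expected list, which catches a config-only change that leaves the code untouched. The single-byte XOR obfuscation, the `vendor.example` and `rogue.example` hosts, and the sample bytes are assumptions constructed for illustration.

```python
import re

# Assumption: placeholder for the vendor's legitimate check-in host(s).
EXPECTED_HOSTS = {"checkin.vendor.example"}

URL_RE = re.compile(rb"https?://([a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.I)


def embedded_hosts(blob):
    """Map each URL host found in blob to the XOR key that revealed it.

    Key 0 means the URL was stored in plain text. Trying every single-byte
    key is an assumption about how the agent's config might be obfuscated.
    """
    found = {}
    for key in range(256):
        decoded = bytes(b ^ key for b in blob)
        for match in URL_RE.finditer(decoded):
            found.setdefault(match.group(1).decode().lower(), key)
    return found


def unexpected_hosts(blob, expected=EXPECTED_HOSTS):
    """Return embedded check-in hosts that are not on the expected list."""
    return sorted(h for h in embedded_hosts(blob) if h not in expected)


def make_sample(url, key=0x5A):
    """Build a constructed stand-in for an agent binary (not a real file)."""
    config = bytes(b ^ key for b in url.encode() + b"\x00")
    return b"MZ" + b"\x90" * 32 + config + b"\x00" * 32


# Constructed samples: same code bytes, only the config URL differs.
CLEAN = make_sample("https://checkin.vendor.example/agent")
TAMPERED = make_sample("http://c2.rogue.example/agent")

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN), ("tampered", TAMPERED)):
        print(name, unexpected_hosts(blob) or "only expected hosts")
```

The same allowlist comparison can be applied to DNS or proxy logs for hosts running the agent, which does not depend on knowing how the configuration is stored.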
Arbor wasn't able to identify how APT28 distributed these tainted LoJack binaries to targets, but they believe hackers used spear-phishing emails —like most of their ops— to trick victims into installing the malicious LoJack versions on their systems.
Researchers also believe that APT28 might have been inspired by a Black Hat talk from 2014 [PDF], in which security researchers explored the idea of using the LoJack software, popular at the time, as an extremely persistent and modular backdoor.
The LoJack software is a product of Computrace, a company specializing in creating surveillance software. Back in 2010, the company was at the center of a media controversy when it was discovered that a Pennsylvania school district had installed one of its spyware-like apps, named LANrev, on student-issued laptops, allowing school officials to spy on children in their homes.