Fancy Bear Group Abused LoJack Agents in Recent Campaign

Delaware, USA – May 3, 2018 – Attackers from Fancy Bear group (aka APT28) slightly modified the legitimate application LoJack turning it into a multifunctional trojan. LoJack app is used by many companies to track the location of devices should they be stolen. Researchers from Arbor Networks discovered agents that send requests to and receive instructions from command & control servers used by Fancy Bear in previous campaigns. Changes in the software are insignificant, so most security solutions do not react to the threat in any way. LoJack app gives attackers an excellent opportunity to gain a foothold on an infected asset since its agent persists even after reinstalling the operating system or replacing the hard drive. Also, adversaries can use the agent to execute any code, download and run additional malware, steal data and remove traces of their activity. Researchers believe that Fancy Bear hasn’t started any malicious actions using this tool.

Methods of distribution are not yet determined, usually, the attackers use social engineering and spear-phishing emails. To secure your organization against this threat, you need to make sure that you have a non-hijacked LoJack version installed and block suspicious connections. Netflow Security Monitor can help you control traffic data flows in the organization’s network. Also, you can use APT Framework to detect malicious campaigns targeted your organization at various stages of the Cyber Kill Chain.