Delaware, USA – January 18, 2019 – New research has shown that the LoJax infrastructure is still not disabled, and attacks using this malware have continued for at least two years. In early May 2018, it became known that the Fancy Bear APT group had created an extremely persistent malware based on the code of the LoJack application, a tool that tracks the location of devices in case of theft. Last fall, the ESET team published a detailed report describing the LoJax UEFI rootkit and the campaign in which it was used. Cleaning an infected system of this malware is extremely difficult, since it hides in SPI flash memory and survives even replacement of the hard disk, and detecting its activity is a nearly impossible task. Each time an infected machine boots, LoJax drops cyberespionage tools from the Fancy Bear arsenal. Researchers at Netscout ASERT conducted an additional analysis of this rootkit and the infrastructure related to its attacks, finding that several C&C servers are still active. The researchers also stated that LoJax campaigns started in 2016, two years before the first malware sample was detected.
The last known campaign was aimed at government entities in Europe, but there is no information on previous or ongoing campaigns. At the moment, researchers know of two active servers, but they have also discovered a prepared "reserve" infrastructure that the adversaries can activate at any time. To detect LoJax malware activity, you can use free rules for your security solutions: https://tdm.socprime.com/tdm/info/1433/