Eight months after discovery, unkillable LoJax rootkit campaign remains active

By Dan Goodin

Stylized photo of desktop computer.

Last May, researchers published a bombshell report documenting sophisticated malware attributed to the Russian government. The malware, dubbed "LoJax," creates a persistent backdoor that survives operating system reinstalls and hard drive replacements. On Wednesday, researchers published new findings that indicate the campaign remains active.

LoJax in May became the first known case of a real-world attack harnessing the power of the Unified Extensible Firmware Interface boot system found in virtually all modern Windows computers. As software that bridges a PC’s firmware and its operating system, UEFI is essentially a lightweight operating system in its own right. That makes it a handy place to hide rootkits because once there a rootkit will remain in place even after an OS is reinstalled or a hard drive is replaced.

LoJack repurposed

LoJax gets its name from LoJack, an anti-theft product from developer Absolute Software. The rootkit is a modified version of a 2008 release of LoJack (then called Computrace). The anti-theft software achieved persistence by burrowing into the UEFI of the computer it was protecting. The design ensured that even if a thief made major changes to a computer’s hardware or software, a LoJack “small agent” would remain intact and be able to contact Absolute Software servers.

LoJax repurposes the LoJack software and exploits a key shortcoming—the lack of any means for the Absolute Software server to authenticate itself to the software. LoJax uses most of the working functionality of the legitimate anti-theft tool—a feature that long made it hard for antivirus software to detect the malware. The trojan makes modifications that cause it to connect to servers believed to be operated by Fancy Bear, a hacking group that works under the direction of the Russian government.

LoJax samples first came to light in the report Netscount (previously known as Arbor Networks) published in May 2018. In September, researchers from Eset documented LoJax samples and found at least one case in which the rootkit was successfully installed in the flash memory of a computer’s Serial Peripheral Interface.

Now Netscout is back with new research that analyzes new samples. They reveal some never-before-seen control server domains, at least two of which remain active now. The discovery also indicates that Fancy Bear’s LoJax started in late 2016.

“Continued diligence in tracking activity related to LoJax proved that the actors still maintain live C2 [command and control] servers and may have additional ongoing operations outside the in the wild use reported by ESET activity in September 2018, about 5 months after public reporting of LoJax,” Netscout researchers wrote. “Even with all of the publicity around Lojax, Fancy Bear operations have kept some of the originally identified C2 servers alive.”

The IP addresses that turned up in the analysis include:

  • 185.86.151[.]2
  • 169.239.128[.]133
  • 185.181.102[.]201
  • 46.21.147[.]76
  • 169.239.129[.]121
  • 46.21.147[.]71
  • 86.106.131[.]54

The first two remain active now. The same IP addresses appeared in research published in October by the UK’s National Cyber Security Center. Based on passive DNS searches of many of the IPs from that report, Netscout researchers believe they uncovered additional LoJax control server-to-domain mappings:

Netscout Researched Domain Mapping UK NCSC IP
UNKNOWN 185.86.148[.]184
moldstream[.]md 185.181.102[.]201
visualrates[.]com 169.239.129[.]121
regvirt[.]com 46.21.147[.]71
ntpstatistics[.]com 169.239.128[.]133
oiatribe[.]com 162.208.10[.]66
msfontserver[.]com 179.43.158[.]20
treckanalytics[.]com 94.177.12[.]150
unigymboom[.]com 185.86.151[.]2
sysanalyticweb[.]com 54.37.104[.]106
remotepx[.]net 85.204.124[.]77
vsnet[.]co 46.21.147[.]76
hp-apps[.]com 185.86.149[.]116
jflynci[.]com 185.86.151[.]104
peacefund[.]eu 185.183.107[.]40
elaxo[.]org 86.106.131[.]54
oiagives[.]com 162.208.10[.]66
UNKNOWN 93.113.131[.]103
webstp[.]com 185.94.191[.]65

The report went on to map specific domains to specific LoJax samples. It also provided the following recent IP-to-domain mappings, which Netscout assesses with moderate confidence are LoJax C2 domains either in use today or that were set aside for future use:

Scanner Found IP ASERT Researched Domain Mapping Last Active
185.86.151[.]2 unigymboom[.]com Current
169.239.128[.]133 ntpstatistics[.]com Current
185.181.102[.]201 moldstream[.]md Fall 2018
46.21.147[.]76 vsnet[.]co Fall 2018
169.239.129[.]121 visualrates[.]com Fall 2018

Both the ntpstatistics[.]com and unigymboom[.]com domains point to live control servers that can still be contacted by LoJax’s agents, Netscout researchers said.

The new findings suggest that the LoJax campaign remains active despite it coming to light. The above-linked Eset report provides a variety of indicators that people can use to determine if a computer is infected.