Security researchers from Arbor Networks' ASERT lab have found that the laptop recovery software LoJack appears to be used in a sophisticated, yet subtle, Russian state-sponsored attack scheme that gives the attackers remote code execution. The tool was created as an anti-theft program that lets a company remotely protect corporate information should its computers be stolen.
Because the agent is legitimate, widely trusted software, security solutions do not flag a tampered LoJack installation as malware activity, which makes it easy for attackers to intercept the agent's communication and get inside the computer.
Anyone with administrator privilege can use the software to locate and encrypt stolen computers, and delete information. Some devices have the tool by default.
"This is basically giving the attacker a foothold in an agency," Richard Hummel, manager of threat research at NETSCOUT Arbor's ASERT, said in an interview with Dark Reading. "There's no LoJack execution of files, but they could launch additional software at a later date."
According to the report published on Tuesday, the Fancy Bear hacking group was manipulating the software to hack into a company's network. Fancy Bear servers appear to have been communicating with a number of LoJack executables: the researchers found "LoJack agents containing command and control (C2) domains likely associated with Fancy Bear operations," the report reads.
"If they're on a critical system or the user is someone with high privileges, then they have a direct line into the enterprise," Hummel added. "With the permissions that LoJack requires, [the attackers] have permission to install whatever they want on the victims' machines."
It is not yet clear how the tampered agents are being delivered to victims, but the researchers believe the hackers used phishing techniques.
Fancy Bear has been widely covered in the news due to its strong association with Russian military intelligence and the attacks against the Democratic National Committee in the US.