Lojack Becomes a Double-Agent
(May 1, 2018)
ASERT researchers have discovered that an anti-theft software tool called “Lojack for Laptops,” is being used for malicious purposes by the Russian state-sponsored Advanced Persistent Threat group “APT28” (Fancy Bear, Pawn Storm). Researchers identified that the software was being used by APT28 actors when hijacked Lojack agents were observed pointing to domains known to be associated with the group. APT28 is using the hijacked Lojak agents to disguise their malicious activity to appear to originate from a legitimate source. At the time of this writing it is unknown how APT28 is initially infecting a target, however, it is known that APT28’s primary infection is typically spear phishing emails.
Recommendation: Defense in depth (layering of security mechanisms, redundancy, fail safe defense processes) is the best way to ensure safety from APTs, including a focus on both network and host based security. Prevention and detection capabilities should also be in place. Furthermore, all employees should be educated on the risks of spear phishing, and how to identify such attempts.
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.