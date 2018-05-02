LoJack software, designed to rat on computer thieves, appears to be serving a double purpose by also working with a Russian state-sponsored hacking team.

Several LoJack executables have been found to be communicating with unexpected domains that are suspected to be under the control of Fancy Bear, a hacking group associated with Russia's GRU military intelligence agency.

In a report published on Tuesday, security researchers from Netscout's Arbor Networks said they have found five LoJack agents (rpcnetp.exe) that point to four suspicious command-and-control domains, three of which have been associated with Fancy Bear in the past.

"Our analysis has revealed a small number of modified agents," said Hardik Modi, director of Arbor's Security Engineering & Response Team (ASERT), in an email to The Register. "This is consistent with a targeted operation. We're cooperating with numerous parties on this matter."

The finding is troubling because LoJack's software, in its anti-theft capacity, is designed to operate discreetly and to remain on systems where it has been installed even after hard drive replacement and system re-imaging.

The low-level access enjoyed by security applications, and the high-level of trust afforded to them, make programs like LoJack appealing targets for subversion.

ASERT observes that many anti-virus vendors mark LoJack executables as "not-a-virus" or "Risk Tool" rather than flagging them as potential malware.

Russian hackers previously used Kaspersky Lab's security software for similar ends.

Though designed to protect laptops from theft, LoJack implements only minimal security to safeguard its own data.

"The LoJack agent protects the hardcoded [command-and-control] URL using a single byte XOR key; however, according to researchers it blindly trusts the configuration content," the report says. "Once an attacker properly modifies this value then the double-agent is ready to go."

This weakness was raised in security research presented at the Black Hat conference in 2014.

At the time, researchers Vitaliy Kamlyuk, Sergey Belov and Anibal Sacco said that it would be easy to alter the registry configuration block, where the command-and-control URL is stored, to make the software communicate with a malicious domain.

ASERT said while it wasn't sure about the initial attack vector, Fancy Bear in the past has used phishing messages to deliver malware.

In statement emailed to The Register, a spokesperson for Absolute Software said the company was aware of the Arbor Networks report.

"We have spoken to Arbor regarding the claims in this report and are investigating this matter internally," a company spokesperson said. "At this time, we do not believe that this has impacted any customers or partners, but are taking every precaution to ensure any concerns are promptly addressed.” ®

