Lowjax city: Researchers crack open notorious Fancy Bear rootkit

UEFI malware has been in the wild for more than two years

bear

The Fancy Bear hacking group's Lojax rootkit is far from a one-off tool, and may have been active in the wild for years before it was first reported.

This is according to an analysis from Netscout's ASERT team, which took a deep dive into not only the malware itself, but also its command-and-control network and associated domains.

Spotted in May of last year, the Lojax rootkit takes portions of the LoJack anti-theft system and replaces them with surveillance and monitoring components. The result is a firmware-based malware that runs at a level the OS and traditional antivirus tools cannot touch.

By analysing the activity on the various domains associated with Fancy Bear and Lojax, researchers now believe that the infection kicked off nearly two years before researchers revealed it publicly.

"Based on the ongoing infrastructure analysis, ASERT assesses with moderate confidence that the Fancy Bear LoJax operation started in late 2016," the group wrote.

The rootkit also doesn't look to be an isolated incident or a one-off attack that Fancy Bear used for a specific group of targets.

The ASERT study found that while the number of currently command-and-control servers for Lojax infections had dwindled over the course of the (northern hemisphere) winter, from seven to just two, the Fancy Bear crew appears to have a number of additional command-and-control servers and IP addresses in their reserve, which are ready to deploy when needed.

"Even with all of the publicity around Lojax, Fancy Bear operations have kept some of the originally identified C2 servers alive," ASERT explained.

"The fact that C2 servers were still alive and had been reported back in September 2018, speaks to the necessity of making sure that organizations use the reported IoCs in their defensive operations, and underscores the importance of making sure they are not aged out of active defense operations too soon."

Together, the findings paint a much broader and more complex picture of Lojax than previously thought. Rather than a recently created tool that Fancy bear deployed against one set of targets, it now appears that Lojax has been running for quite some time with a fairly robust network of servers to support the infected machines.

This is not particularly good news when talking about a malware that is so hard to remove. You may just be better off binning your motherboard entirely. ®

Sponsored: What next after Netezza?

SUBSCRIBE TO OUR WEEKLY TECH NEWSLETTER




Biting the hand that feeds IT © 1998–2019