The Cybaze ZLab – Yoroi cyber security experts: APT28 Russian state-sponsored hackers are spreading a new variant of the Lojax (aka Double-Agent) malware. They use it to target government organizations in the Balkans and in Central and Eastern Europe.
There’s a new variant in the wild of the infamous Lojax (aka Double-Agent) malware. It has been discovered by the Cybaze ZLab – Yoroi cyber security experts. It’s the latest version of the well-known rootkit Double-Agent, previously analyzed by ESET researchers. Russian state-sponsored hackers of APT28 (aka Sednit, Fancy Bear, Pawn Storm, Sofacy and STRONTIUM) are using it to target government organizations in the Balkans and in Central and Eastern Europe, using different components of the malicious code. According to Security Affairs, the behaviour of the new variant is similar to that of the previous versions: it abuses the legitimate “Absolute Lojack” software to gain persistence on the infected system. Lojack is an anti-theft and geolocation product developed by Absolute Software Corporation, and it is pre-installed in the BIOS image of several Lenovo, HP, Dell, Fujitsu, Panasonic, Toshiba, and Asus machines. In the past, this software was known as “Computrace”.
The malicious code uses a C2 address unknown to the community and to the threat intelligence platforms until now
Despite its legitimate purpose, the Absolute Lojack software behaves like a rootkit (more precisely, a bootkit): its BIOS component forces the writing of a small agent named “rpcnetp.exe” into the system folder. The agent periodically contacts the Absolute server and reports the machine’s current position. When it starts, the malware copies itself into a new DLL: the resulting file is identical to the original one, except for some header flags. After this, the malicious code searches for components belonging to the legitimate software, which should already be installed on the machine, and tries to establish a connection with them over an RPC channel. If the Absolute Lojack components are not found, the malware terminates itself. Yoroi stated in its blog that the C2 address was unknown to the community and to threat intelligence platforms until now. The address is “regvirt.com”.
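The "copies itself into a DLL that differs only in header flags" behaviour described above gives a responder a cheap triage check: confirm that the dropped DLL is the agent executable with only its COFF Characteristics field touched. The following Python script is an added example written for this article; it is not code from the Cybaze ZLab – Yoroi analysis, from Security Affairs, or from ESET. It assumes that the header flag involved is the IMAGE_FILE_DLL bit (0x2000) of the COFF Characteristics field, and the sample inputs it builds with `build_minimal_pe` are constructed PE-shaped blobs, not real executables or malware samples. On a real case, pass the two recovered files as the two arguments.

```python
import struct

# COFF Characteristics bits from the PE/COFF specification (subset used for reporting).
CHARACTERISTIC_NAMES = {
    0x0001: "RELOCS_STRIPPED",
    0x0002: "EXECUTABLE_IMAGE",
    0x0020: "LARGE_ADDRESS_AWARE",
    0x0100: "32BIT_MACHINE",
    0x0200: "DEBUG_STRIPPED",
    0x2000: "DLL",
}
IMAGE_FILE_DLL = 0x2000  # assumption: the flag flipped between rpcnetp.exe and its DLL copy


def coff_characteristics_offset(data: bytes) -> int:
    """Return the file offset of the COFF Characteristics field after validating the MZ/PE signatures.

    Layout: e_lfanew at 0x3C -> "PE\\0\\0" (4 bytes) -> 20-byte COFF header whose last
    2 bytes are Characteristics, i.e. e_lfanew + 4 + 18.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing or truncated PE signature")
    return e_lfanew + 22


def characteristics(data: bytes) -> int:
    """Read the 16-bit COFF Characteristics value."""
    return struct.unpack_from("<H", data, coff_characteristics_offset(data))[0]


def compare_images(exe: bytes, dll: bytes):
    """Compare two PE images.

    Returns (changed_flags, other_bytes_differ): the names of the Characteristics bits that
    differ between the files, and whether anything outside that 16-bit field differs.
    """
    off_a, off_b = coff_characteristics_offset(exe), coff_characteristics_offset(dll)
    changed = characteristics(exe) ^ characteristics(dll)
    changed_flags = [CHARACTERISTIC_NAMES.get(1 << i, hex(1 << i))
                     for i in range(16) if changed & (1 << i)]
    # Zero the Characteristics field in both copies and compare everything else byte for byte.
    masked_a = exe[:off_a] + b"\0\0" + exe[off_a + 2:]
    masked_b = dll[:off_b] + b"\0\0" + dll[off_b + 2:]
    return changed_flags, masked_a != masked_b


def is_flag_only_dll_clone(exe: bytes, dll: bytes) -> bool:
    """True when `dll` is byte-identical to `exe` except that the DLL bit has been set on it."""
    changed_flags, other_differ = compare_images(exe, dll)
    dll_set = bool(characteristics(dll) & IMAGE_FILE_DLL)
    exe_set = bool(characteristics(exe) & IMAGE_FILE_DLL)
    return (not other_differ) and changed_flags == ["DLL"] and dll_set and not exe_set


def build_minimal_pe(chars: int, body: bytes = b"\x90" * 16) -> bytes:
    """Constructed PE-shaped test blob (not a real executable): a 0x40-byte MZ stub with
    e_lfanew = 0x40, the PE signature, a 20-byte COFF header (Machine = i386) and a body."""
    dos = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0x5C3A1B2D, 0, 0, 0, chars)
    return bytes(dos) + b"PE\0\0" + coff + body


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        exe, dll = (open(p, "rb").read() for p in sys.argv[1:3])
    else:
        # Constructed sample: the "DLL" is the EXE with only IMAGE_FILE_DLL added.
        exe = build_minimal_pe(0x0102)
        dll = build_minimal_pe(0x0102 | IMAGE_FILE_DLL)
    flags, other = compare_images(exe, dll)
    print("changed flags:", flags, "| other bytes differ:", other)
    print("flag-only DLL clone:", is_flag_only_dll_clone(exe, dll))
```

A verdict of `True` means the DLL carries no code of its own beyond the agent it was copied from, so hashing it separately adds no new indicator; a `False` with `other bytes differ` set means the sample deserves a full diff rather than the header-flip explanation.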