New variant of APT28 Lojax rootkit discovered

Hackers know a prime target when they spot one. Unfortunately, small-to-midsize businesses (SMBs) are often those prime targets. A lot of small business owners like to think that malicious attackers don’t have anything to gain by going after “the little guy,” or that they don’t have much to lose.

A new variant of the infamous APT28 Lojax (aka Double-Agent) has been discovered by the Cybaze ZLab – Yoroi team. It is the latest version of the well-known rootkit Double-Agent, previously analyzed by ESET researchers.

The behaviour of the Lojax sample appears similar to that of previous versions: it abuses the legitimate “Absolute Lojack” software to gain persistence on the infected system. Lojack is anti-theft and location-tracking software developed by Absolute Software Corporation, and it is pre-installed in the BIOS image of several Lenovo, HP, Dell, Fujitsu, Panasonic, Toshiba, and Asus machines. In the past, this software was known as “Computrace”.

Despite its legitimate purposes, the Absolute Lojack software acts like a rootkit (more precisely, a bootkit): its BIOS component forces the writing of a small agent named “rpcnetp.exe” into the system folder. The agent periodically contacts the Absolute server and sends it the machine’s current position.

That’s simply not the case. Sixty-one percent of SMBs have been hit by cyberattacks, and the average cost of those breaches has exceeded $1,000,000. Here are some of the easy ways that hackers barge their way into small business networks: malware, phishing, ransomware, spoofing and rootkits.

Malware is malicious software designed to infiltrate computer systems and extract any important information it might find. It comes in several different forms, including viruses, spyware, Trojans, rootkits, and worms.

The size of the malicious artefact is the same as that of the legitimate one, so the only manipulation seems to be the modification of the C2C address, in accordance with the findings of other firms that previously analyzed the malware.
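Because the modified agent keeps the size of the legitimate one, a size check will not flag it, while a hash comparison and an offset diff against a known-good copy will. The following is an added example, not code from the original analysis; the two 64-byte blobs and the host names in them are constructed stand-ins for the agent files.

```python
import hashlib


def diff_ranges(reference: bytes, suspect: bytes, gap: int = 8):
    """Return [(start, end)] ranges (end exclusive) where the blobs differ.

    Differing offsets closer than `gap` bytes are merged, so a replaced
    string shows up as one region rather than as scattered single bytes.
    """
    if len(reference) != len(suspect):
        raise ValueError("sizes differ; a plain offset diff is not meaningful")
    ranges = []
    for off, (a, b) in enumerate(zip(reference, suspect)):
        if a == b:
            continue
        if ranges and off - ranges[-1][1] < gap:
            ranges[-1][1] = off + 1          # extend the current region
        else:
            ranges.append([off, off + 1])    # start a new region
    return [tuple(r) for r in ranges]


def report(reference: bytes, suspect: bytes):
    """Summarise the hash comparison and each differing region for triage."""
    regions = [
        {
            "offset": start,
            "length": end - start,
            # Hex is kept because the changed bytes may not be printable.
            "reference": reference[start:end].hex(),
            "suspect": suspect[start:end].hex(),
        }
        for start, end in diff_ranges(reference, suspect)
    ]
    same = hashlib.sha256(reference).digest() == hashlib.sha256(suspect).digest()
    return {"same_sha256": same, "regions": regions}


# Constructed sample data (not real agent contents): same size, one field changed.
PAD = b"\x90" * 20
REFERENCE = b"MZ" + PAD + b"host=reference.example\x00" + PAD[:19]
SUSPECT = b"MZ" + PAD + b"host=modified.example\x00\x00" + PAD[:19]

if __name__ == "__main__":
    print(len(REFERENCE) == len(SUSPECT))    # identical size
    for region in report(REFERENCE, SUSPECT)["regions"]:
        print(region)
```
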