UPDATED 23:25 EST / MAY 02 2018


Notorious Russian hacking group targets LoJack anti-computer theft program

Notorious Russian hacking group Fancy Bear is believed to be behind an attack that hijacks a function within Absolute Software Corp.’s LoJack security tool to redirect data to malicious command-and-control servers.

Discovered by researchers at Netscout’s Arbor Networks, the attack targets installations of LoJack, an anti-computer theft program used by corporations and individuals to guard their assets, sort of a highly advanced version of Android’s “Find My Phone” feature. It allows users to trace the current location of their device – be it a laptop, PC, tablet or mobile phone – and delete files off the stolen device. It also offers a detection and recovery service that works with local authorities to retrieve the device wherever it is in the world.

The issue relates to the way the LoJack software communicates back to its C&C servers. According to the researchers, the LoJack agent protects the hardcoded C&C URL using a single-byte XOR key but blindly trusts the configuration content. As a result, Fancy Bear has found a way – speculated to be via a phishing campaign, given the group’s history of using that technique to fool users into giving up information or passwords – to have users run a file that changes the URL to a C&C server the hackers operate instead, giving them backdoor access to the infected computer.

Complicating the matter is that antivirus software can’t detect a hijacked installation because LoJack in its native state is a legitimate application.

“With low AV detection, the attacker now has an executable hiding in plain sight, a double-agent,” the researchers noted. “The attacker simply needs to stand up a rogue C&C server that simulates the LoJack communication protocols. Finally, LoJack’s ‘small agent’ allows for memory reads and writes which grant it remote backdoor functionality when coupled with a rogue C&C server.”

Fortunately, only five instances of the hijack have been discovered so far, but given that the method is in the wild, it may present a growing risk in the future. In a statement to The Register, Absolute said its staff had “spoken to Arbor regarding the claims in this report and are investigating this matter internally.” It added that “at this time, we do not believe that this has impacted any customers or partners, but are taking every precaution to ensure any concerns are promptly addressed.”

Until a patch from Absolute is forthcoming, network administrators can check to see if they have been affected by scanning for the domains used in the C&C hijack: elaxo[.]org, ikmtrust[.]com, lxwo[.]org and sysanalyticweb[.]com.
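The two defensive checks the article points to (inspecting an agent’s single-byte-XOR-protected configuration for an unexpected C&C URL, and scanning DNS logs for the four published domains) can be combined into one small scanner. The code below is an added example and is not Arbor Networks’ or Absolute’s code; it assumes nothing about the real agent’s file layout beyond what the article states (a hardcoded URL masked with a single-byte XOR key), so it simply tries all 256 keys and looks for anything that decodes to a URL. The sample agent blob, the DNS log lines and the `lojack-vendor.example` suffix are constructed placeholders.

```python
import re
from typing import Dict, List, Tuple
from urllib.parse import urlparse

# Rogue C&C domains reported in the article, written defanged ("[.]") in the
# text and un-defanged here so they can be compared against real DNS names.
ROGUE_DOMAINS = {
    d.replace("[.]", ".")
    for d in ("elaxo[.]org", "ikmtrust[.]com", "lxwo[.]org", "sysanalyticweb[.]com")
}

# Placeholder: replace with the vendor's documented agent hostnames. The
# article does not list the legitimate C&C hosts, so this is an assumption.
EXPECTED_SUFFIXES = ("lojack-vendor.example",)

# A decoded configuration is assumed to carry an http(s) URL; the real agent
# format is not documented on the page, so this is the example's assumption.
URL_RE = re.compile(rb"https?://[A-Za-z0-9.\-]+(?::\d+)?(?:/[A-Za-z0-9._\-/]*)?")


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key (self-inverse, so it both masks and unmasks)."""
    return bytes(b ^ key for b in data)


def find_xor_encoded_urls(blob: bytes) -> List[Tuple[int, str]]:
    """Try every single-byte key (0-255, so an unmasked URL is covered too) and
    return (key, url) pairs for anything that decodes to a URL."""
    hits = []
    for key in range(256):
        for m in URL_RE.finditer(xor_bytes(blob, key)):
            hits.append((key, m.group(0).decode("ascii")))
    return hits


def classify(blob: bytes) -> List[Dict[str, object]]:
    """Decode every URL found in the blob and give each a verdict: matches a
    published rogue domain, matches an expected vendor suffix, or unknown."""
    findings = []
    for key, url in find_xor_encoded_urls(blob):
        host = (urlparse(url).hostname or "").lower()
        if host in ROGUE_DOMAINS or any(host.endswith("." + d) for d in ROGUE_DOMAINS):
            verdict = "ROGUE (matches published IoC)"
        elif any(host == s or host.endswith("." + s) for s in EXPECTED_SUFFIXES):
            verdict = "expected"
        else:
            verdict = "unknown - review"
        findings.append({"key": key, "url": url, "host": host, "verdict": verdict})
    return findings


def scan_dns_log(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (client, qname) for DNS queries naming a rogue domain or a
    subdomain of one. Log format is the constructed "<ts> <client> <qname>"."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue
        qname = parts[2].rstrip(".").lower()
        if any(qname == d or qname.endswith("." + d) for d in ROGUE_DOMAINS):
            hits.append((parts[1], qname))
    return hits


def build_sample(url: bytes, key: int) -> bytes:
    """Constructed stand-in for an agent file: non-ASCII filler around a
    URL masked with the given single-byte XOR key."""
    filler = bytes(range(0x80, 0xA0))
    return filler + xor_bytes(url, key) + filler


# Constructed sample inputs (not real agent data or real logs).
SAMPLE_AGENT_BLOB = build_sample(b"http://elaxo.org/agent", 0x5A)
SAMPLE_DNS_LOG = [
    "2018-05-02T10:00:01Z 10.0.0.7 agent.lojack-vendor.example.",
    "2018-05-02T10:00:05Z 10.0.0.9 sysanalyticweb.com.",
    "2018-05-02T10:00:09Z 10.0.0.7 www.example.org.",
    "2018-05-02T10:01:13Z 10.0.0.12 cdn.lxwo.org.",
]

if __name__ == "__main__":
    for f in classify(SAMPLE_AGENT_BLOB):
        print(f"key=0x{f['key']:02x} url={f['url']} verdict={f['verdict']}")
    for client, qname in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"DNS hit: {client} queried {qname}")
```

Brute-forcing all 256 keys instead of assuming one avoids hardcoding a key that a future agent build might change, and key 0 covers the case where the configuration is not masked at all. The DNS check matches subdomains as well as the bare domains, since a rogue server can be hosted on any name under the published zones.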

Photo: Pixabay
