
Absolute lojack and dell






A new variant of the infamous APT28 Lojax (aka Double-Agent) has been discovered by the Yoroi-Cybaze ZLab researchers. It is the latest version of the well-known rootkit Double-Agent, previously analyzed by ESET researchers. The behavior of the Lojax sample seems to be similar to the previous versions and exploits the legitimate “Absolute Lojack” software to grant its persistence on the infected system. Lojack is an anti-theft and localization software developed by Absolute Software Corporation and it is pre-installed in the BIOS image of several Lenovo, HP, Dell, Fujitsu, Panasonic, Toshiba and Asus machines. Despite its legitimate purposes, the Absolute Lojack software acts like a rootkit (more precisely as a bootkit): its BIOS component forces the writing of a small agent named “rpcnetp.exe” into the system folder. In the past, this software was known as “Computrace”. The agent periodically contacts the Absolute server and sends it the current machine’s position. The control flow of the Lojack software is detailed in the following figure:

Figure 1.

The analysis performed links the sample to the notorious Russian group APT28, also known as “Fancy Bear” or “Sofacy”. The sample, in fact, triggers the Lojax YARA rule defined by Arbor Networks, allowing it to be classified as Double-Agent. The APT28 group has trojanized the “rpcnetp.exe” agent to spread it as a fake update of the legitimate software. However, the propagation vector is not clear yet. The size of the malicious artifact is the same as that of the legitimate one, so the only manipulation seems to be the modification of the C2 address, in agreement with other firms that previously analyzed the malware. When it starts, the malware copies itself into a new DLL: the final file is the same as the initial one except for some header flags. After this, Lojax searches for some components belonging to the legitimate software that should already be installed on the machine, with which it tries to establish a connection via an RPC channel. If the Absolute Lojack components are not found, the malware kills itself.

Through a static analysis of the sample we have discovered a new C2 address, unknown to the community and to the threat intelligence platforms until now. This address, ciphered using XOR encryption with a single-byte key 0xB5, was hidden in the section “.cdata”. After the decryption of the address, the result is “ ”, as shown in the figure below:

Figure 2.
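As an added example (not code from the original analysis or from Yoroi's tooling): a stdlib-only Python helper that walks a PE section table, pulls the “.cdata” section and XOR-decodes it with the 0xB5 key to list candidate plaintext strings such as the C2 address. The minimal PE image and the placeholder address “c2.placeholder.invalid/api” are constructed here for the demonstration, and the hand-rolled section parser is an assumption standing in for a library such as pefile.

```python
import re
import struct

KEY = 0xB5  # single-byte XOR key reported for the sample


def xor_decode(data: bytes, key: int = KEY) -> bytes:
    """XOR every byte with the single-byte key (the operation is its own inverse)."""
    return bytes(b ^ key for b in data)


def find_xor_strings(blob: bytes, key: int = KEY, min_len: int = 8) -> list:
    """Decode blob with key and return printable-ASCII runs of at least min_len."""
    decoded = xor_decode(blob, key)
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, decoded)]


def pe_section(image: bytes, name: str) -> bytes:
    """Return raw bytes of a named section: DOS header -> e_lfanew -> COFF -> section table."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE image")
    pe_off = struct.unpack_from("<I", image, 0x3C)[0]
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    n_sections = struct.unpack_from("<H", image, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", image, pe_off + 20)[0]
    table = pe_off + 24 + opt_size
    for i in range(n_sections):
        hdr = image[table + 40 * i:table + 40 * (i + 1)]
        raw_size, raw_ptr = struct.unpack_from("<II", hdr, 16)  # SizeOfRawData, PointerToRawData
        if hdr[:8].rstrip(b"\0") == name.encode():
            return image[raw_ptr:raw_ptr + raw_size]
    raise KeyError(name)


def recover_c2(image: bytes, section: str = ".cdata", key: int = KEY) -> list:
    """Pull the section, XOR-decode it and list candidate strings (the hidden C2 address)."""
    return find_xor_strings(pe_section(image, section), key)


def build_sample_image(secret: bytes = b"c2.placeholder.invalid/api") -> bytes:
    """Constructed test data (assumption, not the real sample): a minimal fake PE whose
    only section, '.cdata', holds the XOR-encoded secret between non-printable filler."""
    pe_off, table = 0x40, 0x40 + 24  # no optional header, so the section table follows COFF
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", pe_off)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0)
    payload = b"\0\1\2" + xor_decode(secret) + b"\0\0"  # filler decodes to non-printables
    hdr = b".cdata".ljust(8, b"\0") + struct.pack("<IIIIIIHHI", len(payload), 0x1000,
                                                   len(payload), table + 40, 0, 0, 0, 0, 0x40000040)
    return dos + coff + hdr + payload
```

On a real sample the same `recover_c2(open(path, "rb").read())` call lists every printable run the key reveals, so expect a few false positives next to the address.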
