Back to Blog
Computrace absolute lojack alternative6/26/2023 ![]() Finally, Lojack’s “small agent” allows for memory reads and writes which grant it remote backdoor functionality when coupled with a rogue C2 server. The attacker simply needs to stand up a rogue C2 server that simulates the Lojack communication protocols. Originally, the low AV detection, allowed the attacker to hide in plain sight, an effective double-agent. ![]() Looking on VirusTotal, some anti-virus vendors flag Lojack executables as ”unsafe”, but as noted as of May 3, many AV now flag the binaries as malware and DoubleAgent ( Figure 2).įigure 2: Virustotal AV Report of cf45ec807321d12f8df35fa434591460 ![]() Attackers are also concerned about AV detection. This is not the only aspect that makes Lojack an appealing target. Once an attacker properly modifies this value then the double-agent is ready to go. The Lojack agent protects the hardcoded C2 URL using a single byte XOR key however, according to researchers it blindly trusts the configuration content. The aforementioned researchers suggest the binary modification of the "small agent" is trivial. The agent achieves this persistence through a modular design as noted by Vitaliy Kamlyuk, Sergey Belov, and Anibal Sacco in a presentation at Blackhat, 2014 ( Figure 1): Figure 1: Lojack persistence mechanism (Paraphrased from …). Lojack can survive hard drive replacements and operating system (OS) re-imaging. Additionally, it can delete files, making it an effective laptop theft recovery and data wiping platform. LoJack for Laptops and Computrace are products of Absolute, not LoJack or CalAmp.Ībsolute Software, the creator of Lojack, says on its website ( ) that the agent can locate and lock a device remotely. Prior reports have misidentified LoJack instead of Absolute LoJack for Laptops, also known as Computrace.For customers who wish to confirm no legacy agents are present in their environment, we have published an advisory with steps to verify all installed agents are legitimate copies of the LoJack product. "The analysis of the samples provided by Arbor shows all were based on an illicitly modified old version of the LoJack agent from 2008 and no customers or partners have been impacted.May 4th 2018 – UPDATE FROM ABSOLUTE SOFTWARE:.– After the disclosure of the malicious Lojack binaries, many Anti-Virus vendors have been quick to respond in properly marking samples as "malware" and "DoubleAgent", rather than "Riskware" or "unsafe" ( Figure 2).However, Fancy Bear commonly uses phishing to deliver malware payloads as seen with Sedupload in late 2017. The distribution mechanism for the malicious Lojack samples remains unknown.Initially, the Lojack agents containing rogue C2 had low Anti-Virus (AV) detection which increased the probability of infection and subsequent successful C2 communication.Its continued use suggest attackers could have used it in long-running operations. Proof of concept in using Lojack as a backdoor or intrusion vector date back to 2014.ASERT researchers identified Lojack agents containing command and control (C2) domains likely associated with Fancy Bear operations.NOTE: Arbor APS enterprise security products detect and block on all activity noted in this report. Although the initial intrusion vector for this activity remains unknown, Fancy Bear often utilizes phishing email to deliver payloads. Lojack makes an excellent double-agent due to appearing as legit software while natively allowing remote code execution. ![]() Lojack, formally known as Computrace, is a legitimate laptop recovery solution used by a number of companies to protect their assets should they be stolen. They also target industries that do business with such organizations, such as defense contractors. Fancy Bear actors typically choose geopolitical targets, such as governments and international organizations. government have both attributed Fancy Bear activity to Russian espionage activity. These hijacked agents pointed to suspected Fancy Bear (a.k.a. ASERT recently discovered Lojack agents containing malicious C2s.
0 Comments
Read More
Leave a Reply. |