ASERT recently discovered Lojack agents containing malicious C2s. These hijacked agents pointed to suspected Fancy Bear (a.k.a. …) domains. […] government have both attributed Fancy Bear activity to Russian espionage activity. Fancy Bear actors typically choose geopolitical targets, such as governments and international organizations. They also target industries that do business with such organizations, such as defense contractors.

Lojack, formerly known as Computrace, is a legitimate laptop recovery solution used by a number of companies to protect their assets should they be stolen. Lojack makes an excellent double-agent because it appears to be legitimate software while natively allowing remote code execution. Although the initial intrusion vector for this activity remains unknown, Fancy Bear often utilizes phishing email to deliver payloads.

Absolute Software, the creator of Lojack, says on its website that the agent can locate and lock a device remotely. Additionally, it can delete files, making it an effective laptop theft recovery and data wiping platform. Lojack can survive hard drive replacements and operating system (OS) re-imaging. The agent achieves this persistence through a modular design, as noted by Vitaliy Kamlyuk, Sergey Belov, and Anibal Sacco in a presentation at Black Hat 2014 (Figure 1).

Figure 1: Lojack persistence mechanism (paraphrased from …).

The aforementioned researchers suggest that binary modification of the "small agent" is trivial. The Lojack agent protects the hardcoded C2 URL using a single-byte XOR key; however, according to the researchers, it blindly trusts the configuration content. Once an attacker properly modifies this value, the double-agent is ready to go: the attacker simply needs to stand up a rogue C2 server that simulates the Lojack communication protocols.

This is not the only aspect that makes Lojack an appealing target. Attackers are also concerned about AV detection. Originally, the low AV detection allowed the attacker to hide in plain sight, an effective double-agent. Looking on VirusTotal, some anti-virus vendors flag Lojack executables as "unsafe", but as noted as of May 3, many AV vendors now flag the binaries as malware and DoubleAgent (Figure 2).

Figure 2: VirusTotal AV report of cf45ec807321d12f8df35fa434591460.

Absolute's response to the findings:

"The analysis of the samples provided by Arbor shows all were based on an illicitly modified old version of the LoJack agent from 2008 and no customers or partners have been impacted. For customers who wish to confirm no legacy agents are present in their environment, we have published an advisory with steps to verify all installed agents are legitimate copies of the LoJack product. Prior reports have misidentified LoJack instead of Absolute LoJack for Laptops, also known as Computrace. LoJack for Laptops and Computrace are products of Absolute, not LoJack or CalAmp."
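The single-byte XOR protection of the C2 URL, combined with the agent's blind trust in its configuration, is the property a defender can audit for directly: recover the URL and check whose host it points to. The following is an added example and is not code from the ASERT post or from Absolute. It brute-forces all 256 single-byte keys over a configuration blob, recovers any URL the decoded bytes contain, and flags a URL whose host is not on an allowlist of expected vendor domains. The key 0x7A, the hostnames, the blob layout, the `xor_encode_config` builder and the `ALLOWLIST` are constructed assumptions for the demonstration; the real agent's config format and legitimate domains are not given on the page and are not used here.

```python
"""Audit a config blob for a single-byte-XOR-protected C2 URL and check
whether it points at an expected vendor host.

Added example, not the ASERT post's or Absolute's code. Every concrete
value below (key, domains, filler bytes) is constructed for illustration.
"""
import re
from urllib.parse import urlsplit

# Placeholder allowlist of vendor domains an unmodified agent should use.
# Constructed assumption: the real legitimate domains are not on the page.
ALLOWLIST = ("vendor-legit.invalid",)

# A plausible URL: scheme, then a run of printable ASCII, stopped by any
# non-printable byte (the terminator in the decoded blob).
URL_RE = re.compile(rb"https?://[\x21-\x7e]{4,}")


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte. Single-byte XOR is its own inverse."""
    return bytes(b ^ key for b in data)


def xor_encode_config(url: str, key: int) -> bytes:
    """Build a constructed sample config: a little filler, the URL, a NUL
    terminator, more filler, all XOR-encoded with `key`.
    This layout is an assumption made for the example, not the agent's."""
    plaintext = b"\x00" * 4 + url.encode("ascii") + b"\x00" + b"\xff" * 4
    return xor_bytes(plaintext, key)


def find_xor_encoded_urls(blob: bytes):
    """Try all 256 single-byte keys; return (key, offset, url) for every
    plausible URL found in the decoded bytes."""
    hits = []
    for key in range(256):
        decoded = xor_bytes(blob, key)
        for m in URL_RE.finditer(decoded):
            hits.append((key, m.start(), m.group().decode("ascii")))
    return hits


def host_of(url: str) -> str:
    """Hostname part of a URL, or '' if it cannot be parsed."""
    return urlsplit(url).hostname or ""


def is_expected_host(host: str, allowlist) -> bool:
    """True when host equals, or is a subdomain of, an allowlisted domain."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in allowlist)


def audit_config(blob: bytes, allowlist):
    """One finding per recovered URL: which key decoded it, where it sits,
    and whether its host is an allowlisted vendor domain."""
    findings = []
    for key, offset, url in find_xor_encoded_urls(blob):
        findings.append({
            "key": key,
            "offset": offset,
            "url": url,
            "expected": is_expected_host(host_of(url), allowlist),
        })
    return findings


if __name__ == "__main__":
    # Constructed tampered config: C2 host is not an allowlisted domain.
    tampered = xor_encode_config("http://c2-example.invalid/cfg", 0x7A)
    for f in audit_config(tampered, ALLOWLIST):
        status = "OK" if f["expected"] else "UNEXPECTED HOST"
        print(f"key=0x{f['key']:02x} offset={f['offset']} {f['url']} -> {status}")
```

Because the key space is only 256 values, the brute force costs nothing, and the allowlist comparison is what turns a decoded string into a finding; in practice the same routine would be pointed at the configuration region of each installed agent rather than at a constructed blob.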