#Absolute lojack wiki registration
The 46.21.147.71 ip address, instead, has been resolved since the first registration of the “” domain back in 2017. However, all the possible reported misuse of the ip address does not apparently match the ’s resolution time period. Other malicious activities related to the cybercrime threat actors have been reported through the ransomware tracker platform, where the ip is associated to several Locky ransomware distribution domains back in 2016. Also, it has resolved to a different ip address 209.99.40.226 during the 16th Oct 16 07th Nov time period, this address is related the Confluence Network ISP: that ip has been blacklisted for limited time by abuse.ch, between -19, and have been reported as malicious by the abuseipdb on december 2017. The domain hosts inactive inactive subdomains, such as pointing to the localhost address 127.0.0.1. Registrant Name: Tibor Kovacs Registrant Organization: Registrant Street: Vezer u 43 Registrant City: Budapest Registrant State/Province: Budapest Registrant Postal Code: 1141 Registrant Country: HU Registrant Phone: +36.361578632154 Registrant Phone Ext: Registrant Fax: Registrant Fax Ext: Registrant Email: The username part of the mailbox contains the same name and surname found in the Registrant name, with the addition of a terminal “r” tiborkovacs r, its not clear if this letter could be a clue usable to focus the investigation to an hypothetical profile of the registrant. The domain has been registered on 10th Oct 2017 by “Tibor Kovacs” ( ) and it’s handled by the “Shinjiru Technology Sdn Bhd” provider. This address, ciphered using XOR encryption with a single byte key 0xB5, was hidden in the section “.cdata”.Īfter the decryption of the address, the result is “ ”, as shown in the below figure:įigure 2. Through a static analysis of the sample we have discovered a new C2 address, unknown to the community and to the threat intelligence platforms until now. If the Absolute Lojack components are not found, the malware kills itself.
#Absolute lojack wiki software
After this, Lojax searches some components belonging to the legitimate software that should be already installed into the machine, with whom tries to establish a connection via RPC channel. When it starts, the malware copies itself into a new DLL: the final file is the same of the initial one except for some header flags. The size of the malicious artifact is the same of the legitimate one, so the only manipulation seems to the modification of the C2C address, in according with other firms that previously analyzed the malware. However, the propagation vector is not clear yet.
#Absolute lojack wiki update
The APT28 Group has trojanized the “rpcnetp.exe” agent to spread it as fake update of the legitimate software. The sample, in fact, triggers the Lojax YARA rule defined by Arbor Networks allowing to classify it as Double-Agent. The analysis performed links the sample to the notorious russian group APT28, also known as “Fancy Bear” or “Sofacy”. The control flow of the Lojack software is detailed in the following figure:įigure 1. The agent periodically contacts the Absolute server and sends to it the current machine’s position. In the past, this software was known as “Computrace”.ĭespite it’s legitimate purposes, the Absolute Lojack software acts like a rootkit (more precisely as a bootkit): its BIOS component forces the writing of a small agent named “rpcnetp.exe” into the system folder. Lojack is an anti-theft and localization software developed by Absolute Software Corporation and it is pre-installed in the BIOS image of several Lenovo, HP, Dell, Fujitsu, Panasonic, Toshiba and Asus machines. The behavior of the Lojax sample seems to be similar to the previous versions and exploits the legitimate “Absolute Lojack” software to grant its persistence on the infected system. It is the latest version of the well-known rootkit Double-Agent, previously analyzed by ESET researchers. A new variant of the infamous APT28 Lojax (aka Double-Agent) has been discovered by the Yoroi-Cybaze ZLab researchers.
0 kommentar(er)
