A new variant of the infamous APT28 LoJax (aka Double-Agent) UEFI rootkit has been spotted by the Cybaze-Yoroi ZLab team. LoJax is attributed to the APT28 group and is the latest iteration of the Double-Agent rootkit, which was previously analysed in depth by ESET security researchers.
The new sample behaves much like the earlier LoJax versions: it abuses Absolute Software's LoJack software to gain persistence on the targeted system. LoJack is an anti-theft product developed and marketed by Absolute Software, and it ships preinstalled in the system BIOS/UEFI firmware of many laptops from vendors such as Dell, HP, Toshiba, Panasonic, Fujitsu and ASUS.
Whatever its intended purpose, the LoJack firmware module forcibly drops a small agent executable called "rpcnetp.exe" into the system folder. The agent periodically contacts Absolute's servers so that Absolute Software can track the computer's location, without the user's knowledge.
Control flow of LoJack (image source: ESET)
So how does the LoJax rootkit work?
LoJax is a repackaged version of Absolute Software's original LoJack. The legitimate software persists even after a full system wipe or a hard-drive replacement, and that is by design: its job is to keep tracking a licensed device after it has been stolen. LoJax inherits exactly that persistence.
LoJax uses a kernel driver named "RwDrv.sys" to gain access to the UEFI/BIOS settings. The driver is bundled with RWEverything, a legitimate utility for reading and writing low-level hardware settings. Three more tools take part in the LoJax infection process:
- The first tool uses the RWEverything driver to dump the low-level platform settings into a text file. Bypassing the platform's protection against unauthorised firmware writes requires this knowledge of the specific system.
- The second tool reads the SPI flash memory, which hosts the UEFI/BIOS firmware, and saves it as an image file.
- The third tool adds the malicious UEFI module to that image and writes the modified image back to the SPI flash.
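The second and third tools operate on a dump of the SPI flash, which is a sequence of UEFI firmware volumes holding FFS files; the defender's counterpart is to dump the flash yourself and diff it against a known-good image. The Python script below is an added example, not code from the original post, from ESET or from Yoroi: it parses the first firmware volume header and the FFS file headers in a dump, verifies their checksums, and lists every file absent from a baseline image. The GUIDs, file bodies and the `build_fv` helper that constructs the two sample images are assumptions made for this example; a real image is read from the flash with a tool such as CHIPSEC or flashrom and contains several volumes with compressed sections, which this minimal parser does not descend into.

```python
"""Diff the FFS file list of a UEFI firmware-volume dump against a known-good
image, to spot a module added to the SPI flash (the LoJax write-back step).
Added example; GUIDs, file bodies and the build_fv helper are constructed here."""
import struct
import uuid

FV_SIGNATURE = b"_FVH"          # EFI_FIRMWARE_VOLUME_HEADER.Signature, at header offset 40
FV_HEADER_LEN = 72              # 56-byte fixed header + one block-map entry + terminator
FFS_HEADER_LEN = 24             # EFI_FFS_FILE_HEADER
FFS_TYPE_NAMES = {0x01: "RAW", 0x02: "FREEFORM", 0x04: "PEI_CORE", 0x05: "DXE_CORE",
                  0x06: "PEIM", 0x07: "DRIVER", 0x09: "APPLICATION", 0xF0: "FFS_PAD"}
FFS2_GUID = uuid.UUID("8c8ce578-8a3d-4f1c-9935-896185c32dd3")  # EFI_FIRMWARE_FILE_SYSTEM2_GUID


def _align8(n):
    return (n + 7) & ~7


def _ffs_header(guid, ftype, body_len):
    """24-byte EFI_FFS_FILE_HEADER with a valid 8-bit header checksum."""
    size = FFS_HEADER_LEN + body_len
    hdr = bytearray(guid.bytes_le + b"\x00\x00" + bytes([ftype, 0x00])
                    + size.to_bytes(3, "little") + b"\x00")
    hdr[16] = (-sum(hdr)) & 0xFF   # header bytes (File checksum and State taken as 0) sum to 0
    hdr[17] = 0xAA                 # fixed file checksum when FFS_ATTRIB_CHECKSUM is clear
    hdr[23] = 0xF8                 # state: header and data valid, erase polarity 1
    return bytes(hdr)


def build_fv(files):
    """Build a firmware volume from (guid, type, body) tuples. Sample-data helper for
    this example only; a real image is dumped from the SPI flash."""
    body = bytearray()
    for guid, ftype, data in files:
        body += _ffs_header(guid, ftype, len(data)) + data
        body += b"\xFF" * (_align8(len(body)) - len(body))   # files are 8-byte aligned
    fv_len = FV_HEADER_LEN + len(body)
    hdr = bytearray(16)                                      # ZeroVector
    hdr += FFS2_GUID.bytes_le                                # FileSystemGuid
    hdr += struct.pack("<QII", fv_len, int.from_bytes(FV_SIGNATURE, "little"), 0x0004FEFF)
    hdr += struct.pack("<HHHBB", FV_HEADER_LEN, 0, 0, 0, 2)  # HeaderLength, Checksum, ExtHdrOff, Reserved, Revision
    hdr += struct.pack("<IIII", 1, fv_len, 0, 0)             # block map: one block, then terminator
    words = sum(struct.unpack("<%dH" % (len(hdr) // 2), hdr))
    struct.pack_into("<H", hdr, 50, (-words) & 0xFFFF)       # 16-bit header checksum
    return bytes(hdr + body)


def parse_fv(image):
    """Return [(guid, type, offset, size)] for each FFS file in the first firmware
    volume of `image`; raises ValueError if a header checksum does not verify."""
    pos = image.find(FV_SIGNATURE)
    if pos < 40:
        raise ValueError("no _FVH signature found")
    fv = pos - 40
    fv_len, = struct.unpack_from("<Q", image, fv + 32)
    hdr_len, = struct.unpack_from("<H", image, fv + 48)
    if sum(struct.unpack_from("<%dH" % (hdr_len // 2), image, fv)) & 0xFFFF:
        raise ValueError("firmware volume header checksum mismatch")
    files, off, end = [], fv + hdr_len, fv + fv_len
    while off + FFS_HEADER_LEN <= end:
        hdr = image[off:off + FFS_HEADER_LEN]
        if hdr[:16] == b"\xFF" * 16:            # erased space: no more files
            break
        if (sum(hdr) - hdr[17] - hdr[23]) & 0xFF:
            raise ValueError("FFS header checksum mismatch at 0x%x" % off)
        size = int.from_bytes(hdr[20:23], "little")
        files.append((uuid.UUID(bytes_le=bytes(hdr[:16])), hdr[18], off, size))
        off = fv + _align8(off + size - fv)    # next file, aligned relative to the volume
    return files


def diff_fv(baseline, suspect):
    """Files present in `suspect` but absent from `baseline`, by GUID. A DRIVER
    (DXE) file the vendor image never shipped is the pattern to investigate."""
    known = {g for g, _, _, _ in parse_fv(baseline)}
    return [(g, FFS_TYPE_NAMES.get(t, hex(t)), off, size)
            for g, t, off, size in parse_fv(suspect) if g not in known]


# Constructed sample images (not real vendor firmware; the implant GUID is made up).
VENDOR_FILES = [
    (uuid.UUID("11111111-2222-4333-8444-555555555555"), 0x05, b"DXE core stub"),
    (uuid.UUID("66666666-7777-4888-8999-aaaaaaaaaaaa"), 0x07, b"vendor driver stub"),
]
IMPLANT = (uuid.UUID("deadbeef-0000-4000-8000-000000000000"), 0x07, b"implanted driver stub")
CLEAN_IMAGE = build_fv(VENDOR_FILES)
TAMPERED_IMAGE = build_fv(VENDOR_FILES + [IMPLANT])

if __name__ == "__main__":
    for guid, kind, off, size in diff_fv(CLEAN_IMAGE, TAMPERED_IMAGE):
        print("unexpected %s file %s at offset 0x%x (%d bytes)" % (kind, guid, off, size))
```

Diffing by GUID catches an added module but not a replaced one; for a real dump, compare file hashes against the vendor's published image as well, and treat any checksum failure as a reason to look closer rather than a reason to skip the file.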
To defend against LoJax, users should enable Secure Boot, which is found in the system's UEFI firmware settings and is available on any reasonably recent UEFI platform. With Secure Boot enabled, every firmware component loaded during boot must carry a valid signature, so an unsigned module added to the flash image will be refused. Note that Secure Boot protects the boot chain only; it is not a defence against ransomware or other malware that runs inside the operating system.