November 17, 2018

The Cybaze ZLab- Yoroi team spotted the latest version of APT28 Lojax rootkit aka Double-Agent

A new type of the infamous APT28 Lojax (aka Double-Agent) has been spotted by Cybaze Z Lab – Yoroi team. APT28 is the latest version of Double-Agent rootkit. This rootkit previously analysed by ESET security researcher.

It seems to be the similar behavior of the latest Lojax with the previous versions and exploits the (Absolute Low jack) software to grant the persistence on the targeted system. Low jack known as anti theft software developed and marketed by Absolute Software Company. It comes with many laptops like Dell, HP, Toshiba, Panasonic, Fujitsu, ASUS as a preinstalled state in system BIOS.
Despite its original purpose, the Low Jack software forcibly creates one small agent executable called “rpcnetp.exe” inside the system folder. The agent continuously contact with the absolute server in periodic manner to let the Absolute Software know the computer position without the user’s knowledge.

Control flow of Low jack:
Image Source: ESET
Now the question is how does the LowJax rootkit works?
Lowjax exits with the repackage version of the original Absolute Software’s Low Jack. The actual software can persist even after entire system wipe or replacing the hard drive. The original purpose is legitimate because the agenda is to keep track on the license even after the device is stolen.
Lojax uses a kernel driver named as “RwDrv.sys”, to get the access to UEFI/BIOS settings. Which is bundled with RWEverything, a useful tool to read the low level (bits level) computer settings. There are three more tools comes in Lojax rootkit infection process:

  • ·         The first tool dumps the computer settings inside a text file reading from RWEverything and Bypass the system protection against the malicious firmware upgrade needs knowledge of the system.

  • ·           The second tool copy the SPI flash memory and creates an image file. SPI mainly hosts the UEFI/BIOS.

  • ·         A third tool then writes the malicious module inside the image and save it back inside the flash memory.

For preventing Lojax rootkit user should always boot their system in secure boot mode. You can easily get that option in System BIOS settings. However this feature comes with latest UEFI/BIOS. Enabling this option can also help you to protect your system from ransomware as well.

1 comment:

  1. Thanks for publishing such best knowledge with us. You are doing such a great job. This info is very helpful for everyone. Keep it up. Thanks.Read more info about affordable business phone system