Russian APT Group Fancy Bear (APT28) Distributes Malicious Versions of LoJack Software
Researchers at Arbor Networks detected modified versions of legitimate LoJack applications that appear to be associated with the Russian APT group Fancy Bear, also tracked as APT28 and Sofacy. LoJack software is used by organizations and individuals to track and locate devices in case of theft and, by default, comes with a built-in persistence mechanism. The altered versions contain minor modifications to the application's binary that enable connections to remote C2 domains believed to be associated with Fancy Bear operations. Because the alterations are minor, many antivirus products do not detect the affected versions. Although the distribution method is currently unknown, the malicious LoJack applications are likely delivered via spear-phishing emails crafted to trick recipients into downloading and installing LoJack.

The NJCCIC recommends that network administrators review the Arbor Networks report and scan their networks for the associated IoCs. We also strongly recommend that all email users maintain awareness of emerging phishing campaigns and avoid clicking on links or opening attachments delivered with unexpected or unsolicited emails. If any end users have taken action on emails from this campaign, isolate the affected system from the network immediately and perform a full system scan using a reputable anti-malware solution. Proactively monitor and change passwords for any financial, personal, or business accounts accessed from infected systems and enable multi-factor authentication where available.
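Because the modifications are small enough to slip past signature-based antivirus, one practical check is a byte-level comparison of a suspect agent binary against a vendor-supplied known-good copy of the same build. The example below is added here and is not code from the NJCCIC advisory or the Arbor report; it reports each patched region and the domain-like strings the patch removed or introduced. The sample bytes and the domain names in it are constructed placeholders, not indicators from the report.

```python
"""Added example: diff a suspect binary against a known-good copy of the same build
and report patched regions plus domain-like strings removed or introduced by them.
The byte strings and domains below are constructed stand-ins, not real IoCs."""
import hashlib
import re
from dataclasses import dataclass, field

# Loose matcher for printable host names embedded in a binary (lower-cased input).
DOMAIN_RE = re.compile(rb"[a-z0-9][a-z0-9.-]{2,}\.[a-z]{2,}")


@dataclass
class Patch:
    offset: int
    length: int
    removed_domains: list = field(default_factory=list)
    added_domains: list = field(default_factory=list)


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def patched_regions(good: bytes, suspect: bytes, gap: int = 16) -> list:
    """Group differing byte offsets into (offset, length) regions. Diffs no more
    than `gap` bytes apart merge, so a replaced string that happens to share a
    few bytes with the original still counts as one patch."""
    if len(good) != len(suspect):
        raise ValueError("different sizes: not a byte patch of the same build")
    regions, start, last = [], None, None
    for i, (a, b) in enumerate(zip(good, suspect)):
        if a == b:
            continue
        if start is not None and i - last > gap:
            regions.append((start, last - start + 1))
            start = None
        if start is None:
            start = i
        last = i
    if start is not None:
        regions.append((start, last - start + 1))
    return regions


def domains_in(data: bytes) -> list:
    return sorted({d.decode() for d in DOMAIN_RE.findall(data.lower())})


def analyze(good: bytes, suspect: bytes, context: int = 32) -> list:
    """One Patch per modified region, with domains seen in a window around it."""
    if sha256(good) == sha256(suspect):
        return []
    out = []
    for off, ln in patched_regions(good, suspect):
        lo, hi = max(0, off - context), min(len(good), off + ln + context)
        before, after = domains_in(good[lo:hi]), domains_in(suspect[lo:hi])
        out.append(Patch(off, ln, [d for d in before if d not in after],
                         [d for d in after if d not in before]))
    return out


# Constructed sample: the only change is the callback domain in a config field.
GOOD = b"MZ\x90\x00" + b"\x00" * 12 + b"CFG:" + b"agent.legit-vendor.example".ljust(40, b"\x00") + b"END"
SUSPECT = b"MZ\x90\x00" + b"\x00" * 12 + b"CFG:" + b"c2-placeholder.example".ljust(40, b"\x00") + b"END"

if __name__ == "__main__":
    for p in analyze(GOOD, SUSPECT):
        print(f"patched {p.length} bytes at 0x{p.offset:x}: -{p.removed_domains} +{p.added_domains}")
```

A clean comparison requires the known-good copy to be the identical version and build as the suspect file; a version mismatch shows up as a size difference and is reported as such rather than as a patch.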