ASERT recently discovered Lojack agents containing malicious C2s. These hijacked agents pointed to suspected Fancy Bear (a.k.a. APT28, Pawn Storm) domains. The InfoSec community and the U.S. government have both attributed Fancy Bear activity to Russian espionage activity. Fancy Bear actors typically choose geopolitical targets, such as governments and international organizations. They also target industries that do business with such organizations, such as defense contractors. Lojack, formally known as Computrace, is a legitimate laptop recovery solution used by a number of companies to protect their assets should they be stolen. Lojack makes an excellent double-agent due to appearing as legit software while natively allowing remote code execution. Although the initial intrusion vector for this activity remains unknown, Fancy Bear often utilizes phishing email to deliver payloads.
Wikipedia on LoJack: “Analysis of Computrace by Kaspersky Lab shows that in rare cases, the software was preactivated without user authorization. The software agent behaves like rootkit (bootkit), reinstalling a small installer agent into the Windows OS at boot time. This installer later downloads the full agent from Absolute’s servers via the internet. This installer (small agent) is vulnerable to certain local attacks and attacks from hackers who can control network communications of the victim.”