Danger level 8
Type: Trojans
Common infection symptoms:
  • Slow Computer
  • System crashes
  • Slow internet connection
  • Normal system programs crash immediately
  • Connects to the internet without permission
  • Installs itself without permissions
  • Can't be uninstalled via Control Panel


LoJax is an extremely vicious threat that is used to gain access to computers belonging to government institutions or other important organizations. Our researchers say the malicious application is technically capable of doing anything; for example, if its creators wanted to steal information from the infected device or spy on its user, they could. Even though it is doubtful it could attack computers of regular users, we will still explain below how it should be removed in both cases. However, keep in mind that because the infection is both a Trojan and a rootkit, erasing it from the computer will not be easy. Further in the text, we will discuss how the malicious application works, why LoJax is so dangerous, and why it is best to remove it the moment you realize it is on the system.

Understanding how the malware could be distributed and what conditions it needs to enter the system is crucial too, which is why we start the report by explaining how LoJax might settle in. It looks like the malicious application could be distributed in several different ways: for example, it might be spread through unsecured RDP (Remote Desktop Protocol) connections or spam emails, or it could be dropped on the system by another Trojan. Those trying to avoid the rootkit should also know that it can enter the system by exploiting the system’s vulnerabilities. To be more precise, it looks like the malware infects old or misconfigured systems that could have outdated BIOS/UEFI firmware. Consequently, to prevent the malicious application from entering the computer, it would be wise to update your device’s firmware. Our researchers also recommend enabling Secure Boot in the BIOS/UEFI settings, as it could make it more difficult for the threat to enter the system.

Furthermore, it is believed the name LoJax comes from the name of a specific legitimate application the malware pretends to be in order to enter the targeted computers. To be more precise, the rootkit might try to disguise itself as a legitimate anti-theft program known as LoJack, which is one of the reasons why it might be so difficult to detect this malware. Apparently, its primary goal is to remain unnoticed and execute commands sent by the malicious application's developers when needed. As we mentioned at the beginning of the article, the rootkit is extremely capable and could perform numerous different tasks, such as installing more infections on the computer, copying or deleting data available on the infected device, and so on. This is why it is crucial to eliminate the Trojan as soon as possible. At the moment of writing, it seems the threat could be targeted at organizations located in the Balkans and Central or Eastern Europe. Organizations using misconfigured or old devices that could be vulnerable to LoJax are therefore advised to check their systems just in case.

According to our researchers, the reason LoJax is so vicious is that it has unique rootkit capabilities that make it extremely difficult to remove. It would seem the malicious application creates a malicious executable file with the same name as the earlier mentioned legitimate tool’s launcher (rpcnetp.exe). This file is responsible for keeping the Trojan running, and if it fails, the malware connects to its C&C server to download data that would help with the task. The downloaded malicious code is then turned into a .dll file and loaded into memory, which results in launching infected svchost.exe and iexplore.exe processes and ensuring the rootkit keeps running.
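The process chain described above can be turned into a triage check over process-creation telemetry. The following is an added example, not code from the original article or from any vendor: it flags svchost.exe and iexplore.exe processes that descend from rpcnetp.exe. It assumes the launched processes appear as descendants of the launcher in the log; the CSV layout, paths and PIDs are constructed sample data, and because the file name matches the legitimate tool's launcher, a hit is a lead for review rather than a verdict.

```python
import csv
import io
import ntpath

# Constructed process-creation events (pid, ppid, image), in the shape an EDR
# or Sysmon export might have. Paths and PIDs are sample values, not IoCs.
SAMPLE_EVENTS = r"""pid,ppid,image
4,0,System
600,4,C:\Windows\System32\services.exe
812,600,C:\Windows\System32\svchost.exe
1500,600,C:\Sample\rpcnetp.exe
2340,1500,C:\Windows\System32\svchost.exe
2688,2340,C:\Program Files\Internet Explorer\iexplore.exe
900,700,C:\Windows\explorer.exe
3100,900,C:\Program Files\Internet Explorer\iexplore.exe
"""

LAUNCHER = "rpcnetp.exe"                  # launcher name given in the article
HOSTS = {"svchost.exe", "iexplore.exe"}   # processes the article says it launches


def load_events(text):
    """Parse the CSV into {pid: (ppid, lower-cased image base name)}."""
    rows = csv.DictReader(io.StringIO(text))
    return {int(r["pid"]): (int(r["ppid"]), ntpath.basename(r["image"]).lower())
            for r in rows}


def ancestry(procs, pid):
    """Return image names from pid up to the root; stop on unknown parents or loops."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        pid, name = procs[pid]
        chain.append(name)
    return chain


def find_chains(procs):
    """Flag svchost.exe/iexplore.exe processes that descend from the launcher."""
    hits = []
    for pid in sorted(procs):
        chain = ancestry(procs, pid)
        if chain[0] in HOSTS and LAUNCHER in chain[1:]:
            depth = chain.index(LAUNCHER, 1)
            hits.append((pid, " <- ".join(chain[:depth + 1])))
    return hits


if __name__ == "__main__":
    for pid, chain in find_chains(load_events(SAMPLE_EVENTS)):
        print(f"review pid {pid}: {chain}")
```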

Unfortunately, because of this, it seems it is impossible to get rid of the threat without changing the computer’s motherboard or flashing the BIOS/UEFI. It is important to know that flashing, or in other words reprogramming, the computer’s BIOS/UEFI is a complicated process, and if you do not have any experience, you could damage the device instead of helping it. This is why we do not recommend this option for regular computer users. Organizations, on the other hand, might have IT specialists who could complete this task successfully, in which case flashing the BIOS/UEFI instead of replacing the computer’s motherboard might be better.

Erase LoJax

  1. Organizations could ask their IT specialists to flash the infected computer’s BIOS/UEFI.
  2. As for regular home users, we would recommend replacing the infected device’s motherboard.