Hacking group abuses antivirus software to launch LODEINFO malware


The Chinese Cicada hacking group, tracked as APT10, was observed abusing security software to install a new version of the LODEINFO malware against Japanese organizations.

The targeted entities are media groups, diplomatic agencies, government and public sector organizations, and think tanks in Japan, all high-interest targets for cyberespionage.

According to Kaspersky, whose analysts have been following APT10's operations in Japan since 2019, the threat actors are constantly evolving their infection tactics and their custom backdoor, 'LODEINFO,' to make detection much harder.

The cybersecurity company has published two reports, one illustrating APT10's new infection chain methods and a second focusing on the evolution of LODEINFO.

Abusing security software

Starting in March 2022, Kaspersky noticed that the APT10 attacks in Japan used a new infection vector, combining a spear-phishing email, a self-extracting (SFX) RAR file, and abuse of a DLL side-loading flaw in security software.

The RAR archive contains the legitimate K7Security Suite software executable, NRTOLD.exe, and a malicious DLL named K7SysMn1.dll. When NRTOLD.exe is executed, it will attempt to load the legitimate K7SysMn1.dll file that is normally included in the software suite.

However, the executable does not look for the DLL in a specific folder and thus allows malware developers to create a malicious DLL using the same name as K7SysMn1.dll.

If the malicious DLL is stored in the same folder as the legitimate executable, when launched, the executable will load the malicious DLL, which contains the LODEINFO malware.

Because the malware is side-loaded using a legitimate security application, other security software may not detect it as malicious.
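The side-loading described above leaves a simple artifact on disk: a DLL carrying a vendor's file name, sitting next to an executable, but not matching any build the vendor actually ships. The following Python script is an added example (not code from the article or from Kaspersky's report) of the check a defender can run over an extraction or download directory. It assumes a caller-supplied allow-list of known-good SHA-256 hashes per watched DLL name; the K7SysMn1.dll and NRTOLD.exe names come from the article, while the directory layout, stub file contents and hashes in the demo are constructed.

```python
"""Flag DLL side-loading candidates: a DLL whose name matches a watched vendor
DLL, sitting beside an executable, but whose hash is not on the known-good list."""
import hashlib
import os
import tempfile
from pathlib import Path

# Watched DLL names (lower-case) -> set of known-good SHA-256 hashes.
# The K7SysMn1.dll entry is the name from the article; the hash set must be
# filled in by the caller (e.g. from the vendor's signed package). An empty
# set means "no trusted build known yet", so every copy is reported.
WATCHED_DLLS: dict[str, set[str]] = {"k7sysmn1.dll": set()}


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(1 << 16), b""):
            h.update(block)
    return h.hexdigest()


def find_sideload_candidates(root: Path, watched: dict[str, set[str]]) -> list[dict]:
    """Walk `root`; report every watched DLL that is not a known-good build and
    shares its directory with at least one .exe (the host that would load it)."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        exes = [f for f in files if f.lower().endswith(".exe")]
        if not exes:
            continue  # a lone DLL has no host executable to be side-loaded by
        for name in files:
            good = watched.get(name.lower())
            if good is None:
                continue  # not a DLL name we track
            dll = Path(dirpath) / name
            digest = sha256_of(dll)
            if digest in good:
                continue  # matches a trusted build of the vendor DLL
            findings.append({
                "dll": str(dll),
                "sha256": digest,
                "host_executables": sorted(exes),
                "reason": "watched DLL name beside an executable, hash not in allow-list",
            })
    return findings


def demo() -> tuple[int, int]:
    """Constructed scenario: an SFX-style drop folder holding a host .exe and an
    untrusted K7SysMn1.dll, then the same folder once that DLL's hash is allow-listed."""
    with tempfile.TemporaryDirectory() as tmp:
        drop = Path(tmp) / "extracted"
        drop.mkdir()
        (drop / "NRTOLD.exe").write_bytes(b"MZ-constructed-host-stub")
        dll = drop / "K7SysMn1.dll"
        dll.write_bytes(b"MZ-constructed-untrusted-dll")
        before = len(find_sideload_candidates(Path(tmp), {"k7sysmn1.dll": set()}))
        trusted = {"k7sysmn1.dll": {sha256_of(dll)}}
        after = len(find_sideload_candidates(Path(tmp), trusted))
    return before, after


if __name__ == "__main__":
    print(demo())  # (1, 0)
```

The hash allow-list is the part that does the work: a name match alone would flag every legitimate K7 installation, so the script only reports copies that are not a build the defender has already vetted. Pointing it at user-writable locations (temporary extraction folders, download directories) where a vendor executable has no business living gives the cleanest signal.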

“K7SysMn1.dll contains a BLOB with an obfuscated routine not observed in past activities,” explains Kaspersky in the report.

“The embedded BLOB is divided into four-byte chunks, and each part is stored in one of the 50 randomly named export functions of the DLL binary.”

“These export functions reconstruct the BLOB in an allocated buffer and then decode the LODEINFO shellcode using a one-byte XOR key.”

Payload assembly from BLOBs (Kaspersky)
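The reassembly and decoding steps Kaspersky describes are exactly the ones an analyst reverses when pulling the payload out of a sample. The following Python helper is an added example, not code from the article or from Kaspersky; it assumes the order of the four-byte chunks is already known from the DLL's own reconstruction routine, recovers the one-byte XOR key either from a known plaintext prefix or by exhaustive search, and uses constructed marker text in place of any real payload.

```python
"""Analyst helper: reassemble a payload that was split into fixed-size chunks
and recover/undo a single-byte XOR layer. Chunk ordering is assumed to be
already known from the sample's reconstruction routine."""
from typing import Callable, Optional

CHUNK_SIZE = 4  # four-byte pieces, as described for K7SysMn1.dll


def reassemble_blob(chunks: list[bytes]) -> bytes:
    """Concatenate chunks in the order the reconstruction routine uses."""
    if any(len(c) > CHUNK_SIZE for c in chunks):
        raise ValueError("chunk larger than expected chunk size")
    return b"".join(chunks)


def xor_single_byte(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte; the operation is its own inverse."""
    if not 0 <= key <= 0xFF:
        raise ValueError("one-byte key required")
    return bytes(b ^ key for b in data)


def recover_key(blob: bytes, known_prefix: bytes) -> Optional[int]:
    """Known-plaintext recovery: for a one-byte XOR layer the key is
    cipher[0] ^ plain[0]; verify that it holds across the whole prefix."""
    if not known_prefix or len(blob) < len(known_prefix):
        return None
    key = blob[0] ^ known_prefix[0]
    if xor_single_byte(blob[: len(known_prefix)], key) == known_prefix:
        return key
    return None


def candidate_keys(blob: bytes, looks_right: Callable[[bytes], bool]) -> list[int]:
    """Exhaustive search over the 256 possible keys, keeping those whose
    decoded output satisfies an analyst-supplied predicate (e.g. a known
    header or instruction sequence expected at the start of the payload)."""
    return [k for k in range(256) if looks_right(xor_single_byte(blob, k))]


def split_for_demo(payload: bytes, key: int) -> list[bytes]:
    """Build constructed sample input: XOR the payload, then cut it into chunks
    the way the export functions would each hold one piece."""
    enc = xor_single_byte(payload, key)
    return [enc[i : i + CHUNK_SIZE] for i in range(0, len(enc), CHUNK_SIZE)]


def demo() -> tuple[Optional[int], bytes]:
    # Constructed placeholder payload: marker text, not shellcode.
    payload = b"CONSTRUCTED-SAMPLE-PAYLOAD-FOR-DEMO"
    chunks = split_for_demo(payload, 0x5A)
    blob = reassemble_blob(chunks)
    key = recover_key(blob, b"CONSTRUCTED")
    decoded = xor_single_byte(blob, key) if key is not None else b""
    return key, decoded


if __name__ == "__main__":
    k, d = demo()
    print(hex(k) if k is not None else None, d)
```

`recover_key` is the fast path when the first few bytes of the payload are predictable; `candidate_keys` is the fallback when they are not, and with only 256 possibilities the exhaustive search is instant. The chunk-size check in `reassemble_blob` catches the common mistake of feeding the helper the whole export-function body instead of the four data bytes it stores.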

While the archive extracts in the background and initiates the infection process, the victim sees a decoy document in the foreground to reduce the chances of realizing the compromise.

In June 2022, Kaspersky noticed another variant in the APT10 infection chain, using file-less downloader shellcode delivered via a password-protected Microsoft Office document carrying malicious VBA code.

This time, instead of DLL side-loading, the hackers relied on the macro code to inject and load the shellcode (DOWNISSA) directly into the memory of the WINWORD.exe process.

Injecting shellcode directly into the process (Kaspersky)
The “DOWNISSA” infection chain (Kaspersky)

New LODEINFO

The malware authors released six new versions of LODEINFO in 2022, the latest being v0.6.7, released in September 2022.

At the end of 2021, with the release of LODEINFO v0.5.6, APT10 added multiple C2 communication encryption layers using a Vigenere cipher key together with randomly generated junk data.

LODEINFO encrypted C2 communications scheme (Kaspersky)

Additionally, LODEINFO v0.5.6 used XOR obfuscation for the 21 commands supported by the backdoor, while in version 0.5.9, a new hash calculation algorithm for API function names was introduced.

Support for 64-bit platforms was added in version 0.6.2, significantly broadening the targeting scope of the malware. That version also introduced an exemption for machines using the “en_US” locale to avoid unwanted infections.

In LODEINFO v0.6.3, released in June 2022, the malware authors removed ten unnecessary commands, probably to make the backdoor leaner and more efficient.

The commands that remain in current versions are:

  • Show embedded backdoor command list
  • Download a file from C2
  • Upload a file to C2
  • Inject shellcode into memory
  • Kill a process using a process ID
  • Change directory
  • Send malware and system information
  • Take a screenshot
  • Encrypt files using a generated AES key
  • Execute a command using WMI
  • Config (incomplete implementation)

APT10's Japan-targeting operations are characterized by constant evolution, expansion of targeted platforms, better evasion, and stealthy infection chains.

Kaspersky says LODEINFO v0.6.6 and v0.6.7, which weren't analyzed in this report, are already distributed via new TTPs, so the threat is constantly changing form, making it very hard for analysts and defenders to keep up.

Other recently uncovered operations linked to APT10 include a campaign targeting Middle Eastern and African governments using steganography and another abusing VLC to launch custom backdoors.