- Researchers at Kaspersky disclosed new LodeInfo malware activity in which a legitimate antivirus executable is abused (DLL sideloading) to plant a backdoor used for espionage against its victims.
- The threat group known as APT10 (also tracked as Cicada) tricked employees at several organizations in Japan into running a package disguised as K7Security Suite software.
- The operators used four different initial infection methods between March and September 2022.
Cybersecurity researchers at Kaspersky recently observed Cicada (also tracked as APT10) deceiving employees at several organizations in Japan into downloading what looked like the K7Security Suite but actually bundled a legitimate K7 executable with a malicious DLL. Employees who fell for the lure ended up with the LodeInfo backdoor on their systems.
Aiming for espionage against the targets
Kaspersky's researchers have been tracking the malware since it first emerged in 2019. They describe it as regularly modified and upgraded by its developers into an increasingly sophisticated cyber-espionage tool. In two blog posts published recently, the researchers said the threat group targets high-profile organizations in Japan, primarily for espionage.
The first post covers the newest versions found, v0.6.6 and v0.6.7, along with the infection methods tracked between March and September. The second analyzes older versions of the LodeInfo shellcode, v0.5.9, v0.6.2, v0.6.3, and v0.6.5, which were identified between March and June.
Four LodeInfo infection methods
According to the researchers, the operators used four different infection methods to get the LodeInfo backdoor onto victim systems.
Method 1 was identified in March and started with a spear-phishing email carrying a malicious attachment whose macro dropped the persistence components: a legitimate EXE from the K7Security Suite and a malicious DLL that the EXE loads through the DLL sideloading technique.
Method 2 used a RAR self-extracting archive (SFX) containing three files plus SFX script commands. When the target runs the SFX file, it drops the files and opens a .docx containing only a few Japanese words as a decoy. While the decoy is displayed, the SFX script launches K7SysMon.exe, which loads the malicious DLL K7SysMn1.dll from the same directory.
Method 3 used another SFX file, first seen in a spear-phishing campaign in June. It used the name of a well-known Japanese politician as the lure, with a self-extracting script and files similar to the previous vector. This variant also contained an additional file that decrypts the shellcode for the LodeInfo v0.6.3 backdoor.
Method 4 was observed in June and appears to be a brand-new technique that the developers added this year. It used a fileless downloader shellcode dubbed DOWNJPIT, a variant in the LodeInfo family, delivered via a password-protected Microsoft Word file whose malicious macro code differs from previously analyzed LodeInfo samples. The researchers said:
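Methods 1 through 3 all rely on the same trick: a signed vendor executable (K7SysMon.exe) is dropped next to a malicious DLL (K7SysMn1.dll) so that the loader picks the attacker's file from the application directory. The following is an added detection example, not Kaspersky's code or part of the original article. It applies three generic DLL sideloading heuristics to image-load records of the kind an EDR or Sysmon Event ID 7 would produce. The file names come from the article; the install root, signer strings, user names and paths are constructed assumptions.

```python
"""Heuristic detection of DLL sideloading through a trusted vendor executable.

Added example (not part of the original article or Kaspersky's research).
Records are constructed to mirror image-load telemetry: process image path,
loaded DLL path, and the signer of each. Only the file names K7SysMon.exe and
K7SysMn1.dll come from the article; paths and signer strings are assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Assumption: the real product lives under Program Files. A vendor EXE running
# from anywhere else is worth a look.
TRUSTED_INSTALL_ROOTS = (r"C:\Program Files", r"C:\Program Files (x86)")

# Directories a phishing attachment or SFX archive can write to without admin rights.
USER_WRITABLE_MARKERS = re.compile(
    r"\\(Temp|Downloads|AppData|Desktop|Documents)\\", re.IGNORECASE
)


@dataclass(frozen=True)
class ImageLoad:
    process_path: str
    process_signer: str  # "" when unsigned or signature invalid
    image_path: str
    image_signer: str


def parent_dir(path: str) -> str:
    """Case-folded directory part of a Windows path."""
    return path.rsplit("\\", 1)[0].lower()


def is_under(path: str, root: str) -> bool:
    return path.lower().startswith(root.lower() + "\\")


def sideload_indicators(ev: ImageLoad) -> list[str]:
    """Return the heuristics that fire for one image-load event."""
    reasons: list[str] = []

    # Sideloading only works when the DLL sits beside the EXE, because the
    # application directory is searched first. Skip everything else.
    if parent_dir(ev.process_path) != parent_dir(ev.image_path):
        return reasons

    # Signed vendor binary loading a co-located DLL that is unsigned or signed
    # by someone else (the K7SysMon.exe + K7SysMn1.dll pattern).
    if ev.process_signer and ev.image_signer != ev.process_signer:
        reasons.append("signed EXE loads co-located DLL with different/no signature")

    # The vendor binary is not running from its install location.
    if not any(is_under(ev.process_path, r) for r in TRUSTED_INSTALL_ROOTS):
        reasons.append("EXE executed outside its expected install root")

    # The DLL was dropped somewhere an SFX archive or macro can write.
    if USER_WRITABLE_MARKERS.search(ev.image_path):
        reasons.append("DLL loaded from a user-writable directory")

    return reasons


def scan(events: list[ImageLoad]) -> dict[str, list[str]]:
    """Map each suspicious DLL path to the indicators that fired for it."""
    hits = {}
    for ev in events:
        reasons = sideload_indicators(ev)
        if reasons:
            hits[ev.image_path] = reasons
    return hits


# Constructed sample telemetry. Signer strings and paths are made up.
SAMPLE_EVENTS = [
    # Benign baseline: product running from its install directory, DLL signed
    # by the same publisher.
    ImageLoad(r"C:\Program Files\K7Security\K7SysMon.exe", "K7 Computing (assumed)",
              r"C:\Program Files\K7Security\K7SysMn1.dll", "K7 Computing (assumed)"),
    # Sideloading as described in the article: SFX extracts the signed EXE and
    # an unsigned DLL into a temp folder and launches the EXE.
    ImageLoad(r"C:\Users\taro\AppData\Local\Temp\RarSFX0\K7SysMon.exe", "K7 Computing (assumed)",
              r"C:\Users\taro\AppData\Local\Temp\RarSFX0\K7SysMn1.dll", ""),
    # Unrelated load from System32: not co-located, so not a sideload candidate.
    ImageLoad(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", "Microsoft (assumed)",
              r"C:\Windows\System32\ntdll.dll", "Microsoft (assumed)"),
]

if __name__ == "__main__":
    for dll, reasons in scan(SAMPLE_EVENTS).items():
        print(dll)
        for r in reasons:
            print("  -", r)
```

In real telemetry the signer fields would come from the event's signature fields rather than a constructed string, and the install-root list should be populated from the software inventory of the environment rather than hard-coded; the co-location check is what keeps the rule from firing on every DLL load by a signed process.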
"Unlike past samples, such as the one described in the Initial Infection #1 section of this article, where the malicious VBA macro was used to drop different components of the DLL sideloading technique, in this case, the malicious macro code injects and loads an embedded shellcode in the memory of the WINWORD.exe process directly. This implant was not present in past activities and the shellcode is also a newly discovered multi-stage downloader shellcode for LODEINFO v0.6.5."
In their blog posts, the Kaspersky researchers detailed several new evasion techniques in the latest versions of the malware's shellcode. They also describe how the operators keep adapting to avoid detection: for example, they follow publications by security researchers and update their TTPs and malware in response. It is not yet known how many organizations were compromised or how much damage was done.