Cybersecurity scientists have uncovered an current variation of a backdoor known as LODEINFO that’s distributed by way of spear-phishing attacks.
The conclusions occur from Japanese firm ITOCHU Cyber & Intelligence, which mentioned the malware “has been updated with new options, as effectively as adjustments to the anti-assessment (examination avoidance) strategies.”
LODEINFO (variations .6.6 and .6.7) was initially documented by Kaspersky in November 2022, detailing its abilities to execute arbitrary shellcode, get screenshots, and exfiltrate data files back again to an actor-controlled server.
A month later, ESET disclosed attacks targeting Japanese political establishments that led to the deployment of LODEINFO.
The backdoor is the perform of a Chinese nation-condition actor acknowledged as Stone Panda (aka APT10, Bronze Riverside, Cicada, Earth Tengshe, MirrorFace, and Potassium), which has a background of orchestrating attacks targeting Japan because 2021.
Attack chains commence with phishing emails bearing destructive Microsoft Word paperwork that, when opened, execute VBA macros to start downloader shellcode capable of ultimately executing the LODEINFO implant.
LODEINFO an infection paths observed in 2023 have also been observed making use of distant template injection techniques to retrieve and execute destructive macros hosted on the adversary’s infrastructure just about every time the victim opens a lure Word doc containing the template.
What is actually a lot more, checks are said to have been added to confirm the language settings of Microsoft Office environment to confirm if it truly is Japanese sometime around June 2023, only for it be removed a thirty day period later on in attacks leveraging LODEINFO model .7.1.
“In addition, the filename of the maldoc alone has been altered from Japanese to English,” ITOCHU observed. “From this, we think that v0.7.1 was very likely applied to attack environments in languages other than Japanese.”
Another noteworthy change in attacks offering LODEINFO version .7.1 is the introduction of a new intermediate phase that includes the shellcode downloader fetching a file that masquerades as a Privacy-Increased Mail (PEM) from a C2 server, which, in flip, masses the backdoor directly in memory.
The downloader shares similarities with a regarded fileless downloader dubbed DOWNIISSA based mostly on the self-patching mechanism to conceal malicious code, encoding approach for command-and-regulate (C2) server facts, and the composition of the information decrypted from the pretend PEM file.
“LODEINFO backdoor shellcode is a fileless malware that allows attackers to remotely entry and function infected hosts,” the business reported, with samples found in 2023 and 2024 incorporating additional instructions. The most current model of LODEINFO is .7.3.
“As a countermeasure, since equally the downloader shellcode and the backdoor shellcode of LODEINFO are fileless malware, it is important to introduce a product that can scan and detect malware in memory in buy to detect it,” it added.
Discovered this posting fascinating? Adhere to us on Twitter and LinkedIn to read through a lot more special content material we submit.
Some areas of this posting are sourced from: