APT10 Attacks Japanese Organizations with LODEINFO Malware
Category: Threat Actor Activity | Industries: Diplomatic, Government, Media, Think Tanks | Level: Tactical | Source: Kaspersky
Kaspersky's investigation of the LODEINFO malware family has traced operations to the Chinese-led threat group APT10/menuPass, which has been deploying the malware against organizations in Japan since 2019. The threat group's targets are diplomatic agencies, government organizations, media services, public-sector organizations, and think tanks. APT10 has used several infection chains, all starting with phishing emails: either VBScript within a Microsoft Word file or a self-extracting archive (SFX) file, a custom downloader, and DLL side-loading with a legitimate security suite, K7Security.

The threat actors abuse the K7Security suite's executable file, NRTOLF.exe, which normally looks for a DLL file named K7SysMn1.dll. The executable does not care which folder K7SysMn1.dll is located in, giving the threat actor the option to load their malicious DLL from the same or a different folder. By abusing a legitimate security solution, the attackers can slip past security monitoring detections. "The K7SysMn1.dll contains a BLOB with an obfuscated routine not observed in past activities. The embedded BLOB is divided into four-byte chunks, and each part is stored in one of the 50 randomly named export functions of the DLL binary. These export functions reconstruct the BLOB in an allocated buffer and then decode the LODEINFO shellcode using a one-byte XOR key."

The threat actors evolve LODEINFO constantly, with at least six versions of the malware released this year. Commands available in version 6.3 of the malware include file upload, file download, stopping a process, injecting shellcode into memory, gathering system information, and taking a screenshot of the host. APT10's campaign objectives are focused on cyber espionage; the various infection chains used are examples of the group developing its techniques to evade detection monitoring.
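The side-loading behaviour above (NRTOLF.exe loading K7SysMn1.dll from whatever folder the attacker chose) is a good fit for process-creation and image-load telemetry. The following detection sketch is an added example, not code from Kaspersky or Anvilogic: it parses constructed Sysmon-style key=value lines and flags the host executable starting from a user-writable folder, or the paired DLL loaded from such a folder or unsigned. The vendor install path and the user-writable folder list are assumptions for the example.

```python
import ntpath
import re

# Side-loading pair named in the report: NRTOLF.exe looks for K7SysMn1.dll
# without caring which folder the DLL sits in.
SIDELOAD_HOSTS = {"nrtolf.exe"}
SIDELOAD_DLLS = {"k7sysmn1.dll"}

# Folders an SFX archive or downloader can write to without admin rights.
# Assumption for this example; tune to your environment.
USER_WRITABLE = re.compile(r"^c:\\(users|programdata|windows\\temp)\\", re.IGNORECASE)

# Constructed Sysmon-style events (EventID 1 = process create, 7 = image load);
# "ExampleVendor" is a placeholder install folder, not the real product path.
SAMPLE_EVENTS = [
    "EventID=1 Image=C:\\Program Files\\ExampleVendor\\NRTOLF.exe ParentImage=C:\\Windows\\explorer.exe",
    "EventID=7 Image=C:\\Program Files\\ExampleVendor\\NRTOLF.exe ImageLoaded=C:\\Program Files\\ExampleVendor\\K7SysMn1.dll Signed=true",
    "EventID=1 Image=C:\\Users\\alice\\AppData\\Local\\Temp\\sfx\\NRTOLF.exe ParentImage=C:\\Users\\alice\\Downloads\\invoice.exe",
    "EventID=7 Image=C:\\Users\\alice\\AppData\\Local\\Temp\\sfx\\NRTOLF.exe ImageLoaded=C:\\Users\\alice\\AppData\\Local\\Temp\\sfx\\K7SysMn1.dll Signed=false",
    "EventID=7 Image=C:\\Users\\alice\\AppData\\Local\\Temp\\sfx\\NRTOLF.exe ImageLoaded=C:\\Windows\\System32\\kernel32.dll Signed=true",
    "EventID=7 Image=C:\\Program Files\\ExampleVendor\\NRTOLF.exe ImageLoaded=D:\\tools\\K7SysMn1.dll Signed=false",
]

# key=value pairs whose values may contain spaces (e.g. "Program Files").
FIELD = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_event(line):
    """Turn one 'key=value key=value' line into a dict."""
    return dict(FIELD.findall(line))


def in_user_writable_dir(path):
    return bool(USER_WRITABLE.match(path))


def check_event(ev):
    """Return a finding string for one event, or None if nothing matches."""
    eid, image = ev.get("EventID"), ev.get("Image", "")
    if eid == "1" and ntpath.basename(image).lower() in SIDELOAD_HOSTS:
        if in_user_writable_dir(image):
            return f"side-loading host started from user-writable folder: {image}"
    if eid == "7":
        loaded = ev.get("ImageLoaded", "")
        name = ntpath.basename(loaded)
        if name.lower() in SIDELOAD_DLLS:
            if in_user_writable_dir(loaded):
                return f"{name} loaded from user-writable folder by {image}"
            if ev.get("Signed", "").lower() == "false":
                return f"unsigned {name} loaded from {loaded} by {image}"
    return None


def scan(lines):
    """Run every line through check_event and keep the hits."""
    return [f for f in (check_event(parse_event(l)) for l in lines) if f]
```

The benign events from the vendor folder produce no findings; a signed copy of K7SysMn1.dll loaded from the vendor folder is expected behaviour, so the rule keys on folder and signature rather than on the file name alone.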
- APT10 & LODEINFO Malware Infection
Anvilogic Use Cases:
- Compressed File Execution
- Executable Process from Suspicious Folder
- Remote Thread from Suspicious Folder