Hacking group abuses antivirus software to launch LODEINFO malware

Hacking group abuses antivirus software to launch LODEINFO malware

Hacker in a purge mask

The Chinese Cicada hacking group, tracked as APT10, was observed abusing security software to install a new version of the LODEINFO malware against Japanese organizations.

The targeted entities are media groups, diplomatic agencies, government and public sector organizations, and think tanks in Japan, all high-interest targets for cyberespionage.

According to Kaspersky, whose analysts have been following APT10’s operations in Japan since 2019, the threat actors are constantly evolving their infection tactics and their custom backdoor, ‘LODEINFO,’ to make detections a lot harder.

The cybersecurity company has published two reports, one illustrating new APT10’s infection chain techniques and a second focusing on the evolution of LODEINFO.

Abusing security software

Starting in March 2022, Kaspersky noticed that the APT10 attacks in Japan used a new infection vector, including a spear-phishing email, a self-extracting (SFX) RAR file, and abusing a DLL side-loading flaw in security software.

The RAR archive contains the legitimate K7Security Suite software executable, NRTOLD.exe, and a malicious DLL named K7SysMn1.dll. When NRTOLD.exe is executed, it will attempt to load the legitimate K7SysMn1.dll file that is normally included in the software suite..

However, the executable does not look for the DLL in a specific folder and thus allows malware developers to create a malicious DLL using the same name as K7SysMn1.dll.

If the malicious DLL is stored in the same folder as the legitimate executables, when launched, the executable will now load the malicious DLL, which contains the LODEINFO malware.

As the malware is side-loaded using a legitimate security application, other security software may not detect it as malicious.

“K7SysMn1.dll contains a BLOB with an obfuscated routine not observed in past activities,” explains Kaspersky in the report.

“The embedded BLOB is divided into four-byte chunks, and each part is stored in one of the 50 randomly named export functions of the DLL binary.”

“These export functions reconstruct the BLOB in an allocated buffer and then decode the LODEINFO shellcode using a one-byte XOR key.”

Payload assemblies from BLOBs
Payload assemblies from BLOBs (Kaspersky)

While the archive extracts in the background and initiates the infection process, the victim sees a decoy document in the foreground to minimize the chances of realizing the compromise.

In June 2022, Kaspersky noticed another variant in the APT10 infection chain, using a file-less downloader shellcode delivered via a password-protected Microsoft Office document carrying malicious VBA code.

This time, instead of side-loading DLLs, the hackers relied on the macro code to inject and load the shellcode (DOWNISSA) directly into the memory of the WINWORD.exe process.

Injecting shellcode directly into the process
Injecting shellcode directly into the process (Kaspersky)
The DOWNISSA infection chain
The “DOWNISSA” infection chain (Kaspersky)

New LODEINFO

The malware authors released six new versions of LODEINFO in 2022, the latest being v0.6.7, released in September 2022.

At the end of 2021, with the release of LODEINFO v0.5.6, APT10 added multiple C2 communication encryption layers using the Vigenere cipher key in combination with randomly generated junk data.

LODEINFO encrypted C2 comms scheme
LODEINFO encrypted C2 communications scheme (Kaspersky)

Additionally, LODEINFO v0.5.6 used XOR obfuscation for the 21 commands supported by the backdoor, while in version 0.5.9, a new hash calculation algorithm for API function names was introduced.

Support for 64-bit platforms was added in version 0.6.2, essentially broadening the targeting scope of the malware. That version also introduced an exemption for machines using the “en_US” locale to avoid unwanted infections.

In LODEINFO v0.6.3, released in June 2022, the malware authors removed ten unnecessary commands, possibly to make the backdoor leaner and more efficient.

The commands that remain in current versions are:

  • Show embedded backdoor command list
  • Download a file from C2
  • Upload a file to C2
  • Inject the shellcode into memory
  • Kill a process using a process ID
  • Change directories
  • Send malware and system information
  • Take a screenshot
  • Encrypt files by a generated AES key
  • Execute a command using WM I
  • Config (incomplete implementation)

APT10’s Japan-targeting operations are characterized by constant evolution, expansion of targeted platforms, better evasion, and stealthy infection chains.

Kaspersky says LODEINFO v0.6.6 and v0.6.7, which weren’t analyzed in this report, are already distributed via new TTPs, so the threat is constantly changing form, making it very hard for analysts and defenders to keep up.

Other recently uncovered operations linked to APT10 include a campaign targeting Middle Eastern and African governments using steganography and another abusing VLC to launch custom backdoors.