Chinese-speaking threat actor APT10 has been using a sophisticated and sometimes fileless backdoor to target media, diplomatic, governmental, public sector, and think-tank targets, since at least March, researchers have found.
Researchers at Kaspersky have been tracking the LodeInfo malware family since 2019, they said in one of two blog posts published Monday that lay out a two-part investigation on the emerging threat. The group is bent on espionage, primarily against Japanese targets to date.
However, as threat actors are constantly updating and modifying LodeInfo — particularly with anti-detection features and varying infection vectors — it's been difficult to stay on top of its use and deployment, the researchers said.
"LodeInfo and its infection methods have been constantly updated and improved to become a more sophisticated cyber-espionage tool while targeting organizations in Japan," the researchers wrote in one of their posts. "The LodeInfo implants and loader modules were also continuously updated to evade security products and complicate manual analysis by security researchers."
JPCERT/C first named LodeInfo in a blog post in February 2020, when it was the payload in a spear-phishing campaign targeting Japan, according to Kaspersky. The following year, Kaspersky researchers also shared new findings during the HITCON 2021 conference that covered LodeInfo activities from 2019 to 2020. At the time they attributed the malware to APT10 — also known as the "Cicada" group — with "high confidence," the researchers said.
Kaspersky's latest intelligence on LodeInfo in the first half of their report focuses on their identification of current versions of the malware — in which researchers detected v0.6.6 and v0.6.7 — and their various infection methods tracked between March and September in use against targets in Japan. The second part unveils an investigation of new versions of LodeInfo shellcode — including v0.5.9, v0.6.2, v0.6.3 and v0.6.5 — identified in March, April, and June, respectively, the researchers said.
Varied Infections Methods
Researchers outlined four different infection methods that threat actors are using to get the LodeInfo backdoor on victim systems.
The first, identified in March and used in previous attacks observed by Kaspersky, started with a spear-phishing email that included a malicious attachment installing malware persistence modules, the researchers said. These modules were comprised of a legitimate EXE file from the K7Security Suite software used for DLL sideloading, as well as a malicious DLL file loaded via the DLL sideloading technique.
The malicious DLL file includes a loader for the LodeInfo shellcode that contains a 1-byte XOR-encrypted LodeInfo shellcode internally identified by version 0.5.9, the researchers said.
Another infection method uses a self-extracting archive (SFX) file in RAR format that contains three files with self-extracting script commands. When a targeted user executes this SFX file, the archive drops other files opens a .docx containing just a few Japanese words as a decoy, the researchers said.
While this decoy file is being shown to the user, archive script executes a malicious DLL via DLL sideloading that start a process that eventually deploys LodeInfo v0.6.3, they said.
A third infection vector uses another SFX file, first seen spread via a spear-phishing campaign in June, that exploits the name of a well-known Japanese politician and uses self-extracting script and files similar to the previous vector. This initial infection method also includes an additional file that decrypts shellcode for the LodeInfo v0.6.3 backdoor, the researchers said.
"The file name and the decoy document suggest the target was the Japanese ruling party or a related organization," they explained, adding that they observed another SFX file with a similar method and payload on July 4.
The fourth infection vector that researchers outlined was observed in June and appears to be a brand-new method that threat actors added this year, they said. This vector uses a fileless downloader shellcode — dubbed "DOWNIISSA" by the researchers — delivered by a password-protected Microsoft Word file. The file includes malicious macro code completely different from previously investigated samples of LodeInfo, the researchers said.
"Unlike past samples … where the malicious VBA macro was used to drop different components of the DLL sideloading technique, in this case the malicious macro code injects and loads an embedded shellcode in the memory of the WINWORD.exe process directly," they explained. "This implant was not present in past activities, and the shellcode is also a newly discovered multi-stage downloader shellcode for LodeInfo v0.6.5."
Advanced Evasion Tactics
Kaspersky researchers also outlined the various advanced evasion tactics displayed in new versions of the malware's shellcode, demonstrating how threat actors are evolving the malware to increase the chances they won't be caught, the researchers said.
"These modifications may serve as a confirmation that the threat actors track publications by security researchers and learn how to update their TTPs [tactics, techniques, and procedures] and improve their malware," they wrote.
For example, the LodeInfo v0.5.6 shellcode demonstrates several enhanced evasion techniques for certain security products, as well as three new backdoor commands implemented by the developer, researchers said.
It also contains a hardcoded key, NV4HDOeOVyL, used later by an antiquated Vigenere cipher, and it generates random junk data "possibly to evade beaconing detection based on packet size," they noted.
Another shellcode, in LodeInfo v0.5.6, uses revised crypto-algorithms and backdoor command identifiers — obfuscated with a 2-byte XOR operation that that was defined as 4-byte hardcoded values in previous LodeInfo shellcodes, the researchers said.
"We also observed the actor implementing new backdoor commands such as 'comc,' 'autorun,' and 'config' in LodeInfo v0.5.6 and later versions," they explained. "Twenty-one backdoor commands, including three new commands, are embedded in the LodeInfo backdoor to control the victim host."
Other LodeInfo shellcodes, v0.6.2 and later versions specifically, include a curious geographic identifying feature that looks for the “en_US” locale on the victim’s machine in a recursive function and halts execution if that locale is found, the researchers said, indicating that the threat actors are avoiding US targets.
Another core modification of the LodeInfo shellcode observed by Kaspersky was support for Intel 64-bit architecture, which expands the type of victim environments that threat actors can target, they said.
Overall, the updated TTPs and improvements in LodeInfo and related malware "indicate that the attacker is particularly focused on making detection, analysis, and investigation harder for security researchers," the researchers wrote.
Kaspersky shared various indicators of compromise in part two of its post on LodeInfo. The firm is encouraging other security researchers and the overall community in general to collaborate on identifying LodeInfo and related malware attacks in victim environments to prevent and mitigate further attacks.