The Chinese state-sponsored hacking group tracked as Stone Panda (APT10) has been observed abusing antivirus software to install a new version of its custom LODEINFO backdoor against Japanese organizations. According to reports from Kaspersky, the campaign is attacking high-interest cyberespionage targets in Japan, including media groups, diplomatic agencies, government and public sector organizations, and think tanks.

Some of the notable capabilities of the backdoor malware include:

  • Show embedded backdoor command list
  • Download a file from C2
  • Upload a file to C2
  • Inject the shellcode into memory
  • Kill a process using a process ID
  • Change directory
  • Send malware and system information
  • Take a screenshot
  • Encrypt files with a generated AES key
  • Execute a command using WMI
  • Config (incomplete implementation)

Impact

LODEINFO was first discovered in 2019. Since then, LODEINFO and its infection methods have been continually updated and improved, making it a more sophisticated cyberespionage tool against organizations in Japan. The LODEINFO implants and loader modules are also continuously updated to evade security products and complicate manual analysis. To widen the range of victim environments it can run in, one of the core modifications in the newer versions (v0.6.6 and v0.6.7) of the LODEINFO shellcode is support for the Intel 64-bit architecture.

The updated TTPs and improvements in LODEINFO and related malware indicate that the attacker is particularly focused on making detection, analysis and investigation more difficult for security researchers. Improvements include implementation of the Vigenère cipher, a complex infection flow with fileless malware, partial XOR encryption, C2 communication packets with a unique data structure and variable length, and password-protected documents.
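The brief names two obfuscation primitives, a Vigenère cipher and partial XOR encryption, but does not describe the malware's key, alphabet or which bytes the XOR covers. The following Python is an added analyst helper, not LODEINFO's code and not Kaspersky's tooling: it implements both primitives in their generic textbook form, the way an analyst would when decoding strings recovered from a sample after the key has been pulled out of the loader. The classic 26-letter alphabet, the sample key LEMON, the two-byte XOR key and the idea that "partial" means a fixed-length prefix are all assumptions made for the illustration.

```python
"""Analyst helper for the two string-obfuscation primitives named in the brief.

Added illustration, not LODEINFO's or Kaspersky's code. Alphabet, keys and
the "partial" prefix length are assumptions; the real malware layout is not
described in the brief.
"""
from itertools import cycle
from typing import Optional

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"  # assumption: classic 26-letter Vigenere


def vigenere(text: str, key: str, decrypt: bool = False) -> str:
    """Shift each alphabetic character by the matching key letter.

    Non-alphabet characters pass through unchanged and do not consume a
    key position (the usual classic-cipher convention). Case is preserved.
    Decryption is the same walk with the shift negated.
    """
    if not key or any(k not in ALPHABET for k in key.upper()):
        raise ValueError("key must be non-empty and alphabetic")
    shifts = cycle(ALPHABET.index(k) for k in key.upper())
    out = []
    for ch in text:
        up = ch.upper()
        if up not in ALPHABET:
            out.append(ch)
            continue
        shift = next(shifts)
        if decrypt:
            shift = -shift
        new = ALPHABET[(ALPHABET.index(up) + shift) % len(ALPHABET)]
        out.append(new if ch.isupper() else new.lower())
    return "".join(out)


def partial_xor(data: bytes, key: bytes, length: Optional[int] = None) -> bytes:
    """Apply a repeating-key XOR to only the first `length` bytes of `data`.

    XOR is its own inverse, so the same call encodes and decodes.
    `length=None` covers the whole buffer. Obfuscating only a prefix (for
    example a header that signature-based scanners key on) is the generic
    reading of "partial XOR" assumed here.
    """
    if not key:
        raise ValueError("key must be non-empty")
    if length is None or length > len(data):
        length = len(data)
    head = bytes(b ^ k for b, k in zip(data[:length], cycle(key)))
    return head + data[length:]


# --- constructed sample input (not artifacts from a real sample) ---
SAMPLE_KEY = "LEMON"
SAMPLE_CIPHERTEXT = "LXFOPVEFRNHR"  # textbook Vigenere pair for ATTACKATDAWN
XOR_KEY = b"\x5a\xa5"               # constructed two-byte repeating key


def demo() -> dict:
    """Round-trip both primitives on the constructed input and return the results."""
    plain = vigenere(SAMPLE_CIPHERTEXT, SAMPLE_KEY, decrypt=True)
    blob = b"MZ\x90\x00 constructed payload header"
    obf = partial_xor(blob, XOR_KEY, length=4)
    return {
        "vigenere_plain": plain,
        "xor_prefix_changed": obf[:4] != blob[:4],
        "xor_tail_untouched": obf[4:] == blob[4:],
        "xor_roundtrip": partial_xor(obf, XOR_KEY, length=4) == blob,
    }


if __name__ == "__main__":
    print(demo())
```

The point for a defender is that neither primitive provides confidentiality; they exist only to defeat static string matching. Once the key material is located in the loader, both decode in a few lines, which is why detection engineering for this kind of chain leans on the loader behaviour (DLL sideloading of the antivirus executable, in-memory shellcode) rather than on the obfuscated strings themselves.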

DXC perspective

A secure infrastructure, with the latest antivirus software tools and constant vigilance, is the best defense against malware.