
Threat Actors Exploit Antivirus Software to Launch LODEINFO Malware, Target Entities in Japan


APT10 uses LODEINFO malware to attack Japanese organizations

The Chinese hacking group Cicada, also tracked as APT10, was found abusing legitimate security software to deploy a new variant of the LODEINFO malware against Japanese organizations.

The victims include media groups, government and public sector organizations, think tanks, and diplomatic agencies in Japan, all lucrative targets for cyberespionage.

According to Kaspersky analysts, who have tracked APT10's operations in Japan since 2019, the actors continuously refine their infection techniques and their custom backdoor, LODEINFO, to make detection harder.

Kaspersky published two reports, one showing APT10's exploit chain tactics and the second highlighting the evolution of LODEINFO.

Exploiting security software

The investigation began in March 2022, when Kaspersky found that APT10 attacks in Japan had started using a new infection vector: a spear-phishing email carrying a self-extracting (SFX) RAR archive that abuses a DLL side-loading weakness in security software.

The RAR archive contains the legitimate K7Security Suite executable, NRTOLD.exe, together with a malicious DLL named K7SysMn1.dll. When NRTOLD.exe runs, it attempts to load the genuine K7SysMn1.dll that normally ships with the suite.

However, the executable does not load the DLL from a specific, fully qualified location, which lets the malware developers supply their own DLL under the same name, K7SysMn1.dll.

If the malicious DLL is placed in the same folder as the genuine executable, the executable loads it at launch, and that DLL carries the LODEINFO payload.

Because the malware is side-loaded by an authentic security application, other security products may not flag it as malicious.
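As an added example (not code from the post or from Kaspersky's reports), the following detector runs over constructed Sysmon Event ID 7 (image loaded) records and flags the pattern described above: a tracked DLL loaded from the folder beside its loader rather than the vendor's install directory, and loaded unsigned. The expected install directory is an assumed placeholder, not a value from the page.

```python
"""Flag DLL side-loading candidates in Sysmon-style image-load events."""
import ntpath

# Assumed placeholder for where the legitimate K7 suite lives; not from the page.
EXPECTED_DIRS = {
    "k7sysmn1.dll": {r"c:\program files\k7 security"},
}

# Constructed Sysmon Event ID 7 records, reduced to the fields that matter.
EVENTS = [
    {"Image": r"C:\Program Files\K7 Security\NRTOLD.exe",
     "ImageLoaded": r"C:\Program Files\K7 Security\K7SysMn1.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": r"C:\Users\victim\AppData\Local\Temp\RarSFX0\NRTOLD.exe",
     "ImageLoaded": r"C:\Users\victim\AppData\Local\Temp\RarSFX0\K7SysMn1.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\ntdll.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
]


def classify(event):
    """Return the reasons an event looks like side-loading (empty if benign)."""
    reasons = []
    dll = ntpath.basename(event["ImageLoaded"]).lower()
    dll_dir = ntpath.dirname(event["ImageLoaded"]).lower()
    exe_dir = ntpath.dirname(event["Image"]).lower()
    expected = EXPECTED_DIRS.get(dll)
    if expected is None:
        return reasons  # not a DLL we track
    if dll_dir not in expected:
        reasons.append(f"{dll} loaded from unexpected directory {dll_dir}")
        if dll_dir == exe_dir:
            # Loader and DLL dropped together outside the install tree.
            reasons.append("DLL sits beside its loader (search-order hijack pattern)")
    if event["Signed"].lower() != "true":
        reasons.append(f"{dll} is unsigned")
    return reasons


def scan(events):
    """Map the index of each suspicious event to its list of reasons."""
    return {i: r for i, e in enumerate(events) if (r := classify(e))}


if __name__ == "__main__":
    for idx, reasons in scan(EVENTS).items():
        print(f"event {idx}: " + "; ".join(reasons))
```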

The Kaspersky report said: 

"K7SysMn1.dll contains a BLOB with an obfuscated routine not observed in past activities. The embedded BLOB is divided into four-byte chunks, and each part is stored in one of the 50 randomly named export functions of the DLL binary. These export functions reconstruct the BLOB in an allocated buffer and then decode the LODEINFO shellcode using a one-byte XOR key."

New LODEINFO

The malware developers released six new variants of LODEINFO in 2022, the most recent being v0.6.7, released in September 2022.

APT10's operations against Japan are marked by an expanding set of targeted platforms, constant evolution, stealthy infection chains, and improved evasion.

Other recently uncovered operations attributed to APT10 include a campaign targeting Middle Eastern and African governments via steganography and another abusing VLC to deploy custom backdoors.