Posted on October 30, 2022 at 8:16 PM
Chinese APT10 Hackers Are Planting LODEINFO Malware In Antivirus Software
The Chinese hacking group Cicada has been discovered abusing antivirus security software to install a new version of the LODEINFO malware in attacks on Japanese organizations.
The hacking group, tracked as APT10, was observed targeting government and public sector organizations, diplomatic agencies, media groups, and think tanks in Japan for high-level cyber espionage.
Cybersecurity firm Kaspersky reported that the hackers constantly change their custom backdoors and attack methods to evade detection. They have become adept at keeping a very low profile while maintaining persistence on the targeted systems. Kaspersky has been tracking APT10 operations in Japan since 2019.
Kaspersky Published Two Reports
The cybersecurity firm has published two reports on the threat actor's activities. One report explains the evolution of the LODEINFO malware; the other focuses on APT10's infection methods.
Kaspersky discovered that the APT10 attacks in Japan began using a new infection vector in March 2022. The attackers combined a spear-phishing email, a self-extracting (SFX) RAR archive, and the abuse of a DLL side-loading weakness in the security software.
The RAR archive contains a malicious DLL named K7SysMn1.dll and the legitimate K7Security Suite executable, NRTOLD.exe. When NRTOLD.exe is executed, it tries to load K7SysMn1.dll, a file that normally ships with the software suite.
But the executable does not look for the DLL in a specific folder, which allows the malware developers to supply their own malicious DLL under the same K7SysMn1.dll name.
The Malware Loading Process Makes Detection Very Difficult
If the threat actors place the malicious DLL in the same folder as the legitimate executable, it will be loaded automatically when the executable is launched. This side-loaded DLL carries the LODEINFO malware.
And once the malware is loaded side-by-side with the legitimate security application, it becomes very difficult for other security software to detect it as malicious.
“K7SysMn1.dll contains a BLOB with an obfuscated routine not observed in past activities,” Kaspersky notes in the report.
The cybersecurity firm added that the BLOB is split into four-byte chunks, each stored in one of the library's randomly named export functions.
Kaspersky added that the export functions reassemble the BLOB in a dedicated buffer before a one-byte XOR key is used to decode the LODEINFO shellcode.
The archive is extracted in the background before the infection process begins. Once the infection is underway, the victim is shown a decoy document in the foreground so that they do not notice it.
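The side-loading chain described above leaves a detectable trace: the legitimate host executable loading a same-named DLL from a user-writable folder, without a valid signature. The following added example (not from the article or from Kaspersky) runs that check over constructed Sysmon image-load records; the log layout, the sample lines and the install path are assumptions.

```python
# Added example (not from the article or from Kaspersky): flags DLL side-loading
# of the kind described above using Sysmon Event ID 7 (image load) records. The
# log layout, the log lines and the install path below are constructed.
import ntpath

# Assumption (placeholder path): the legitimate suite lives here, so a watched DLL
# loading from anywhere else (e.g. an SFX RAR extraction folder) or without a
# valid signature is suspicious.
EXPECTED_DIR = r"c:\program files\k7security"
WATCHED_PAIRS = {("nrtold.exe", "k7sysmn1.dll")}  # (host exe, side-loadable DLL)

def parse_sysmon_line(line: str) -> dict:
    """Parse a flattened 'Key: value|Key: value' record (constructed layout)."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition(":")  # first ':' only, so 'C:\...' survives
        fields[key.strip()] = value.strip()
    return fields

def sideload_findings(event: dict) -> list:
    """Return why this image-load event looks like side-loading (empty if clean)."""
    exe = ntpath.basename(event.get("Image", "")).lower()
    loaded = event.get("ImageLoaded", "")
    dll = ntpath.basename(loaded).lower()
    if (exe, dll) not in WATCHED_PAIRS:
        return []
    reasons = []
    if ntpath.dirname(loaded).lower() != EXPECTED_DIR:
        reasons.append(f"{dll} loaded from unexpected directory {ntpath.dirname(loaded)}")
    if event.get("Signed", "").lower() != "true" or event.get("SignatureStatus", "").lower() != "valid":
        reasons.append(f"{dll} is not validly signed")
    return reasons

def scan(lines) -> list:
    """Run every record through the check; return (host exe path, reasons) hits."""
    hits = []
    for line in lines:
        ev = parse_sysmon_line(line)
        reasons = sideload_findings(ev)
        if reasons:
            hits.append((ev["Image"], reasons))
    return hits

# Constructed sample records: a normal load by the installed suite, then an
# SFX-extracted copy loading an unsigned same-named DLL from a temp directory.
SAMPLE_LOGS = [
    r"EventID: 7|Image: C:\Program Files\K7Security\NRTOLD.exe|ImageLoaded: C:\Program Files\K7Security\K7SysMn1.dll|Signed: true|SignatureStatus: Valid",
    r"EventID: 7|Image: C:\Users\victim\AppData\Local\Temp\RarSFX0\NRTOLD.exe|ImageLoaded: C:\Users\victim\AppData\Local\Temp\RarSFX0\K7SysMn1.dll|Signed: false|SignatureStatus: Unavailable",
]
```

Calling `scan(SAMPLE_LOGS)` reports only the second record, with both the unexpected directory and the missing signature as reasons.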
Kaspersky stated that it discovered another APT10 infection-chain variant in June 2022. According to the security firm, this variant used a downloader shellcode delivered through a password-protected Microsoft Office document carrying VBA code.
However, rather than DLL side-loading, the threat group used the macro code to deliver and load the shellcode directly into the WINWORD.exe process.
Six Versions Of LODEINFO Were Released This Year
According to the researchers, the malware authors released six new versions of LODEINFO this year, with the latest, v0.6.7, released two months ago.
LODEINFO v0.5.6 was released toward the end of last year. Following that release, the APT10 group added multiple layers of C2 communication encryption using a Vigenère cipher key in combination with randomly generated junk data.
The same version also applied XOR obfuscation to the 21 commands supported by the backdoor. In addition, the APT10 group introduced a new hash calculation algorithm for API function names in version 0.5.9.
The threat actors added support for 64-bit platforms in version 0.6.2, which widened the malware's targeting. The same version added an exemption for systems using the "en_US" locale to prevent unwanted infections.
LODEINFO v0.6.3 was released in June 2022. At that point, the threat actors made the backdoor leaner and more efficient by removing ten unneeded commands.
The commands still present in current versions include:
Config (incomplete implementation)
Download a file from C2
Encrypt files by a generated AES key
Execute a command using WMI
Inject the shellcode into the memory
Kill a process using a process ID
Send malware and system information
Show embedded backdoor command list
Take a screenshot
Upload a file to C2
The threat actor's operations share common features: stealthy infection chains, better evasion, expansion of the targeted platforms, and constant evolution.