China's Stone Panda rips Japan's digital defenses to shreds

The updated LODEINFO backdoor allows hackers to remotely access and manage infected hosts.

Security researchers at Japan's ITOCHU have identified an updated version of the LODEINFO backdoor, which is delivered through spear-phishing attacks.

LODEINFO versions 0.6.6 and 0.6.7, documented by Kaspersky in November 2022, can execute arbitrary shellcode, take screenshots and exfiltrate files to attacker-controlled servers. A month later, ESET reported attacks on Japanese political entities that also used LODEINFO.

The backdoor is attributed to the Chinese threat group Stone Panda (also tracked as APT10, Bronze Riverside, Cicada, Earth Tengshe, MirrorFace and Potassium), which has been targeting Japan since 2021.

Attacks usually begin with phishing emails carrying malicious Microsoft Word documents. Opening a document runs VBA macros that load shellcode, which in turn implants LODEINFO.

Versions observed throughout 2023 use remote template injection to fetch and execute the malicious macros: the document itself carries no macro, only a reference to an externally hosted template that Word retrieves on open. A check of Microsoft Office's language setting for Japanese was also added to the macro code, but it was dropped again in later attacks delivering LODEINFO version 0.7.1.

Attacks delivering LODEINFO version 0.7.1 add a new intermediate stage: a file masquerading as a Privacy-Enhanced Mail (PEM) file is downloaded, after which the backdoor is loaded directly into memory.
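A file that merely wears PEM armour is easy to tell apart from a real certificate or key, because genuine PEM bodies decode to a single DER SEQUENCE whose declared length spans the whole body. The Python below is an added triage example (not code from ITOCHU, and the article gives no detail of the actual file's internal layout); it assumes the disguise is limited to the BEGIN/END armour and base64 encoding, and both sample inputs are constructed here.

```python
import base64
import re
from typing import List, Tuple

# PEM armour: the label in BEGIN must match the label in END; the body is base64, possibly multi-line
PEM_RE = re.compile(rb"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def is_der_sequence(body: bytes) -> bool:
    """True if body is exactly one DER SEQUENCE whose declared length spans the body.

    X.509 certificates, PKCS#8 keys and CSRs all start with a SEQUENCE (tag 0x30)
    whose outer length covers everything that follows; an arbitrary blob dressed
    up in PEM armour almost never satisfies this by accident.
    """
    if len(body) < 2 or body[0] != 0x30:
        return False
    first = body[1]
    if first < 0x80:                       # short form: a single length byte
        length, hdr = first, 2
    else:                                  # long form: 0x80|n, followed by n length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(body) < 2 + n:
            return False
        length, hdr = int.from_bytes(body[2:2 + n], "big"), 2 + n
    return hdr + length == len(body)


def classify_pem(data: bytes) -> List[Tuple[str, str]]:
    """Label each PEM block as 'der', 'opaque' (valid base64 but not DER) or 'bad-base64'."""
    out = []
    for m in PEM_RE.finditer(data):
        label = m.group(1).decode("ascii")
        try:
            body = base64.b64decode(b"".join(m.group(2).split()), validate=True)
        except ValueError:                 # binascii.Error is a ValueError subclass
            out.append((label, "bad-base64"))
            continue
        out.append((label, "der" if is_der_sequence(body) else "opaque"))
    return out


def wrap_pem(label: str, body: bytes) -> bytes:
    """Constructed helper: wrap raw bytes in PEM armour with 64-column base64 lines."""
    b64 = base64.b64encode(body).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("\n".join([f"-----BEGIN {label}-----", *lines, f"-----END {label}-----"]) + "\n").encode()


# Constructed samples: a tiny but well-formed DER SEQUENCE { INTEGER 5 },
# and an arbitrary placeholder blob standing in for a hidden payload.
REAL_DER = wrap_pem("CERTIFICATE", b"\x30\x03\x02\x01\x05")
FAKE_PEM = wrap_pem("CERTIFICATE", b"placeholder payload bytes, not a certificate")

if __name__ == "__main__":
    print(classify_pem(REAL_DER))   # [('CERTIFICATE', 'der')]
    print(classify_pem(FAKE_PEM))   # [('CERTIFICATE', 'opaque')]
```

An 'opaque' verdict on something named like a certificate is a reason to look closer, not proof of malice, and an attacker can defeat this particular check by prefixing a valid DER envelope; it is a cheap first filter for proxy or EDR download logs, nothing more.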

The loader resembles the known fileless loader DOWNIISSA, which relies on a "self-patching" mechanism to conceal its malicious code.

LODEINFO is fileless malware that gives its operators remote access to, and control over, infected hosts. In samples from late 2023 and early 2024 the researchers identified additional commands that make the malware even more capable. The latest version observed is 0.7.3.

ITOCHU stresses that, to counter such threats effectively, organisations need defenses capable of scanning for and detecting malware directly in a device's memory, since the backdoor itself runs only in memory and leaves nothing on disk to scan.
 