LODEINFO Fileless malware evolves with anti-analysis and remote code tricks

LODEINFO Fileless Malware

Cybersecurity researchers have discovered an updated version of a backdoor called LODEINFO that is spread via spearphishing attacks.

The findings come from Japanese company ITOCHU Cyber & Intelligence, which said the malware “has been updated with new features, as well as changes to the anti-analysis techniques (analysis avoidance).”

LODEINFO (versions 0.6.6 and 0.6.7) was first documented by Kaspersky in November 2022, describing its capabilities to execute arbitrary shellcode, take screenshots, and exfiltrate files back to an actor-controlled server.

A month later, ESET announced attacks targeting Japanese political institutions that led to the deployment of LODEINFO.

The backdoor is the work of a Chinese nation-state actor known as Stone Panda (also known as APT10, Bronze Riverside, Cicada, Earth Tengshe, MirrorFace, and Potassium), which has a history of orchestrating attacks on Japan as of 2021.

Attack chains start with phishing emails containing malicious Microsoft Word documents that, when opened, run VBA macros to launch the downloader shellcode that can ultimately run the LODEINFO implant.


LODEINFO infection chains observed in 2023 have also been seen using remote template injection, in which malicious macros hosted on adversary infrastructure are retrieved and executed whenever the victim opens a Word document that references the template.

Additionally, checks were added around June 2023 to verify whether the Microsoft Office language settings are Japanese, only to be removed a month later in attacks using LODEINFO version 0.7.1.


“In addition, the filename of the maldoc itself has been changed from Japanese to English,” ITOCHU noted. “From this, we believe that v0.7.1 was likely used to attack environments in languages other than Japanese.”

Another notable change in the attacks that yield LODEINFO version 0.7.1 is the introduction of a new intermediate phase in which the shellcode downloader retrieves a file masquerading as a Privacy-Enhanced Mail (PEM) file from a C2 server, which in turn loads the backdoor directly into memory.

The downloader shares similarities with a well-known fileless downloader called DOWNIISSA, based on the self-patching mechanism used to hide malicious code, the encryption method for command-and-control (C2) server information, and the structure of the data decoded from the fake PEM file.

“LODEINFO backdoor shellcode is a fileless malware that allows attackers to remotely access and control infected hosts,” the company said, with samples found in 2023 and 2024 carrying additional commands. The latest version of LODEINFO is 0.7.3.

“As a countermeasure, since both LODEINFO’s downloader shellcode and backdoor shellcode are fileless malware, it is essential to introduce a product that can scan and detect malware in memory to detect it,” it added.
