Threat Report: LODEINFO’s Persistent Fileless Attacks

By
Arms Cyber
1/29/2024
Arms Cyber
Read More
Need our help?
Contact us
Like what you're reading?
More Insights

LODEINFO’s shift from Japanese to English filenames hints at an expanding target landscape and possible strategic pivot to the West.

Campaign Across Borders

LODEINFO, a potent fileless malware brought to light by Japanese cybersecurity firm ITOCHU, has emerged as a significant player in the cyber threat landscape, its roots tracing back to Chinese nation-state actor Stone Panda. Also known as APT10, Bronze Riverside, MirrorFace, and Red Apollo, Stone Panda is most widely known for its targeted assaults on Japanese political entities. There are, however, indicators of a tactical shift toward Western targets.

LODEINFO assumes a pivotal role as a backdoor, executing arbitrary shellcode, discreetly capturing screenshots, and surreptitiously exfiltrating files to a server controlled by the threat actor. Campaigns usually begin with meticulously crafted phishing emails which activate VBA macros within malicious Word documents upon interaction. This sets off a sequence leading to the seamless deployment of the LODEINFO implant, exemplifying the meticulous planning and execution of covert cyber operations. The deliberate targeting of Japanese political entities adds an additional layer of complexity to these already sophisticated tactics.

Shape-Shifting Tactics

Responding to dynamic shifts in the digital threat landscape throughout 2023, LODEINFO has undergone a significant evolution, demonstrating a notable increase in sophistication. One key enhancement involves the adoption of remote template injection methods, which allow the malware to fetch and execute malicious macros directly from the adversary’s infrastructure. This maneuver allows LODEINFO to obfuscate its activities by hosting malicious code externally, complicating detection efforts and reinforcing stealth capabilities. Furthermore, the introduction of language-setting checks in June 2023 showcases the malware’s adaptability and targeted approach. These nuanced tactics showcase LODEINFO’s strategic acumen and ability to tailor operations to specific contexts.

Version 0.7.1: Language Adaptation

The unveiling of LODEINFO’s version 0.7.1 marked a pivotal moment in its evolutionary trajectory, signifying a substantial leap in capabilities and tactics. Notably, a shift in the filename of malicious documents from Japanese to English hints at a potential expansion of LODEINFO’s target landscape, suggesting a strategic pivot to a more diverse set of targets beyond its initial focus. In addition to the linguistic shift, version 0.7.1 introduces a notable tactical innovation involving an intermediate stage in the infection process. During this phase, a downloader component is deployed to fetch a file disguised as a Privacy-Enhanced Mail (PEM) from a command-and-control (C2) server. This file, once obtained, is directly loaded into the victim system’s memory. By introducing this intermediary step, the malware enhances its ability to avoid detection and prolonged exposure to security measures.

Version 0.7.3: Ongoing Threat

In its most recent iteration, version 0.7.3, LODEINFO has taken a significant leap, providing attackers with advanced capabilities to remotely access and manipulate compromised systems. This heightened level of sophistication empowers threat actors to operate discreetly from a remote vantage point, expanding the potential impact of cyber intrusions. The malware’s evolved features in this version underscore the ongoing challenges faced by defenders in countering its fileless tactics, necessitating a proactive and adaptive approach to cybersecurity.

Staying Ahead on the Digital Chessboard

LODEINFO’s narrative serves as a compelling reminder — vigilance is not merely an option; it is an imperative. Crucial to a resilient defense posture are regular employee training programs, ongoing monitoring, and the exchange of threat intelligence. Adaptive strategies such as Moving Target Defense (MTD) and deception techniques are also essential. To survive, defenders must strategically outmaneuver adversaries, embracing a stance as unyielding as the threats they confront.

How Arms Cyber Can Help

Ransomware attacks present a significant threat due to their ability to evade traditional defenses. At Arms Cyber, we offer an innovative Endpoint Protection Platform (EPP) designed to tackle this challenge head-on. Our solution employs proactive measures such as runtime Moving Target Defenses (MTD), deception techniques, command and behavior analysis, and anti-detonation defenses to reliably detect and prevent ransomware attacks while minimizing false positives. By preventing the disablement of NGAV and EDR solutions and thwarting in-memory manipulation of modern malware, organizations can trust in the effectiveness of their cybersecurity investments without worrying about attacker evasion.