Chinese state-sponsored threat actor Stone Panda has been observed using a new stealth infection chain in attacks against Japanese entities.
The targets included media, diplomatic, government and public sector organizations and think tanks in Japan, according to the Kaspersky report.
Stone Panda, also known as APT10, Bronze Riverside, Cicada, and Potassium, is a cyber espionage group known for its intrusions into organizations identified as strategically significant to China. The group is said to have been active since at least 2009.
The latest set of attacks, observed from March to June 2022, involved the use of a bogus Microsoft Word file and a self-extracting archive (SFX) in RAR format, spread via phishing emails, leading to the execution of a backdoor called LODEINFO.
While the maldoc requires users to enable macros to trigger the kill chain, the June 2022 campaign was found to have dropped this method in favor of an SFX file that, when executed, displays a decoy Word document to conceal the malicious activity.
The macro, once activated, drops a ZIP archive containing two files, one of which ("NRTOLF.exe") is a legitimate executable from the K7Security Suite software that is then used to side-load a rogue DLL ("K7SysMn1.dll").
Besides the abuse of the security application, Kaspersky said it also discovered another initial infection method in June 2022, in which a password-protected Microsoft Word file acts as a conduit to deliver a fileless downloader called DOWNIISSA once macros are enabled.
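The abuse of the legitimate K7Security executable to load a rogue DLL described above is the kind of step defenders can catch in image-load telemetry. The following is an added example, not code from the Kaspersky report or from the K7 product, that flags events in which NRTOLF.exe loads K7SysMn1.dll from a directory outside the vendor's installation path; the install directories and the sample events are assumptions constructed for illustration.

```python
"""Flag the NRTOLF.exe / K7SysMn1.dll side-loading pattern in image-load events."""
from pathlib import PureWindowsPath

# File names come from the report; the vendor install paths are assumptions.
LEGIT_HOST = "nrtolf.exe"
SIDELOADED_DLL = "k7sysmn1.dll"
VENDOR_DIRS = (
    PureWindowsPath(r"C:\Program Files\K7 Computing"),
    PureWindowsPath(r"C:\Program Files (x86)\K7 Computing"),
)

# Constructed sample telemetry: one record per image-load event (pid, loading
# process image, loaded module). Not real data.
SAMPLE_EVENTS = [
    # Benign: the product binary loading its own DLL from the install directory.
    {"pid": 4120,
     "image": r"C:\Program Files (x86)\K7 Computing\K7TSecurity\NRTOLF.exe",
     "loaded": r"C:\Program Files (x86)\K7 Computing\K7TSecurity\K7SysMn1.dll"},
    # Suspicious: the same pair unpacked into the user's temp directory.
    {"pid": 5288,
     "image": r"C:\Users\alice\AppData\Local\Temp\NRTOLF.exe",
     "loaded": r"C:\Users\alice\AppData\Local\Temp\K7SysMn1.dll"},
    # Unrelated system DLL load by the same process; must not fire.
    {"pid": 5288,
     "image": r"C:\Users\alice\AppData\Local\Temp\NRTOLF.exe",
     "loaded": r"C:\Windows\System32\kernel32.dll"},
]


def _under(path, roots):
    """Case-insensitive check that path lies beneath one of the root directories."""
    p = str(PureWindowsPath(path)).lower()
    return any(p.startswith(str(r).lower() + "\\") for r in roots)


def is_sideload(event):
    """True when the K7 host binary loads the K7 DLL from outside the vendor path."""
    image = PureWindowsPath(event["image"])
    loaded = PureWindowsPath(event["loaded"])
    if image.name.lower() != LEGIT_HOST or loaded.name.lower() != SIDELOADED_DLL:
        return False
    # Side-loading relies on the DLL sitting next to the host binary in a
    # directory the attacker controls; the vendor directory is excluded.
    same_dir = image.parent == loaded.parent
    return same_dir and not _under(loaded, VENDOR_DIRS)


def find_sideloads(events):
    """Return the pids of processes exhibiting the side-loading pattern."""
    return [e["pid"] for e in events if is_sideload(e)]
```

Running `find_sideloads(SAMPLE_EVENTS)` returns only the temp-directory process; a real deployment would feed it Sysmon Event ID 7 or equivalent EDR image-load records.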
The Russian cybersecurity company said: "The embedded macro will generate the DOWNIISSA shellcode and inject it into the current process (WINWORD.exe).
DOWNIISSA is configured to communicate with a hardcoded remote server, using it to retrieve LODEINFO's encrypted BLOB payload, a backdoor capable of executing arbitrary shellcode, taking screenshots and exfiltrating files back to the server."
The malware, first seen in 2019, has undergone many improvements, with Kaspersky identifying six different versions in March, April, June and September 2022.
Changes include enhanced evasion techniques for flying under the radar, halting execution on machines whose locale is "en_US", modifying the list of supported commands, and expanding support to the Intel 64-bit architecture.
“LODEINFO malware is updated very frequently and continues to actively target Japanese organizations,” the researchers concluded.
"Updated and improved TTPs in LODEINFO and related malware [...] indicate that attackers are particularly focused on making it more difficult for security researchers to detect, analyze, and investigate."