Tuesday, November 1, 2022

Chinese Hackers Using New Stealthy Infection Chain to Deploy LODEINFO Malware


The Chinese state-sponsored threat actor known as Stone Panda has been observed employing a new stealthy infection chain in its attacks aimed at Japanese entities.

Targets include media, diplomatic, governmental and public sector organizations and think-tanks in Japan, according to twin reports published by Kaspersky.

Stone Panda, also called APT10, Bronze Riverside, Cicada, and Potassium, is a cyber espionage group known for its intrusions against organizations identified as strategically significant to China. The threat actor is believed to have been active since at least 2009.

The latest set of attacks, observed between March and June 2022, involves the use of a bogus Microsoft Word file and a self-extracting archive (SFX) file in RAR format propagated via spear-phishing emails, leading to the execution of a backdoor called LODEINFO.

While the maldoc requires users to enable macros to activate the kill chain, the June 2022 campaign was found to drop this method in favor of an SFX file that, when executed, displays a harmless decoy Word document to conceal the malicious activity.

The macro, once enabled, drops a ZIP archive containing two files, one of which ("NRTOLF.exe") is a legitimate executable from the K7Security Suite software that is subsequently used to load a rogue DLL ("K7SysMn1.dll") via DLL side-loading. Because the loader is a genuine signed security product binary, the malicious code runs under a trusted process image and is less likely to be blocked on reputation alone.

The abuse of the security software aside, Kaspersky said it also discovered in June 2022 another initial infection method whereby a password-protected Microsoft Word file acted as a conduit to deliver a fileless downloader dubbed DOWNIISSA upon enabling macros.

"The embedded macro generates the DOWNIISSA shellcode and injects it into the current process (WINWORD.exe)," the Russian cybersecurity company said.

DOWNIISSA is configured to communicate with a hard-coded remote server, using it to retrieve an encrypted BLOB payload of LODEINFO, a backdoor capable of executing arbitrary shellcode, taking screenshots, and exfiltrating files back to the server.
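The two behaviours described above, a trusted executable side-loading a DLL from its own directory and a Word process reaching out to a hard-coded server after a macro runs, are both visible in ordinary endpoint telemetry. The following is an added example written for this article, not code from Kaspersky or from the campaign: it runs two simple heuristics over constructed events loosely shaped like Sysmon image-load (ID 7) and network-connection (ID 3) records. Every path, signer string, host and address in it is invented for illustration, and the allowlist of Office destinations is an assumption that would have to be built from a real baseline.

```python
"""Triage constructed endpoint telemetry for two behaviours described in the
article: DLL side-loading next to a legitimate signed executable, and an
Office process that makes its own outbound connection after a macro runs.

Everything here is an added example: the event shapes are loosely modelled
on Sysmon image-load (ID 7) and network-connect (ID 3) records, and every
sample event, path and signer string below is constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import List


@dataclass(frozen=True)
class ImageLoad:
    image: str            # full path of the process executable
    image_signed: bool
    image_signer: str
    loaded: str           # full path of the DLL that was mapped
    loaded_signed: bool
    loaded_signer: str


@dataclass(frozen=True)
class NetConn:
    image: str            # full path of the process executable
    dest_host: str        # resolved hostname, or an IP literal if unresolved
    dest_port: int


# Loading a DLL from these directories is normal and excluded from the heuristic.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Office processes that should not normally talk to arbitrary hosts.
OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe"}

# Destination suffixes treated as expected Office traffic. Constructed for the
# example (assumption); an operational allowlist must come from your own baseline.
OFFICE_ALLOW_SUFFIXES = ("office.com", "office.net", "microsoft.com", "live.com")


def _same_dir(a: str, b: str) -> bool:
    return str(PureWindowsPath(a).parent).lower() == str(PureWindowsPath(b).parent).lower()


def is_side_load(ev: ImageLoad) -> bool:
    """A signed executable maps a DLL from its own (non-system) directory and
    that DLL is unsigned or signed by a different publisher."""
    dll = PureWindowsPath(ev.loaded)
    if dll.suffix.lower() != ".dll" or not ev.image_signed:
        return False
    if not _same_dir(ev.image, ev.loaded) or str(dll.parent).lower() in SYSTEM_DIRS:
        return False
    if not ev.loaded_signed:
        return True
    return ev.loaded_signer.lower() != ev.image_signer.lower()


def is_suspicious_office_conn(ev: NetConn) -> bool:
    """An Office process connects to an IP literal or to a host outside the
    expected-destination allowlist."""
    if PureWindowsPath(ev.image).name.lower() not in OFFICE_IMAGES:
        return False
    host = ev.dest_host.lower().rstrip(".")
    try:
        ipaddress.ip_address(host)
        return True           # hard-coded IP literal, no DNS name at all
    except ValueError:
        pass
    return not any(host == s or host.endswith("." + s) for s in OFFICE_ALLOW_SUFFIXES)


def flag_side_loads(events: List[ImageLoad]) -> List[ImageLoad]:
    return [e for e in events if is_side_load(e)]


def flag_office_conns(events: List[NetConn]) -> List[NetConn]:
    return [e for e in events if is_suspicious_office_conn(e)]


# Constructed sample telemetry (not real campaign data).
TMP = r"C:\Users\alice\AppData\Local\Temp"
SAMPLE_LOADS = [
    # Security-suite executable dropped to %TEMP% next to an unsigned DLL: flagged.
    ImageLoad(TMP + r"\NRTOLF.exe", True, "K7 Computing", TMP + r"\K7SysMn1.dll", False, ""),
    # Same pair from its proper install directory, both signed by the vendor: clean.
    ImageLoad(r"C:\Program Files\K7 Security\NRTOLF.exe", True, "K7 Computing",
              r"C:\Program Files\K7 Security\K7SysMn1.dll", True, "K7 Computing"),
    # System DLL loaded from System32: clean.
    ImageLoad(r"C:\Windows\explorer.exe", True, "Microsoft Windows",
              r"C:\Windows\System32\shell32.dll", True, "Microsoft Windows"),
    # Bundled runtime signed by a different publisher: flagged for triage (expected noise).
    ImageLoad(r"C:\Program Files\Acme\acme.exe", True, "Acme Corp",
              r"C:\Program Files\Acme\vcruntime140.dll", True, "Microsoft Corporation"),
]
SAMPLE_CONNS = [
    NetConn(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", "203.0.113.10", 443),
    NetConn(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", "officeclient.microsoft.com", 443),
    NetConn(r"C:\Windows\System32\svchost.exe", "203.0.113.10", 443),
]

if __name__ == "__main__":
    for e in flag_side_loads(SAMPLE_LOADS):
        print("side-load?", e.image, "->", e.loaded)
    for c in flag_office_conns(SAMPLE_CONNS):
        print("office egress?", c.image, "->", c.dest_host, c.dest_port)
```

The signer-mismatch branch is deliberately noisy (the fourth sample load is a legitimate bundled runtime and is still flagged) because the interesting case, a security vendor's executable sitting in a temp or user-writable directory next to a DLL the vendor did not sign, is exactly the pattern the article describes; treat hits as triage candidates and suppress known-good pairs by path, not by name alone.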


The malware, first seen in 2019, has undergone numerous improvements, with Kaspersky identifying six different versions in March, April, June, and September 2022.

The changes include enhanced evasion techniques to fly under the radar, halting execution on machines with the locale "en_US," revising the list of supported commands, and extending support to the Intel 64-bit architecture. The locale check is a targeting filter as much as an evasion measure: it keeps the backdoor dormant on English-language systems, including the analysis sandboxes most researchers run, while the intended Japanese victims are unaffected.

"LODEINFO malware is updated very frequently and continues to actively target Japanese organizations," the researchers concluded.

"The updated TTPs and improvements in LODEINFO and related malware [...] indicate that the attacker is particularly focused on making detection, analysis and investigation harder for security researchers."
