LODEINFO is a backdoor malware that is distributed through spear-phishing attacks [3]. It has recently undergone updates and enhancements, as reported by cybersecurity researchers at ITOCHU Cyber & Intelligence. This article provides a detailed description of LODEINFO [1] [2] [3], including its capabilities, attack methods, and attribution.
Description
LODEINFO, initially documented by Kaspersky in November 2022 [1] [2], is known for its ability to execute arbitrary shellcode [1], capture screenshots [1] [2] [3], and exfiltrate files to a server controlled by the attacker [1]. It has been used in targeted attacks against Japanese political establishments, with Stone Panda [3], a Chinese nation-state actor [3], being attributed as the perpetrator. The attack chain typically begins with phishing emails containing malicious Word documents that execute VBA macros to launch downloader shellcode [3]. In 2023, LODEINFO infections have also utilized remote template injection methods [3].
Notably, LODEINFO checks the language settings of Microsoft Office to determine if the targeted system is Japanese. In version 0.7.1 [2] [3], a new intermediate stage was introduced [2], where a shellcode downloader retrieves a file disguised as a Privacy-Enhanced Mail (PEM) from a command-and-control (C2) server. This file is then loaded into memory, serving as the backdoor [2]. The most recent version of LODEINFO is 0.7.3 [3].
To effectively detect LODEINFO, it is crucial to implement a robust malware scanning and detection solution capable of identifying malware in memory.
Conclusion
LODEINFO poses a significant threat due to its advanced features and the targeted nature of its attacks. The enhancements and updates observed in recent versions indicate the continuous development and adaptation of this malware. Organizations and individuals should remain vigilant against spear-phishing attacks and ensure the implementation of comprehensive security measures, including up-to-date malware detection solutions.
As the threat landscape evolves, it is essential for cybersecurity professionals to stay informed about emerging malware variants like LODEINFO. Ongoing research and collaboration within the cybersecurity community are crucial for developing effective mitigations and countermeasures against such threats.
References
[1] https://vulners.com/thn/THN:5D5F1B5EBFB64E28BA947D819DBF3BAA
[2] https://owasp.or.id/2024/01/25/lodeinfo-fileless-malware-evolves-with-anti-analysis-and-remote-code-tricks/
[3] https://thehackernews.com/2024/01/lodeinfo-fileless-malware-evolves-with.html