Where data is home

Evolution of LODEINFO: APT10’s Stealthy Backdoor Exploitation


This article examines the evolution of LODEINFO, a custom backdoor utilized by the Chinese Advanced Persistent Threat (APT) group APT10. LODEINFO has undergone multiple updates and enhancements, with six new versions released in 2022 alone. The most recent version, v0.6.7, was made available in September. Noteworthy modifications to the malware include the inclusion of encryption layers for command and control (C2) communication, the adoption of a new hash calculation algorithm for API function names, and support for 64-bit platforms. APT10 has been active since at least 2009, primarily targeting high-privileged Japanese organizations for cyberespionage. Their operations employ various attack vectors, such as spear-phishing emails, self-extracting RAR files, and the exploitation of DLL side-loading vulnerabilities in security software. The intricate nature of LODEINFO poses challenges in terms of analysis and detection, thereby contributing to the covert nature of APT10’s activities.

Key Takeaways

  • APT10, a Chinese APT group, has been actively using LODEINFO malware as its custom backdoor since at least 2009.
  • LODEINFO has evolved over time, with six new versions released in 2022. The latest version, v0.6.7, was released in September 2022.
  • APT10 employs various attack vectors, including spear-phishing emails, self-extracting RAR files, and DLL side-loading vulnerabilities in security software.
  • APT10’s operations primarily target Japanese organizations, including media outlets, diplomatic organizations, government agencies, public sectors, and think tanks. Their constant evolution and the complexity of LODEINFO make it challenging to analyze and detect their activities.

Timeline of LODEINFO Evolution

The timeline of LODEINFO’s evolution shows that six new versions of the malware were released in 2022, with v0.6.7 being the latest release in September 2022. This indicates continuous development and refinement of the malware by APT10. Version v0.5.6 had already been released in 2021, further underlining the ongoing evolution of LODEINFO. The frequent updates and the new features added in each version present significant challenges for analysis and detection: every release can change the C2 encryption, the API-name hashing, or the supported platforms, so signatures and analysis tooling built against one version may not carry over to the next. APT10’s ability to keep improving the malware’s functionality and sophistication makes it difficult for security professionals to keep up with its capabilities, and the complexity of LODEINFO itself makes detection harder still, making it a formidable threat in the cybersecurity landscape.

Security Software Vulnerabilities

Security software vulnerabilities have been exploited by APT10 to spread malware and gain unauthorized access to targeted systems. APT10 has leveraged these vulnerabilities as part of its stealthy infection chains. One specific vulnerability exploited by APT10 is a DLL side-loading flaw in security software. By including a malicious DLL, such as K7SysMn1.dll, in a RAR archive, APT10 tricks the system into loading the malicious code when the legitimate executable is run. This allows them to establish a backdoor and execute various commands through the LODEINFO malware. To mitigate security software exploits, organizations should regularly update their security software to ensure it is patched against known vulnerabilities. Additionally, implementing strict security measures, such as network segmentation and monitoring for suspicious activities, can help detect and prevent APT10’s infiltration attempts.

Security Software Vulnerabilities    Mitigating Security Software Exploits
DLL side-loading flaw                Regularly update security software
Malicious DLL inclusion              Implement network segmentation
Exploitation of RAR files            Monitor for suspicious activities
Spear-phishing emails                Conduct thorough security assessments
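The side-loading chain described above (a malicious K7SysMn1.dll dropped next to the legitimate NRTOLD.exe via a RAR archive) is one of the "suspicious activities" the mitigation table asks defenders to monitor for. The following is an added example, not code from the article or from any vendor, of a detection heuristic run over image-load records: it flags the watched executable/DLL pair when the DLL is loaded from outside the product's expected install directories or is unsigned. The key=value record format, the sample events and the trusted directory list are constructed assumptions for the example.

```python
import ntpath
import re

# Constructed sample of image-load records in a simplified key=value line format
# (an assumption for this example; Sysmon Event ID 7 carries the same field names).
SAMPLE_EVENTS = """\
Image=C:\\Program Files\\ExampleAV\\NRTOLD.exe ImageLoaded=C:\\Program Files\\ExampleAV\\K7SysMn1.dll Signed=true
Image=C:\\Users\\alice\\AppData\\Local\\Temp\\extracted\\NRTOLD.exe ImageLoaded=C:\\Users\\alice\\AppData\\Local\\Temp\\extracted\\K7SysMn1.dll Signed=false
Image=C:\\Windows\\System32\\svchost.exe ImageLoaded=C:\\Windows\\System32\\ntdll.dll Signed=true
Image=C:\\Users\\alice\\Downloads\\report\\NRTOLD.exe ImageLoaded=C:\\Users\\alice\\Downloads\\report\\K7SysMn1.dll Signed=true
"""

# Host executable / DLL pairs named in the article as the side-loading combination.
WATCHED_PAIRS = {("nrtold.exe", "k7sysmn1.dll")}
# Directories where a legitimately installed copy would be expected (assumption).
TRUSTED_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")

FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_event(line):
    """Split one 'Key=Value Key=Value' record into a dict; values may contain spaces."""
    return dict(FIELD_RE.findall(line.strip()))


def assess_event(event):
    """Return a list of findings for one load event; an empty list means nothing to flag."""
    image = event.get("Image", "")
    dll = event.get("ImageLoaded", "")
    pair = (ntpath.basename(image).lower(), ntpath.basename(dll).lower())
    if pair not in WATCHED_PAIRS:
        return []
    findings = []
    # A watched DLL loaded from a user-writable location (e.g. where an archive was
    # extracted) rather than the product's install directory is the side-loading pattern.
    if not dll.lower().startswith(TRUSTED_DIRS):
        findings.append("DLL loaded from outside trusted install directories: " + ntpath.dirname(dll))
    if event.get("Signed", "false").lower() != "true":
        findings.append("loaded DLL is not signed")
    return findings


def scan(log_text):
    """Run the heuristic over every record; returns (host exe, dll path, findings) tuples."""
    alerts = []
    for line in log_text.splitlines():
        event = parse_event(line)
        findings = assess_event(event)
        if findings:
            alerts.append((event["Image"], event["ImageLoaded"], findings))
    return alerts
```

Calling `scan(SAMPLE_EVENTS)` flags the two copies loaded from the Temp and Downloads folders and leaves the Program Files install and the unrelated svchost.exe load alone.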

Characteristics of APT10’s Operations

One significant aspect of APT10’s operations is its continuous evolution and expansion of targets, which necessitates ongoing efforts to detect and mitigate their activities.

  • Stealthy Techniques: APT10 employs sophisticated and stealthy techniques to infiltrate and maintain access to its targets. These techniques include DLL side-loading, spear-phishing emails, and the use of self-extracting RAR files. By utilizing these methods, APT10 can evade detection and operate covertly within the targeted systems.

  • Target Selection: APT10 specifically targets Japanese organizations, including media outlets, diplomatic organizations, government agencies, public sectors, and think tanks. Their focus on high-privileged organizations indicates a strategic interest in obtaining sensitive information for cyberespionage purposes. By continuously evolving their techniques and expanding their target selection, APT10 demonstrates a commitment to adapt to changing circumstances and maximize their effectiveness in carrying out their malicious activities.

Frequently Asked Questions

How does APT10 initially gain access to its targets in order to deploy LODEINFO?

APT10 gains initial access to its targets in its cyber espionage campaigns through techniques such as spear-phishing emails, which serve as an attack vector. Social engineering plays a crucial role in APT10’s initial access strategy.

What are some of the specific targets that APT10 has focused on in Japan?

Specific targets of APT10 in Japan include high-privileged organizations such as Japanese media outlets, diplomatic organizations, government agencies, public sectors, and think tanks. APT10 uses attack vectors such as spear-phishing emails and a DLL side-loading flaw in security software.

How does APT10 distribute the LODEINFO malware to its targets?

APT10 distributes the LODEINFO malware through spear-phishing emails, self-extracting RAR files, and the exploitation of DLL side-loading flaws in security software. These tactics are employed to deliver the malware to its targets, primarily Japanese organizations.

Can you provide more information on the DLL side-loading flaw that APT10 exploits in security software?

APT10 exploits a DLL side-loading flaw in security software to distribute the LODEINFO backdoor. The flaw allows them to include a malicious DLL, such as K7SysMn1.dll, in a RAR archive, which is then loaded by the NRTOLD.exe executable, enabling stealthy backdoor exploitation.

What are some of the key features or capabilities of the LODEINFO backdoor?

LODEINFO, the custom backdoor used by APT10, incorporates advanced evasion techniques to hinder analysis and detection. It utilizes encryption and obfuscation in its code to enhance stealth and protect communication with the command-and-control server.
