It targets a variety of high-privileged organizations for cyberespionage, including Japanese media outlets, diplomatic organizations, government agencies, public-sector bodies, and think tanks.
Security analysts have followed APT10's illicit operations and activities in Japan since 2019, while there is evidence that this group of threat actors has been active on the internet since at least 2009.
To evade detection, the threat actors continuously evolve both the techniques they use to spread infection and their custom backdoor, “LODEINFO”.
Evolution of LODEINFO
The malware's authors released six new versions of LODEINFO in 2022. The most recent, v0.6.7, was released in September 2022 with several updated features and enhanced TTPs.
APT10 released LODEINFO v0.5.6 at the end of 2021, adding multiple encryption layers for the C2 communication. The group achieved this by using a Vigenere cipher key together with randomly generated junk data.
According to the Securelist report, the LODEINFO backdoor supports 21 commands in version v0.5.6, and they are obfuscated using XOR. In addition, v0.5.9 introduced a new hash calculation algorithm for the API function names.
Version 0.6.2 reportedly added support for 64-bit platforms. In version 0.6.3, released in June 2022, the authors removed ten unnecessary commands for better efficiency.
Security Software Exploitation
In March 2022, Kaspersky discovered that APT10 attacks in Japan had begun to use a new infection vector.
They mainly used the following attack vectors:
- Spear-phishing email
- Self-extracting (SFX) RAR file
- Exploitation of a DLL side-loading flaw in security software
The RAR archive contains a malicious DLL called K7SysMn1.dll, along with the legitimate NRTOLD.exe executable that is part of the K7Security Suite software. When it runs, NRTOLD.exe attempts to load K7SysMn1.dll, and the malicious file masquerades as the legitimate version.
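A detection sketch for the side-loading step described above, added here as an example and not taken from the article or the Securelist report. It evaluates Sysmon image-load (Event ID 7) records for the NRTOLD.exe / K7SysMn1.dll pair; the trusted install directories and the sample events are assumptions constructed for illustration.

```python
from ntpath import basename, dirname, normcase

# Host executable / DLL pair named in the article (compared case-insensitively).
HOST_EXE, SIDELOADED_DLL = "nrtold.exe", "k7sysmn1.dll"

# ASSUMPTION: where the security suite is legitimately installed.
# Replace with the real path(s) from your own software inventory.
TRUSTED_DIRS = (r"c:\program files\k7 computing",
                r"c:\program files (x86)\k7 computing")

def in_trusted_dir(path):
    folder = normcase(dirname(path))
    return any(folder == t or folder.startswith(t + "\\") for t in TRUSTED_DIRS)

def assess_image_load(event):
    """Return the reasons a Sysmon image-load event looks like side-loading."""
    image, loaded = event["Image"], event["ImageLoaded"]
    if (normcase(basename(image)) != HOST_EXE
            or normcase(basename(loaded)) != SIDELOADED_DLL):
        return []  # not the executable/DLL pair we are hunting for
    reasons = []
    if not in_trusted_dir(image):
        reasons.append("host executable runs outside its install directory")
    if not in_trusted_dir(loaded):
        reasons.append("DLL loaded from an untrusted directory")
    if (event.get("Signed", "false").lower() != "true"
            or event.get("SignatureStatus") != "Valid"):
        reasons.append("DLL has no valid signature")
    return reasons

def scan(events):
    """Return (Image, reasons) for every event with at least one finding."""
    return [(e["Image"], r) for e in events if (r := assess_image_load(e))]

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files (x86)\K7 Computing\K7TSecurity\NRTOLD.exe",
     "ImageLoaded": r"C:\Program Files (x86)\K7 Computing\K7TSecurity\K7SysMn1.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": r"C:\Users\user\AppData\Local\Temp\RarSFX0\NRTOLD.exe",
     "ImageLoaded": r"C:\Users\user\AppData\Local\Temp\RarSFX0\K7SysMn1.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
]

if __name__ == "__main__":
    for image, reasons in scan(SAMPLE_EVENTS):
        print(image, "->", "; ".join(reasons))
```

The same three conditions (unexpected directory for the signed host executable, DLL outside the install path, missing or invalid signature) translate directly into a SIEM or EDR rule over image-load telemetry.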
LODEINFO v0.6.3 Commands
The commands used by LODEINFO v0.6.3 are listed below:
- command: Show embedded backdoor command list.
- send: Download a file from C2.
- recv: Upload a file to C2.
- memory: Inject the shellcode in memory. This command has been updated to support the 64-bit shellcode in v0.6.2 and later versions.
- kill: Kill a process using process ID.
- cd: Change directory.
- ver: Send malware and system information including current OS version, malware version, process ID, EXE file path, system username, current directory, C2 and Mutex name.
- print: Make a screenshot.
- ransom: Encrypt files by a generated AES key, which is also encrypted with RSA using the hardcoded RSA key.
- comc: Execute command using WMI.
- config: Just shows a “Not available.” message from v0.5.6 until v0.6.5.
- ls: Get a file list.
- rm: Delete a file.
- mv: Move a file.
- cp: Copy a file.
- cat: Upload a file to C2.
- mkdir: Make a directory.
- keylog: Check for Japanese keyboard layout. Save keystrokes, datetime and active window name. Uses 1-byte XOR encryption and a file %temp%%hostname%.tmp.
- ps: Show process list.
- pkill: Terminate a process.
- autorun: Set/delete persistence.
Stealthy infection chains, constant evolution, and target expansion are key characteristics of APT10's operations against Japanese organizations.
This rapid and constant evolution makes the malware more complex to analyze and difficult to detect.