Stone Panda APT deploys the LODEINFO malware against Japan

November 8, 2022
Tags: Stone Panda, Threat Group, APT, LODEINFO, Malware, Japan, Chinese Hackers, Spear-Phishing

Japanese organisations, including media and government, have recently been targeted by a China-backed APT group known as Stone Panda that employed a new stealthy infection chain against its targets.

Stone Panda, which also goes by APT10, Cicada, Potassium, and Bronze Riverside, is a China-backed state group that has been active since at least 2009. Several malware strains have been linked to the group, such as SigLoader and SodaMaster, which it uses in many of its campaigns.

Since 2021, Stone Panda APT has been targeting Japanese domestic organisations using a web shell called ‘Jackpot.’ More recently, researchers have found a set of attacks from the group between March and June this year that aimed to deploy the LODEINFO malware.

Stone Panda APT uses a malicious MS Word file and a self-extracting (SFX) archive, both delivered as attachments to spear-phishing emails, to propagate the LODEINFO malware.

With the SFX file, the attackers display a harmless-looking decoy Word document to the victim while the infection chain runs in the background. In the Word-file variant, once the macro is enabled it drops a ZIP archive containing two files that advance the attack: “NRTOLF[.]exe,” a legitimate executable, and a DLL called “K7SysMn1[.]dll” that the executable loads from its own directory. Because the legitimate, trusted binary is what loads the attacker-supplied DLL, this is a classic DLL side-loading technique: the process name and signature look benign, and the malicious code runs inside it.
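A detection-side illustration of the side-loading described above, added here as an example and not taken from the original article or from the researchers who analysed the campaign. It scans image-load telemetry in the style of Sysmon Event ID 7 (ImageLoaded) and flags two patterns: a DLL whose name is known to be side-loaded (here K7SysMn1.dll, the name reported in the article) loaded from outside a trusted install path, and an unsigned DLL loaded from the host binary's own directory when that directory is user-writable. The sample log lines, the user name, the "SecuritySuite" install folder and the pipe-delimited flattening of the event fields are all constructed for this example; the rules generalise beyond this one campaign to any signed host binary dropped next to a look-alike DLL.

```python
import ntpath
from typing import Dict, List

# Constructed sample of Sysmon Event ID 7 (ImageLoaded) records, flattened to
# one "key=value|key=value" line per event for this example. The user name,
# timestamps and the "SecuritySuite" install folder are made up; NRTOLF.exe and
# K7SysMn1.dll are the file names the article reports.
SAMPLE_EVENTS = """\
UtcTime=2022-06-14 02:11:07.123|Image=C:\\Users\\taro\\AppData\\Local\\Temp\\NRTOLF.exe|ImageLoaded=C:\\Users\\taro\\AppData\\Local\\Temp\\K7SysMn1.dll|Signed=false|Signature=
UtcTime=2022-06-14 02:11:07.130|Image=C:\\Users\\taro\\AppData\\Local\\Temp\\NRTOLF.exe|ImageLoaded=C:\\Windows\\System32\\kernel32.dll|Signed=true|Signature=Microsoft Windows
UtcTime=2022-06-14 02:12:55.001|Image=C:\\Program Files\\SecuritySuite\\NRTOLF.exe|ImageLoaded=C:\\Program Files\\SecuritySuite\\K7SysMn1.dll|Signed=true|Signature=SecuritySuite Vendor
UtcTime=2022-06-14 02:13:10.400|Image=C:\\Windows\\System32\\svchost.exe|ImageLoaded=C:\\Windows\\System32\\ntdll.dll|Signed=true|Signature=Microsoft Windows
"""

# Directories where a legitimately installed binary and its DLLs are expected.
# Anything loaded from elsewhere (Temp, Downloads, AppData, ProgramData, ...)
# is treated as user-writable and therefore suspicious for this check.
TRUSTED_PREFIXES = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")

# DLL names reported as side-loaded; extend this set from threat intelligence.
KNOWN_SIDELOADED_DLLS = {"k7sysmn1.dll"}


def parse_event(line: str) -> Dict[str, str]:
    """Turn one flattened 'key=value|key=value' event line into a dict."""
    fields: Dict[str, str] = {}
    for part in line.strip().split("|"):
        key, _, value = part.partition("=")
        fields[key] = value
    return fields


def in_trusted_dir(path: str) -> bool:
    """True when the path sits under one of the expected install locations."""
    return path.lower().startswith(TRUSTED_PREFIXES)


def classify(ev: Dict[str, str]) -> List[str]:
    """Return the list of reasons an image-load event looks like side-loading."""
    reasons: List[str] = []
    host = ev.get("Image", "")
    dll = ev.get("ImageLoaded", "")
    dll_name = ntpath.basename(dll).lower()
    same_dir = ntpath.dirname(host).lower() == ntpath.dirname(dll).lower()
    signed = ev.get("Signed", "").lower() == "true"

    # Rule 1: a DLL name known to be abused, loaded from outside a trusted path.
    if dll_name in KNOWN_SIDELOADED_DLLS and not in_trusted_dir(dll):
        reasons.append("known side-loaded DLL name outside a trusted install path")

    # Rule 2: host binary runs from a user-writable directory and loads an
    # unsigned DLL that sits right next to it (the side-loading layout itself).
    if same_dir and not in_trusted_dir(host) and not signed:
        reasons.append("unsigned DLL loaded from the host binary's own untrusted directory")
    return reasons


def find_sideloading(log_text: str) -> List[Dict[str, object]]:
    """Scan flattened ImageLoaded events and collect the suspicious ones."""
    findings: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        reasons = classify(ev)
        if reasons:
            findings.append({
                "time": ev.get("UtcTime", ""),
                "host": ev.get("Image", ""),
                "dll": ev.get("ImageLoaded", ""),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in find_sideloading(SAMPLE_EVENTS):
        print(f"{f['time']}  {f['host']} -> {f['dll']}")
        for r in f["reasons"]:
            print("    -", r)
```

On the sample above only the first event is flagged, with both reasons. The third event, where the same executable and DLL names live under Program Files and the DLL carries a valid signature, is deliberately left alone: the point of the two rules is that the file names alone are not the indicator, the location and the missing signature are.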

Another initial infection method was also seen from Stone Panda APT, in which a password-protected MS Word file delivered a fileless downloader called “DOWNIISSA” once its macros were enabled. The password, supplied in the phishing email, keeps the document encrypted until the victim opens it, which also keeps the macro out of reach of automated scanners.

The DOWNIISSA fileless downloader communicates with the threat group’s C2 server and retrieves an encrypted BLOB containing the LODEINFO payload, which is decrypted and run in memory rather than written to disk. LODEINFO is a backdoor that, once running on a victim’s computer, can execute arbitrary shellcode, take screenshots, and collect files and exfiltrate them to the C2 server.

LODEINFO was first spotted in 2019, and about six new versions were found between March and September this year. The improvements include stronger evasion and anti-analysis techniques, a locale check that halts execution on systems configured for en_US (so that the malware avoids infecting machines in the US), a revised list of commands supported by the operators, and a new build for the Intel 64-bit architecture.

Currently, the malware is mostly deployed by its operators against organisations in Japan.
