Stone Panda, the China-linked state-sponsored threat actor, has been observed using a new stealthy infection chain in its attacks against Japanese targets. According to two reports released by Kaspersky, the targets in Japan include think tanks, media organizations, and diplomatic, governmental, and public sector institutions.
The cyber espionage group known as Stone Panda, also tracked as APT10, Bronze Riverside, Cicada, and Potassium, is well known for intrusion campaigns against organizations deemed strategically important to China. The threat actor is believed to have been active since at least 2009. The most recent attacks, observed between March and June 2022, use a decoy Microsoft Word document and a self-extracting archive (SFX) file in RAR format, delivered via spear-phishing emails, to activate a backdoor known as LODEINFO.
While the June 2022 campaign abandoned this approach in favor of an SFX file that, when launched, displays an innocuous decoy Word document to hide the malicious activity, it still requires victims to enable macros to trigger the kill chain. Once enabled, the macro drops a ZIP archive containing two files, one of which (NRTOLF.exe) is a legitimate executable from the K7Security Suite product that is then abused to load a malicious DLL (K7SysMn1.dll) through DLL side-loading.
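As an added illustration (not code from Kaspersky's report or this article), the following Python heuristic turns the side-loading pairing described above into a detection check: it scans image-load records and flags cases where NRTOLF.exe loads K7SysMn1.dll from its own directory while the executable runs outside the vendor's install directory or the DLL is unsigned. The vendor install paths, the record format, and the sample events are assumptions constructed for the example.

```python
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Pairing reported in the article: legitimate K7Security executable -> malicious DLL
# named after a K7 module and dropped beside it.
SIDELOAD_PAIRS = {"nrtolf.exe": {"k7sysmn1.dll"}}

# Assumed install directories for the vendor product; loads from anywhere else are suspicious.
TRUSTED_DIRS = ("c:\\program files\\k7 computing", "c:\\program files (x86)\\k7 computing")


@dataclass(frozen=True)
class ImageLoad:
    process_path: str   # full path of the process that loaded the image
    image_path: str     # full path of the DLL that was loaded
    image_signed: bool  # whether the DLL carries a valid Authenticode signature


@dataclass(frozen=True)
class Finding:
    process_path: str
    image_path: str
    reason: str


def flag_sideload(events):
    """Return a Finding for every event matching the side-loading pattern."""
    findings = []
    for ev in events:
        proc, img = PureWindowsPath(ev.process_path), PureWindowsPath(ev.image_path)
        watched = SIDELOAD_PAIRS.get(proc.name.lower())
        if not watched or img.name.lower() not in watched:
            continue
        if proc.parent != img.parent:  # side-loading needs the DLL beside the EXE
            continue
        outside_vendor = not str(proc).lower().startswith(TRUSTED_DIRS)
        if outside_vendor or not ev.image_signed:
            reason = "exe outside vendor dir" if outside_vendor else "unsigned vendor-named DLL"
            findings.append(Finding(ev.process_path, ev.image_path, reason))
    return findings


# Constructed sample telemetry: one benign vendor load, one side-load from a temp folder.
SAMPLE_EVENTS = [
    ImageLoad(r"C:\Program Files\K7 Computing\NRTOLF.exe",
              r"C:\Program Files\K7 Computing\K7SysMn1.dll", True),
    ImageLoad(r"C:\Users\victim\AppData\Local\Temp\unpacked\NRTOLF.exe",
              r"C:\Users\victim\AppData\Local\Temp\unpacked\K7SysMn1.dll", False),
    ImageLoad(r"C:\Windows\System32\notepad.exe", r"C:\Windows\System32\kernel32.dll", True),
]

if __name__ == "__main__":
    for f in flag_sideload(SAMPLE_EVENTS):
        print(f"[{f.reason}] {f.process_path} loaded {f.image_path}")
```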
Apart from the abuse of the security software, Kaspersky said it found another initial infection technique in June 2022, in which a password-protected Microsoft Word file served as the conduit for delivering a fileless downloader known as DOWNIISSA once macros were enabled. The Russian cybersecurity firm said the embedded macro generates the DOWNIISSA shellcode and injects it into the current process (WINWORD.exe). DOWNIISSA is configured to communicate with a hard-coded remote server to retrieve the encrypted BLOB payload of LODEINFO, a backdoor capable of running arbitrary shellcode, capturing screenshots, and exfiltrating data back to the server.
Kaspersky identified six distinct versions of the malware in March, April, June, and September 2022. The malware, first discovered in 2019, has undergone significant changes. The modifications include improved evasion techniques to avoid detection, halting execution on machines with the locale “en_US,” updating the list of supported commands, and adding support for the Intel 64-bit architecture.
“LODEINFO malware is updated very frequently and continues to actively target Japanese organizations,” concluded the researchers. “The updated TTPs and improvements in LODEINFO and related malware […] indicate that the attacker is particularly focused on making detection, analysis and investigation harder for security researchers.”