The Chinese Cicada hacking group, tracked as APT10, has been observed evolving its infection tactics and using a new version of the LODEINFO malware. The group is consistently targeting government and public sector organizations, diplomatic agencies, media groups, and think tanks in Japan.
New infection tactics
Kaspersky researchers, in their report, stated that the group is using a spear-phishing email, a self-extracting archive (SFX) file, and the DOWNIISSA downloader to deploy LODEINFO.
In addition, the group abuses a DLL side-loading weakness in K7Security Suite, a legitimate security product, to deliver the malware.
The other initial infection tactics used by APT10 include VBA + DLL side-loading, SFX + DLL side-loading, SFX + DLL side-loading + an additional BLOB file, and VBA + DOWNIISSA, a new downloader shellcode.
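The side-loading chains listed above share one observable trait: a signed, legitimate executable loads an unsigned DLL from its own (usually freshly extracted) directory instead of from a system directory. The following Python snippet is an added illustration, not code from the Kaspersky report; it applies that single rule to constructed records shaped like Sysmon Event ID 7 (image-load) fields. The executable and DLL names are made up and do not correspond to K7Security Suite or any real product.

```python
"""Flag DLL side-loading candidates in Sysmon-style image-load records.

Added example (not from the report). Field names follow Sysmon Event ID 7
(Image, ImageLoaded, Signed, SignatureStatus); the records are constructed.
"""
import ntpath
from dataclasses import dataclass

# Loads from these directories are expected and never flagged.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


@dataclass
class ImageLoad:
    image: str             # process executable that performed the load
    image_loaded: str      # DLL that was mapped into the process
    process_signed: bool   # the host executable carries a valid signature
    signed: bool           # the DLL carries an Authenticode signature
    signature_status: str  # "Valid", "Invalid" or "Unavailable"


def _dir_of(path: str) -> str:
    """Lower-cased directory with trailing backslash, Windows-path aware."""
    return ntpath.dirname(path.lower()) + "\\"


def is_sideload_candidate(ev: ImageLoad) -> bool:
    """True when a signed host loads an untrusted DLL from its own directory."""
    dll = ev.image_loaded.lower()
    if not dll.endswith(".dll"):
        return False
    same_dir = _dir_of(dll) == _dir_of(ev.image)
    from_system = _dir_of(dll) in SYSTEM_DIRS
    dll_trusted = ev.signed and ev.signature_status.lower() == "valid"
    # Side-loading needs a trusted host; an unsigned host is a different problem.
    return same_dir and not from_system and ev.process_signed and not dll_trusted


def find_candidates(records):
    """Return (host, dll) pairs worth an analyst's attention."""
    return [(r.image, r.image_loaded) for r in records if is_sideload_candidate(r)]


# Constructed sample: an SFX dropped a signed tool plus an unsigned DLL in Downloads.
SAMPLE_RECORDS = [
    ImageLoad(r"C:\Users\victim\Downloads\report\ScanTool.exe",
              r"C:\Users\victim\Downloads\report\helper.dll",
              True, False, "Unavailable"),
    ImageLoad(r"C:\Users\victim\Downloads\report\ScanTool.exe",
              r"C:\Windows\System32\kernel32.dll",
              True, True, "Valid"),
    ImageLoad(r"C:\Program Files\Vendor\tool.exe",
              r"C:\Program Files\Vendor\vendor.dll",
              True, True, "Valid"),
    ImageLoad(r"C:\Users\victim\Downloads\report\unsigned.exe",
              r"C:\Users\victim\Downloads\report\helper.dll",
              False, False, "Unavailable"),
]

if __name__ == "__main__":
    for host, dll in find_candidates(SAMPLE_RECORDS):
        print(f"side-load candidate: {host} -> {dll}")
```

Only the first record is flagged: the second is a normal system load, the third is a vendor's own validly signed DLL, and the fourth has an unsigned host, which is not side-loading in the sense the report describes. In production the rule would be combined with the process's parent (an SFX stub or Office application) to cut noise from installers that legitimately ship private DLLs.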
LODEINFO variants
LODEINFO's operators update the malware frequently and continuously to make it leaner and more efficient.
This year, researchers have so far observed six new variants of LODEINFO; the latest being v0.6.7, released in September.
In this latest variant, the most notable modifications include support for Intel 64-bit architecture, thus allowing it to target more devices.
Other notable updates include the implementation of the Vigenère cipher, a complex infection flow with fileless malware, partial XOR encryption, C2 communication packets with a unique data structure and variable length, and password-protected documents.
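Both of the encryption layers named above, a Vigenère cipher and a partial XOR, are reversible with nothing more than the key bytes, and an additive cipher gives its key away wherever a few bytes of plaintext are known. The Python below is an added worked example, not LODEINFO's real scheme: it uses a byte-wise additive Vigenère variant (shift modulo 256) with a constructed key, XORs only a fixed-length prefix with a single byte, and recovers the Vigenère key from a known header. All keys, lengths and the sample configuration string are made up.

```python
"""Toy layered encoding: byte-wise Vigenère plus partial single-byte XOR.

Added example. The key, prefix length and sample payload are constructed and
do not describe LODEINFO's actual format; only the technique is illustrated.
"""


def vigenere_bytes(data: bytes, key: bytes, decrypt: bool = False) -> bytes:
    """Additive Vigenère over bytes: c[i] = (p[i] + key[i mod n]) mod 256."""
    sign = -1 if decrypt else 1
    return bytes((b + sign * key[i % len(key)]) % 256 for i, b in enumerate(data))


def partial_xor(data: bytes, xor_key: int, prefix_len: int) -> bytes:
    """XOR only the first prefix_len bytes; XOR is its own inverse."""
    head = bytes(b ^ xor_key for b in data[:prefix_len])
    return head + data[prefix_len:]


def encode_blob(plain: bytes, vkey: bytes, xor_key: int, prefix_len: int) -> bytes:
    """Vigenère first, then mask the prefix (the order an analyst must undo in reverse)."""
    return partial_xor(vigenere_bytes(plain, vkey), xor_key, prefix_len)


def decode_blob(blob: bytes, vkey: bytes, xor_key: int, prefix_len: int) -> bytes:
    """Undo the layers in reverse order: strip the XOR mask, then the Vigenère shift."""
    return vigenere_bytes(partial_xor(blob, xor_key, prefix_len), vkey, decrypt=True)


def recover_vigenere_key(blob: bytes, known_prefix: bytes, xor_key: int,
                         prefix_len: int, key_len: int) -> bytes:
    """Known-plaintext recovery: once the XOR mask is removed, key[i] = (c[i] - p[i]) mod 256.

    A configuration blob usually starts with a predictable header (JSON brace,
    magic bytes), which is all an additive cipher needs to leak its key.
    """
    if len(known_prefix) < key_len:
        raise ValueError("need at least key_len bytes of known plaintext")
    unmasked = partial_xor(blob, xor_key, prefix_len)
    return bytes((unmasked[i] - known_prefix[i]) % 256 for i in range(key_len))


# Constructed sample: a config-like payload and made-up keys.
VKEY = b"samplekey"          # 9-byte constructed Vigenère key
XOR_KEY = 0x5A               # constructed single-byte XOR mask
PREFIX_LEN = 4               # only the first four bytes are XORed
PLAIN = b'{"c2":"203.0.113.10:443","sleep":30}'   # documentation-range IP, constructed


def demo() -> bytes:
    """Encode, recover the key from the known JSON header, and decode with it."""
    blob = encode_blob(PLAIN, VKEY, XOR_KEY, PREFIX_LEN)
    key = recover_vigenere_key(blob, PLAIN[:len(VKEY)], XOR_KEY, PREFIX_LEN, len(VKEY))
    return decode_blob(blob, key, XOR_KEY, PREFIX_LEN)


if __name__ == "__main__":
    print(demo().decode())
```

The point for detection engineering is that neither layer adds real secrecy: a sample's configuration can be recovered from the binary once the key schedule is understood, so this kind of obfuscation should be treated as an evasion feature, not as cryptography.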
The bottom line
LODEINFO has become a sophisticated cyberespionage tool with constantly evolving infection methods, implants, and loader modules. The use of updated TTPs and continually revised malware makes its detection challenging. Moreover, through LODEINFO, APT10 could be targeting other countries in the near future.