31 July 2024 | Ravi Lakshmanan | Cyber Attack / Threat Intelligence


Japanese organizations are the target of a Chinese nation-state threat actor that leverages malware families such as LODEINFO and NOOPDOOR to harvest sensitive information from compromised hosts, in some cases staying under the radar for periods of two to three years.

Israeli cybersecurity company Cybereason is tracking the campaign under the name Cuckoo Spear, identifying it as closely related to the intrusion set known as APT10, which is also tracked as Bronze Riverside, ChessMaster, Cicada, Cloudhopper, MenuPass, MirrorFace, Purple Typhoon (formerly Potassium), and Stone Panda.

"The actors behind NOOPDOOR not only used LODEINFO during the campaign, but also used a new backdoor to extract data from compromised enterprise networks," it said.

The findings come weeks after JPCERT/CC warned of cyber attacks carried out by the threat actor against Japanese institutions using the two malware strains.

Earlier this January, ITOCHU Cyber & Intelligence disclosed that it had discovered an updated version of the LODEINFO backdoor that incorporates anti-analysis techniques, highlighting the use of spear-phishing emails to spread the malware.


Trend Micro, which originally coined the term MenuPass to describe the threat actor, characterizes APT10 as an umbrella group consisting of two clusters it calls Earth Tengshe and Earth Kasha. The hacking crew has been operating since at least 2006.

Image source: Trend Micro

While Earth Tengshe is associated with distribution campaigns for SigLoader and SodaMaster, Earth Kasha is attributed with the exclusive use of LODEINFO and NOOPDOOR. Both subgroups have been observed targeting public-facing applications with the goal of exfiltrating data and information of interest across the network.

Earth Tengshe has also been linked to another cluster codenamed Bronze Starlight (aka Emperor Dragonfly or Storm-0401), which has a track record of deploying short-lived ransomware families like LockFile, Atom Silo, Rook, Night Sky, Pandora, and Cheerscrypt.

Image source: JPCERT/CC

Earth Kasha, on the other hand, has been observed exploiting public-facing applications since April 2023, abusing flaws in Array AG (CVE-2023-28461), Fortinet (CVE-2023-27997), and Proself (CVE-2023-45727) to deliver LODEINFO and NOOPDOOR (aka HiddenFace).


LODEINFO comes fitted with several commands to execute arbitrary shellcode, log keystrokes, capture screenshots, terminate processes, and exfiltrate files to an actor-controlled server. NOOPDOOR, which shares code similarities with another APT10 backdoor called ANEL Loader, can upload and download files, execute shellcode, and run additional programs.

"LODEINFO appears to be used as a primary backdoor and NOOPDOOR acts as a secondary backdoor, persisting within a compromised corporate network for more than two years," Cybereason said. "Threat actors maintain persistence within an environment by abusing scheduled tasks."
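The scheduled-task persistence Cybereason describes leaves a record on the host: Windows Security Event ID 4698 ("A scheduled task was created") carries the task name, the creating account, and the task's XML definition. The following is an added example, not code from the article or from Cybereason, showing how a defender can triage those events. The event dictionaries and their field names are a constructed, flattened form of the 4698 event used only for this illustration, and the heuristics (binaries launched from user-writable directories, signed Windows binaries proxying a payload from such a directory, and tasks filed under \Microsoft\Windows\ that do not run an OS binary) are generic persistence indicators, not indicators specific to LODEINFO or NOOPDOOR.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import List, Optional

# Namespace used by Task Scheduler XML, which Windows embeds in the TaskContent
# field of Security Event ID 4698 ("A scheduled task was created").
TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"

# Directories an ordinary user can write to; a task that launches a binary
# from here is far more likely to be implanted than a legitimate system task.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")

# Signed Windows binaries commonly used to proxy execution of a dropped payload.
PROXY_BINARIES = ("rundll32.exe", "regsvr32.exe", "mshta.exe",
                  "powershell.exe", "wscript.exe", "cscript.exe")


@dataclass
class Finding:
    task_name: str
    user: str
    reasons: List[str] = field(default_factory=list)


def _exec_actions(task_xml: str):
    """Yield (command, arguments) for every <Exec> action in a task definition."""
    root = ET.fromstring(task_xml)
    for exec_node in root.iter(f"{TASK_NS}Exec"):
        command = (exec_node.findtext(f"{TASK_NS}Command") or "").strip()
        arguments = (exec_node.findtext(f"{TASK_NS}Arguments") or "").strip()
        yield command, arguments


def _under_windows_dir(command: str) -> bool:
    c = command.lower()
    return "\\windows\\" in c or c.startswith(("%windir%", "%systemroot%"))


def assess_task(event: dict) -> Optional[Finding]:
    """Apply persistence heuristics to one 4698 event; None means nothing suspicious."""
    name = event["TaskName"]
    reasons: List[str] = []
    for command, arguments in _exec_actions(event["TaskContent"]):
        cmd_l, args_l = command.lower(), arguments.lower()
        if any(p in cmd_l for p in USER_WRITABLE):
            reasons.append(f"binary launched from user-writable path: {command}")
        if cmd_l.endswith(PROXY_BINARIES) and any(p in args_l for p in USER_WRITABLE):
            reasons.append(f"proxy execution of user-writable payload: {command} {arguments}")
        # Tasks filed under \Microsoft\Windows\ normally run OS binaries; one that
        # does not is a common way to hide an implant among legitimate tasks.
        if name.lower().startswith("\\microsoft\\windows\\") and not _under_windows_dir(command):
            reasons.append(f"task under \\Microsoft\\Windows\\ runs non-system binary: {command}")
    return Finding(name, event["SubjectUserName"], reasons) if reasons else None


def scan_events(events) -> List[Finding]:
    """Return findings for all task-creation events in an exported batch."""
    findings = []
    for event in events:
        if event.get("EventID") != 4698:
            continue
        finding = assess_task(event)
        if finding:
            findings.append(finding)
    return findings


def _task_xml(command: str, arguments: str = "") -> str:
    """Build the minimal Task Scheduler XML the event's TaskContent field carries."""
    return (
        '<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
        f"<Actions><Exec><Command>{command}</Command>"
        f"<Arguments>{arguments}</Arguments></Exec></Actions></Task>"
    )


# Constructed sample events (not real telemetry): one legitimate OS task,
# two patterns a defender would want flagged, and one non-4698 event.
SAMPLE_EVENTS = [
    {"EventID": 4698, "SubjectUserName": "SYSTEM",
     "TaskName": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
     "TaskContent": _task_xml("%windir%\\system32\\defrag.exe", "-c -h -o -$")},
    {"EventID": 4698, "SubjectUserName": "CORP\\jdoe",
     "TaskName": "\\Updater",
     "TaskContent": _task_xml("C:\\Users\\jdoe\\AppData\\Roaming\\upd.exe")},
    {"EventID": 4698, "SubjectUserName": "CORP\\jdoe",
     "TaskName": "\\Microsoft\\Windows\\Maintenance\\Sync",
     "TaskContent": _task_xml("C:\\Windows\\System32\\rundll32.exe",
                              "C:\\ProgramData\\cache\\lib.dll,Start")},
    {"EventID": 4702, "SubjectUserName": "SYSTEM", "TaskName": "\\Other",
     "TaskContent": _task_xml("C:\\Windows\\System32\\cmd.exe")},
]

if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f"[{f.user}] {f.task_name}")
        for r in f.reasons:
            print(f"    - {r}")
```

Event 4698 is only logged when "Audit Other Object Access Events" is enabled in the advanced audit policy, so the first check in an environment is whether the events exist at all. The same heuristics apply to Event ID 4702 (task updated), which a long-lived implant may rely on to change its action after initial creation; the scan above deliberately restricts itself to creation events to keep the example focused.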

