LODEINFO

MirrorFace has created and continued to develop custom strains of malware including LODEINFO.

August 2023 ... Japanese research institute ... Exploited a vulnerability in FortiOS/FortiProxy → NOT via spearphishing

During our investigation of the attacks in March 2022, we observed a spear-phishing email with a malicious attachment installing malware persistence modules...

comc Execute command using WMI.

Once opened, the doc file shows a Japanese message to enable the following VBA code... the malicious macro code injects and loads an embedded shellcode in the memory of the WINWORD.exe process directly.

comc Execute command using WMI.

The embedded VBA code creates the folder C:\Users\Public\TMWJPA\ and drops a zip file named GFIUFR.zip...

The content repeatedly describes malware and threat actors establishing persistence by adding values under HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce, and by placing executables, scripts, .lnk files, or batch files in the Windows Startup folder.

During the memory injection process... the malware checks the first byte of the second stage shellcode to determine the shellcode architecture... it uses the basic Windows APIs such as VirtualAllocEx(), WriteProcessMemory() and CreateRemoteThread() for memory injection of the 32-bit shellcode and NtAllocateVirtualMemory(), NtWriteVirtualMemory() and RtlCreateUserThread() for supporting the memory injection of the 64-bit shellcode.

The content repeatedly describes malware and threat actors establishing persistence by adding values under HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce, and by placing executables, scripts, .lnk files, or batch files in the Windows Startup folder.

This LODEINFO v0.5.6 shellcode extracted from a loader module demonstrates several enhanced evasion techniques... The beacon also contains a hardcoded key... randomly generated junk data is appended to the end of the data, possibly to evade beaconing detection based on packet size.

The attackers exploited the name of a well-known Japanese politician... The file name and the decoy document suggest the target was the Japanese ruling party or a related organization.

During the memory injection process... the malware checks the first byte of the second stage shellcode to determine the shellcode architecture... it uses the basic Windows APIs such as VirtualAllocEx(), WriteProcessMemory() and CreateRemoteThread() for memory injection of the 32-bit shellcode and NtAllocateVirtualMemory(), NtWriteVirtualMemory() and RtlCreateUserThread() for supporting the memory injection of the 64-bit shellcode.

rm Delete a file.

For the final stage of the infection, DOWNIISSA creates an instance of msiexec.exe and injects the LODEINFO backdoor shellcode in the memory of the process.

In LODEINFO v0.6.2 and later versions, the shellcode has a new feature that looks for the “en_US” locale on the victim’s machine in a recursive function and halts execution if that locale is found.

The malware checks the OS architecture of the infected machine and handles the appropriate loading scheme according to OS architecture and shellcode architecture.

mv Move a file.

keylog Check for Japanese keyboard layout. Save keystrokes, datetime and active window name. Uses 1-byte XOR encryption and a file %temp%\%hostname%.tmp.

During the 2015 Ukraine Electric Power Attack, Sandworm Team remotely discovered systems over LAN connections. OT systems were visible from the IT network as well, giving adversaries the ability to discover operational assets.

ps Show process list.

After infecting the target machine, the LODEINFO backdoor beacons out machine information to the C2, such as current time, ANSI code page (ACP) identifier, MAC address and hostname.

ls Get a file list.

In LODEINFO v0.6.2 and later versions, the shellcode has a new feature that looks for the “en_US” locale on the victim’s machine in a recursive function and halts execution if that locale is found.

The malware checks the OS architecture of the infected machine and handles the appropriate loading scheme according to OS architecture and shellcode architecture.

cp Copy a file.

keylog Check for Japanese keyboard layout. Save keystrokes, datetime and active window name. Uses 1-byte XOR encryption and a file %temp%\%hostname%.tmp.

The content repeatedly describes adversaries and malware storing collected data, command output, credentials, archives, or files in local temporary folders, working directories, hidden directories, registry locations, recycle bins, or specific files prior to exfiltration.

print Make a screenshot.

LODEINFO v0.6.2: generating user agent for C2 communications... The malware generates the user agent string using the following hardcoded formatted string... Mozilla/5.0 ... Chrome/%s Safari/537.36.

send Download a file from C2.

recv Upload a file to C2.

ransom Encrypt files by a generated AES key, which is also encrypted with RSA using the hardcoded RSA key.