LODEINFO is a fileless malware delivered via spear-phishing Maldocs that targets Japanese entities, evolving through multiple versions up to v0.7.3 (2024) with enhanced anti-analysis and memory-resident capabilities. This analysis highlights the infection chain, stealth techniques, and the expanding feature set used by the operators, including remote template delivery, complex payload deployment, and extended backdoor functionality. Hashtags: #LODEINFO #APT10
Key points
- LODEINFO operates as a fileless malware, commonly starting with spear-phishing emails and Maldocs to infect targets in Japan.
- Versions advanced through 2023–2024 show updated infection flows, including 64-/32-bit shellcode selection and improved anti-analysis techniques.
- Remote Template Injection was introduced to download and execute malicious templates, aiding stealth and detection evasion.
- The Maldoc contains VBA that assembles Base64-encoded, split shellcode and performs memory injection to deploy LODEINFO components.
- The Loader decrypts data from a Fake PEM file using Base64, XOR, AES, and an HMAC-SHA1-derived key, then loads the Backdoor payload in memory.
- LODEINFO uses obfuscation (Control-Flow Flattening, Junk code) and a DLL side-loading approach (Frau.dll loading Elze.exe) to hinder analysis.
MITRE Techniques
- [T1566.001] Spearphishing Attachment – Infection starts via a malicious Word Maldoc attached to spear-phishing emails. Quote: ‘The infection is known to occur when a user opens a malicious Word file (hereafter Maldoc) attached to the spear-phishing email.’
- [T1059.005] Visual Basic – VBA in Maldoc checks OS architecture and executes the matching Downloader Shellcode. Quote: ‘The Macro first checks the OS architecture of the target device and then executes the Downloader Shellcode that matches that architecture.’
- [T1055] Process Injection – LODEINFO is ultimately injected into process memory as the final stage of the infection chain. Quote: ‘LODEINFO is eventually injected into memory leading infection.’
- [T1105] Ingress Tool Transfer – Downloader Shellcode downloads the Fake PEM file from the C2 server. Quote: ‘The Downloader Shellcode downloads the Fake PEM file from the C2 server.’
- [T1027] Obfuscated/Compressed Files and Information – Shellcode is Base64-encoded, split into parts, and obfuscated to evade detection. Quote: ‘Each Downloader Shellcode is encoded using Base64 and separated as many split parts…’
- [T1574.001] Hijack Execution Flow – DLL Side-Loading – Frau.dll loads LODEINFO Backdoor Shellcode as a payload into memory. Quote: ‘Frau.dll loads the LODEINFO Backdoor Shellcode as a payload into memory.’
- [T1486] Data Encrypted for Impact – Ransom command encrypts files using AES and encrypts the AES key with a hardcoded RSA key. Quote: ‘Encrypt files using a generated AES key, and simultaneously encrypt that AES key using a hardcoded RSA key.’
- [T1056.001] Keylogging – Backdoor command keylog captures keystrokes and window information. Quote: ‘Save the keystrokes, date and time, and name of the active window from the suspect endpoint.’
- [T1547] Boot or Logon Autostart Execution – The malware implements persistence via an autorun-like mechanism. Quote: ‘autorun – Set and remove persistence.’
- [T1036] Masquerading – Maldoc filename changed from Japanese to English, suggesting language-targeted masquerading. Quote: ‘the filename of the Maldoc itself has been changed from Japanese to English.’
Indicators of Compromise
- [IP Address] Attacker infrastructure / C2 servers – 167.179.106.224, 167.179.77.72, 172.104.112.218, 202.182.116.25, 45.76.197.236, 45.76.222.130, 45.77.183.161
- [MD5] Sample hashes – 69dd7fd355d79db0325816569ae2129a, E82d98bae599cd172bb194adbdc76873, and 2 more hashes
Read more: https://blog-en.itochuci.co.jp/entry/2024/01/24/134100