APT10: Tracking down LODEINFO 2022, part II

LODEINFO underwent multiple upgrades in 2022, expanding its backdoor capabilities, encryption, and evasion techniques while continuing to target primarily Japanese entities. The article details complex C2 communications, 64-bit memory injection, and evolving backdoor commands as attackers refine their stealth and resilience. #LODEINFO #APT10 #Japan #WMI #SandboxEvasion

Keypoints

  • LODEINFO was updated across several versions in 2022 (e.g., v0.5.6, v0.5.9, v0.6.2, v0.6.3, and later) with new features and encryption changes.
  • The backdoor beacon includes host data (time, ACP, MAC address, hostname) and a hardcoded Vigenère key, plus random junk data to evade detection.
  • v0.5.9 introduces a new hashing algorithm to resolve API function names, with per-sample XOR variations to hinder analysis.
  • v0.6.2 adds en_US locale-based sandbox evasion, 64-bit shellcode memory loading, and a user-agent generator for C2 communications based on installed Chrome versions.
  • Memory injection now supports both 32-bit and 64-bit architectures using Windows APIs (e.g., VirtualAllocEx, WriteProcessMemory, CreateRemoteThread).
  • v0.6.3 reduces the number of backdoor commands from 21 to 11, while still embedding commands like comc, autorun, and config in later versions.
  • LODEINFO continues to target Japanese organizations with increasingly sophisticated C2 data structures, encryption, and anti-analysis features, underscoring the need for collaborative security research.

MITRE Techniques

  • [T1071] Web Protocols – C2 communications using encoded and encrypted payloads. “The data to be sent to the C2 is produced using the second key, the encrypted header, and the payload through the complex steps described above.”
  • [T1047] Windows Management Instrumentation – Execute command using WMI. “comc: Execute command using WMI.”
  • [T1055] Process Injection – Memory injection of shellcode using Windows APIs. “In the shellcode injection process, it uses the basic Windows APIs such as VirtualAllocEx(), WriteProcessMemory() and CreateRemoteThread() … and NtAllocateVirtualMemory(), NtWriteVirtualMemory() and RtlCreateUserThread() for supporting the memory injection of the 64-bit shellcode.”
  • [T1027] Obfuscated/Compressed Files and Information – Two-byte XOR obfuscation of command identifiers. “Two-byte XOR for four-byte stack strings of backdoor command identifiers.”
  • [T1132] Data Encoding – Base64 payloads and URL-safe variants. “base64 (url-safe with replaced padding from ‘=’ to ‘.’)”
  • [T1486] Data Encrypted for Impact – AES/RSA encryption of files for ransom. “Encrypt files by a generated AES key, which is also encrypted with RSA using the hardcoded RSA key.”
  • [T1497] Virtualization/Sandbox Evasion – Evasion based on the en-US locale. “Recursive call if the ‘en-US’ locale is found”
  • [T1547] Boot or Logon Autostart Execution – Persistence via autorun commands. “autorun: Set/delete persistence.”

Indicators of Compromise

  • [Hash] Malicious document – da20ff8988198063b56680833c298113
  • [Hash] LODEINFO zip implant – 89bd9cf51f8e01bc3b6ec025ed5775fc
  • [Hash] Implants that contain LODEINFO loader and a one-byte XORed shellcode – 15b80c5e86b8fd08440fe1a9ca9706c9, 6780d9241ad4d8de6e78d936fbf5a922
  • [Hash] SFX file – 76cdb7fe189845a0bc243969dba4e7a3, edc27b958c36b3af5ebc3f775ce0bcc7
  • [Domain] Hardcoded C2 domain – www.dvdsesso[.]com
  • [IP] Hardcoded C2 IPs – 103.175.16[.]39, 172.104.72[.]4

Read more: https://securelist.com/apt10-tracking-down-lodeinfo-2022-part-ii/107745/