LODEINFO Fileless Malware Evolves with Anti-Analysis and Remote Code Tricks

January 25, 2024 at 11:38AM

Cybersecurity researchers uncovered an updated version of the backdoor malware LODEINFO distributed through spear-phishing attacks. Its capabilities include executing shellcode, taking screenshots, and exfiltrating files to an actor-controlled server. The Chinese nation-state actor Stone Panda is behind the backdoor, with attacks targeting Japan since 2021. Notable changes in the latest version, 0.7.3, include additional commands and a new intermediate stage for delivery.

Based on the article, here are the key takeaways:

1. Updated Backdoor – A new version of the LODEINFO backdoor, distributed through spear-phishing attacks, has been discovered by cybersecurity researchers.
2. Features & Techniques – The updated malware includes new features and changes to anti-analysis techniques.
3. History of Attacks – This backdoor has been linked to a Chinese nation-state actor known as Stone Panda, which has a history of targeting Japan since 2021.
4. Attack Methods – The malware is deployed through phishing emails with malicious Microsoft Word documents, utilizing VBA macros to execute downloader shellcode and ultimately the LODEINFO implant.
5. Infection Paths – LODEINFO has been observed using remote template injection methods to retrieve and execute malicious macros.
6. Language Settings – The malware's check for Japanese language settings has been changed, so that it can also target environments whose language is not Japanese.
7. New Intermediate Stage – Version 0.7.1 introduces a new stage involving the downloader fetching and loading the backdoor directly in memory.
8. Countermeasures – It is essential to introduce a product that can scan and detect malware in memory to counter the fileless nature of LODEINFO.
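Takeaway 5 mentions remote template injection: the document itself carries no macro, but its settings relationships point `attachedTemplate` at a template fetched over the network, and the macro arrives with that template. The check below is an added example for defenders, not code from the article or from the researchers it cites; it parses `word/_rels/settings.xml.rels` inside a .docx and reports external template targets that are URLs or UNC paths, while ignoring the `file:///...Normal.dotm` reference Word writes into ordinary documents. The two sample documents and the URL `http://template-host.example/t.dotm` are constructed placeholders.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import List, Optional

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)
# Schemes that mean the template is pulled from somewhere other than local disk.
REMOTE_PREFIXES = ("http://", "https://", "\\\\")


def find_remote_templates(docx_bytes: bytes) -> List[str]:
    """Return attachedTemplate targets that would be fetched from the network.

    A benign document either has no attachedTemplate relationship or points it
    at a local .dotm (Word writes Target="file:///...Normal.dotm" with
    TargetMode="External", which is why 'External' alone is not a signal).
    An http(s) or UNC target in this relationship is the hallmark of remote
    template injection and deserves a closer look.
    """
    hits: List[str] = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if "word/_rels/settings.xml.rels" not in zf.namelist():
            return hits
        root = ET.fromstring(zf.read("word/_rels/settings.xml.rels"))
        for rel in root.iter(f"{{{REL_NS}}}Relationship"):
            if rel.get("Type") != ATTACHED_TEMPLATE:
                continue
            target = rel.get("Target", "")
            if rel.get("TargetMode", "Internal").lower() != "external":
                continue
            if target.lower().startswith(REMOTE_PREFIXES):
                hits.append(target)
    return hits


def build_docx(settings_rels: Optional[str]) -> bytes:
    """Construct a minimal .docx (constructed for this example; it contains only
    the parts the check reads, so Word would not consider it a full document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", '<?xml version="1.0"?><Types/>')
        zf.writestr("word/document.xml", '<?xml version="1.0"?><document/>')
        zf.writestr(
            "word/settings.xml",
            '<?xml version="1.0"?><w:settings '
            'xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
            'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
            '<w:attachedTemplate r:id="rId1"/></w:settings>',
        )
        if settings_rels is not None:
            zf.writestr("word/_rels/settings.xml.rels", settings_rels)
    return buf.getvalue()


# Constructed sample: template pulled from a placeholder host over HTTP.
SUSPICIOUS_RELS = (
    f'<?xml version="1.0"?><Relationships xmlns="{REL_NS}">'
    f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
    'Target="http://template-host.example/t.dotm" TargetMode="External"/>'
    "</Relationships>"
)

# Constructed sample: the local Normal.dotm reference an ordinary document carries.
BENIGN_RELS = (
    f'<?xml version="1.0"?><Relationships xmlns="{REL_NS}">'
    f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
    'Target="file:///C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Templates\\Normal.dotm" '
    'TargetMode="External"/></Relationships>'
)


if __name__ == "__main__":
    for label, rels in (("suspicious", SUSPICIOUS_RELS), ("benign", BENIGN_RELS), ("no rels", None)):
        print(label, "->", find_remote_templates(build_docx(rels)))
```

Run against a mail gateway quarantine or a sandbox's dropped-file directory, a non-empty result is a cheap triage signal that complements the in-memory scanning the article recommends: the template URL is the first network indicator of the chain, before any shellcode or the LODEINFO implant ever touches disk or memory.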
