The Chinese state-sponsored threat actor known as Stone Panda has been observed using a new stealthy infection chain in its attacks aimed at Japanese entities.
Targets include media, diplomatic, governmental and public sector organizations and think-tanks in Japan, according to twin reports published by Kaspersky.
Stone Panda, also known as APT10, Bronze Riverside, Cicada, and Potassium, is a cyber espionage group known for its intrusions against organizations identified as strategically significant to China. The threat actor is believed to have been active since at least 2009.
The latest set of attacks, observed between March and June 2022, involves the use of a bogus Microsoft Word file and a self-extracting archive (SFX) file in RAR format propagated via spear-phishing emails, leading to the execution of a backdoor called LODEINFO.
While the maldoc requires users to enable macros to activate the kill chain, the June 2022 campaign was found to drop this method in favor of an SFX file that, when executed, displays a harmless decoy Word document to conceal the malicious actions.
The macro, once enabled, drops a ZIP archive containing two files, one of which (“NRTOLF.exe”) is a legitimate executable from the K7Security Suite software that is subsequently used to load a rogue DLL (“K7SysMn1.dll”) via DLL side-loading.
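One way a defender can hunt for the side-load described above in image-load telemetry, as an added example that is not part of Kaspersky's reports: flag any load of a DLL named K7SysMn1.dll by NRTOLF.exe that comes from outside the expected product directory or is unsigned. The log format (pipe-separated Sysmon Event ID 7 fields) and the trusted K7 install paths are assumptions; the sample lines are constructed.

```python
"""Flag the NRTOLF.exe -> K7SysMn1.dll side-load pattern in image-load logs.

Assumptions (not from the report): records are Sysmon Event ID 7 style
fields flattened to one pipe-separated line, and the genuine K7 product
is installed under C:\\Program Files\\K7. Sample lines are constructed.
"""
import ntpath

# Legitimate host executable and the DLL it loads (names from the report).
LURE_EXE = "nrtolf.exe"
SIDELOADED_DLL = "k7sysmn1.dll"
# Directories where the real product would live (assumed for this example).
TRUSTED_DIRS = (r"c:\program files\k7", r"c:\program files (x86)\k7")

CONSTRUCTED_LOGS = """\
Image=C:\\Program Files\\K7\\NRTOLF.exe|ImageLoaded=C:\\Program Files\\K7\\K7SysMn1.dll|Signed=true|Signature=K7 Computing
Image=C:\\Users\\alice\\AppData\\Local\\Temp\\NRTOLF.exe|ImageLoaded=C:\\Users\\alice\\AppData\\Local\\Temp\\K7SysMn1.dll|Signed=false|Signature=
Image=C:\\Windows\\explorer.exe|ImageLoaded=C:\\Windows\\System32\\shell32.dll|Signed=true|Signature=Microsoft Windows
"""

def parse(line):
    """Turn 'Key=Value|Key=Value' into a dict (values may contain '=')."""
    return dict(kv.split("=", 1) for kv in line.strip().split("|"))

def is_suspicious(rec):
    """Return a reason string if the load matches the side-load pattern, else None."""
    exe = ntpath.basename(rec.get("Image", "")).lower()
    dll_path = rec.get("ImageLoaded", "")
    if exe != LURE_EXE or ntpath.basename(dll_path).lower() != SIDELOADED_DLL:
        return None
    dll_dir = ntpath.dirname(dll_path).lower()
    # A genuine load comes from the product directory and carries a signature.
    if not dll_dir.startswith(TRUSTED_DIRS):
        return f"{SIDELOADED_DLL} loaded from untrusted directory {dll_dir}"
    if rec.get("Signed", "").lower() != "true":
        return f"unsigned {SIDELOADED_DLL} loaded by {LURE_EXE}"
    return None

def find_sideloads(log_text):
    """Return [(process image, reason)] for every suspicious load in the log."""
    hits = []
    for line in log_text.splitlines():
        if line.strip():
            rec = parse(line)
            reason = is_suspicious(rec)
            if reason:
                hits.append((rec["Image"], reason))
    return hits

if __name__ == "__main__":
    for image, reason in find_sideloads(CONSTRUCTED_LOGS):
        print(f"ALERT {image}: {reason}")
```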
The abuse of the security software aside, Kaspersky said it also discovered in June 2022 another initial infection method whereby a password-protected Microsoft Word file acted as a conduit to deliver a fileless downloader dubbed DOWNIISSA upon enabling macros.
“The embedded macro generates the DOWNIISSA shellcode and injects it in the current process (WINWORD.exe),” the Russian cybersecurity firm said.
DOWNIISSA is configured to communicate with a hard-coded remote server, using it to retrieve an encrypted BLOB payload of LODEINFO, a backdoor capable of executing arbitrary shellcode, taking screenshots, and exfiltrating files back to the server.
The malware, first seen in 2019, has undergone numerous improvements, with Kaspersky identifying six different versions in March, April, June, and September 2022.
The changes include enhanced evasion techniques to fly under the radar, halting execution on machines with the locale “en_US,” revising the list of supported commands, and adding support for Intel 64-bit architecture.
“LODEINFO malware is updated very frequently and continues to actively target Japanese organizations,” the researchers concluded.
“The updated TTPs and improvements in LODEINFO and related malware […] indicate that the attacker is particularly focused on making detection, analysis and investigation harder for security researchers.”