Summary:
LODEINFO is malware used by the Earth Kasha group, which has primarily targeted Japan since 2019. Recent campaigns show significant updates to the group's tactics, techniques, and procedures, and an expansion of its targeting to Taiwan and India. The group employs several backdoors, including LODEINFO and NOOPDOOR, and exploits vulnerabilities in public-facing applications for initial access.
Key points:
LODEINFO malware has been active since 2019, primarily targeting Japan.
Earth Kasha is the group behind LODEINFO; a connection to APT10 is suspected but not confirmed.
Recent campaigns have expanded targets to Taiwan and India, focusing on advanced technology and government sectors.
New tactics include exploiting vulnerabilities in SSL-VPN and file storage services.
Earth Kasha uses multiple backdoors, including Cobalt Strike, LODEINFO, and the newly discovered NOOPDOOR.
Credential theft is a primary motivation; the group uses tools such as MirrorStealer alongside legitimate Microsoft tools for data collection.
LODEINFO has undergone continuous updates, with new commands and functionalities added in recent versions.
NOOPDOOR is a sophisticated backdoor with unique communication methods and anti-analysis features.
Trend Micro provides threat intelligence to help organizations mitigate risks associated with these threats.
MITRE Techniques:
Initial Access (T1190): Exploits public-facing applications (such as SSL-VPN and file storage services) to gain initial access.
Execution (T1203): Uses malicious documents or links delivered in spear-phishing emails.
Credential Access (T1003): Uses tools such as MirrorStealer to dump stored credentials.
Persistence (T1053): Registers malicious applications as scheduled tasks for persistence.
Lateral Movement (T1021): Uses SMB and other remote services to move laterally within the network.
Exfiltration (T1041): Exfiltrates data over RDP sessions or backdoor C&C channels.
Command and Control (T1071): Employs several application-layer communication methods with C&C servers.
IoC:
No IoC Found
Full Research: https://www.trendmicro.com/en_us/research/24/k/lodeinfo-campaign-of-earth-kasha.html