    LODEINFO fileless malware continues to evolve through anti-analysis and remote coding techniques

January 25, 2024 | Editorial Department | Fileless Malware / Endpoint Security

Cybersecurity researchers have discovered an updated version of a backdoor called LODEINFO that is distributed via spear-phishing attacks.

The findings come from the Japanese company ITOCHU Cyber & Intelligence, which said the malware "has been updated with new features and changes to anti-analysis (analysis avoidance) techniques."

    LODEINFO (versions 0.6.6 and 0.6.7) was first documented by Kaspersky in November 2022, detailing its ability to execute arbitrary shellcode, take screenshots, and exfiltrate files back to attacker-controlled servers.

    A month later, ESET disclosed attacks against Japanese political institutions that led to the deployment of LODEINFO.


    The backdoor is the work of Chinese nation-state group Stone Panda (also known as APT10, Bronze Riverside, Cicada, Earth Tengshe, MirrorFace, and Potassium), which has a history of orchestrating attacks against Japan since 2021.

    The attack chain begins with phishing emails containing malicious Microsoft Word files that, when opened, execute VBA macros to launch downloader shellcode that ultimately executes the LODEINFO implant.

The LODEINFO infection path observed in 2023 was also seen leveraging remote template injection: the decoy Word file carries a reference to a remote template, so every time a victim opens it, Word retrieves and executes a malicious macro hosted on the adversary's infrastructure.
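A remote template reference is easy to spot without opening the document in Word, because it lives in the package's relationship files as an attachedTemplate relationship with an external target. The following is an added example, not ITOCHU's or the malware's code; the document it scans is constructed in memory, and the attacker host name is a placeholder.

```python
"""Detect remote template injection in a .docx (added example, not from the report).

A Word document that loads a remote template carries a Relationship of type
.../relationships/attachedTemplate in word/_rels/settings.xml.rels whose
Target is an http(s) URL or UNC path. Word fetches that target on open,
which is how the macro-bearing template is pulled from attacker infrastructure.
A local Normal.dotm reference (file:///...) is also marked External, so the
check keys on the target's scheme rather than on TargetMode alone.
"""
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import List, Optional
from urllib.parse import urlparse

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")


def is_remote_target(target: str) -> bool:
    """True for http/https URLs and UNC paths; False for local file:/// paths."""
    scheme = urlparse(target).scheme.lower()
    return scheme in ("http", "https") or target.startswith("\\\\")


def find_remote_templates(docx_bytes: bytes) -> List[str]:
    """Return every attachedTemplate target that points off the local machine."""
    hits: List[str] = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        # settings.xml.rels is the usual location, but scan every .rels part.
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("Type") != ATTACHED_TEMPLATE:
                    continue
                target = rel.get("Target", "")
                if is_remote_target(target):
                    hits.append(target)
    return hits


def build_docx(template_rel: Optional[str]) -> bytes:
    """Construct a minimal .docx package for the demo, optionally with a template relationship."""
    rels = (f'<?xml version="1.0" encoding="UTF-8"?>'
            f'<Relationships xmlns="{REL_NS}">{template_rel or ""}</Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/settings.xml", "<w:settings/>")
        z.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()


# Constructed samples. The host name is a hypothetical placeholder, not an IOC.
MALICIOUS_REL = (f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
                 'Target="http://template.example.invalid/decoy.dotm" TargetMode="External"/>')
BENIGN_REL = (f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
              'Target="file:///C:/Users/user/AppData/Roaming/Microsoft/Templates/Normal.dotm" '
              'TargetMode="External"/>')

if __name__ == "__main__":
    for label, rel in (("decoy", MALICIOUS_REL), ("normal", BENIGN_REL), ("plain", None)):
        print(label, find_remote_templates(build_docx(rel)))
```

Run the same function over mail-gateway attachments or a quarantine folder: a hit is a document that will reach out to the listed host the moment a user opens it, regardless of whether the file itself contains any macro code.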

Additionally, a check of Microsoft Office's language setting, confirming that it was Japanese before proceeding, is said to have been added around June 2023, but a month later it was removed in an attack using LODEINFO version 0.7.1.

    “In addition, the file name of the malicious document itself has been changed from Japanese to English,” Itochu noted. “Based on this, we believe that v0.7.1 is likely to be used to attack language environments other than Japanese.”

Another notable change in the LODEINFO version 0.7.1 attack is the introduction of a new intermediate stage: the shellcode downloader obtains a file disguised as a Privacy Enhanced Mail (PEM) file from a C2 server, which in turn loads the backdoor directly in memory.

The downloader has similarities to a known fileless downloader called DOWNIISSA, based on its self-patching mechanism for hiding malicious code, its method of encoding command-and-control (C2) server information, and the data structure it uses to decrypt the payload from the fake PEM file.
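A PEM file is nothing more than base64 text between BEGIN/END markers, so any blob can be wrapped in one to pass as a certificate on the wire. A cheap triage check for the disguised-PEM stage described in the last two paragraphs is to decode the body and test whether it is actually a DER object of the kind a certificate or key would be. This is an added example, not ITOCHU's analysis code or a reconstruction of LODEINFO's format; the genuine and fake bodies are constructed here, and the check is a heuristic, not a decryptor.

```python
"""Is the base64 body of a PEM file really DER? (added example, not from the report)

Real certificates and keys decode to a DER SEQUENCE (tag 0x30) whose length
header exactly covers the rest of the body. An opaque encrypted payload
wrapped in PEM markers normally fails that test.
"""
import base64
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def pem_body(text: str) -> bytes:
    """Extract and base64-decode the first PEM block in text."""
    m = PEM_RE.search(text)
    if not m:
        raise ValueError("no PEM block found")
    return base64.b64decode("".join(m.group(2).split()), validate=True)


def der_length(buf: bytes, pos: int):
    """Parse a DER length at buf[pos]; return (length, bytes consumed) or None."""
    if pos >= len(buf):
        return None
    first = buf[pos]
    if first < 0x80:
        return first, 1                      # short form
    n = first & 0x7F
    if n == 0 or n > 4 or pos + 1 + n > len(buf):
        return None                          # indefinite or absurd length: not DER
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), 1 + n


def looks_like_der_sequence(der: bytes) -> bool:
    """True if der is one SEQUENCE whose declared length covers the whole buffer."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    parsed = der_length(der, 1)
    if parsed is None:
        return False
    length, consumed = parsed
    return 1 + consumed + length == len(der)


def classify_pem(text: str) -> str:
    """'plausible-der' for certificate/key-shaped bodies, 'opaque-blob' otherwise."""
    return "plausible-der" if looks_like_der_sequence(pem_body(text)) else "opaque-blob"


# Helpers to construct the two samples (DER encoder and PEM wrapper).
def der_tlv(tag: int, content: bytes) -> bytes:
    n = len(content)
    if n < 0x80:
        header = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        header = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + header + content


def to_pem(label: str, der: bytes) -> str:
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


# Constructed samples: a SEQUENCE holding a 200-byte INTEGER (exercises the
# long-form length), and an arbitrary byte string standing in for a payload.
GENUINE = der_tlv(0x30, der_tlv(0x02, b"\x01" + b"\x00" * 199))
FAKE = bytes(range(0x41, 0x61)) + b"\x00" * 8

if __name__ == "__main__":
    print("genuine:", classify_pem(to_pem("CERTIFICATE", GENUINE)))
    print("fake:   ", classify_pem(to_pem("CERTIFICATE", FAKE)))
```

Treat "opaque-blob" as a reason to pull the file for analysis rather than as proof of anything: an adversary can prepend a valid outer SEQUENCE header to pass this check, so the stronger signal remains the one the report points at, a process that fetched a "PEM" file over HTTP and then mapped executable memory without writing a file.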

    “The LODEINFO backdoor shellcode is a fileless malware that allows attackers to remotely access and operate infected hosts,” the company said. Samples discovered by the company in 2023 and 2024 contained additional commands. The latest version of LODEINFO is 0.7.3.

    “As a countermeasure, since LODEINFO’s downloader shellcode and backdoor shellcode are both fileless malware, it is necessary to introduce a product that can scan and detect the malware in memory in order to detect it,” it added.
