Threat Group Continuously Updates Malware to Evade Antivirus Software

Kaspersky researchers recently found evidence of an advanced threat group continuously updating its malware to evade security products, similar to a release cycle for developers.

Kaspersky revealed that APT10, also known as the Cicada hacking group, has successfully deployed the LODEINFO malware in government, media, public sector, and diplomatic organizations in Japan.

JPCERT/CC has observed LODEINFO in spear-phishing campaigns since December 2019. The malware was hidden in malicious Word file attachments. So far, nothing unusual for a sophisticated threat actor, but JPCERT/CC concluded that LODEINFO was “under development,” as they found the version number “v0.1.2” during their investigation.

Kaspersky researchers have been tracking the malware since then, and they’ve discovered evidence revealing “high-confidence attribution to APT10.” They observed another spear-phishing campaign in March 2022.

The malicious Word documents contained fake security notices that invited the victims to click “Enable Editing” and “Enable Content,” which executes the embedded malicious VBA code. The attackers were then able to infect their targets and establish command and control (C2) communications to exfiltrate confidential data.

Again, nothing really new for such attacks. The interesting part is that “the LODEINFO implants and loader modules were also continuously updated to evade security products and complicate manual analysis by security researchers.”

Also read: How Hackers Evade Detection

Can Security Tools Stop Evolving Threats?

The growing trend of obstructing investigations is here to stay, and threat actors now run professional IT maintenance, complete with release cycles. Researchers even found an update that skips machines with the “en_US” locale:

In LODEINFO v0.6.2 and later versions, the shellcode has a new feature that looks for the “en_US” locale on the victim’s machine in a recursive function and halts execution if that locale is found.

Evading Windows built-in security systems such as Windows Defender is nothing new, and many techniques have been disclosed by security researchers in public proofs of concept (PoCs).

YouTube is full of detailed tutorials for achieving that, using simple file renaming (e.g., known binaries such as Mimikatz) or obfuscated sequences in PowerShell commands and Python scripts.

Clearly, companies and individuals should not rely exclusively on built-in security. However, the same also goes for antivirus software and other anti-malware solutions.

Of course, this does not mean you should not use those tools, but nothing replaces security awareness training, active monitoring, regular pentesting, and threat hunting. However, even advanced security products and good practices do not guarantee 100% safety, and it’s an endless struggle between attackers and defenders.

However, it would certainly be worse without security professionals, as you can’t fight something you can’t quantify. You need humans to operate these tools and analyze threats and IoCs (Indicators of Compromise). You also need platforms where you can share your knowledge and collaborate with other teams, which sometimes leads to catching APT groups.

Also read: Ransomware Group Uses Vulnerability to Bypass EDR Products

Defense in Depth

Complete security can’t be achieved, especially against global actors or state-sponsored groups. As long as you need employees, you will get spear-phishing campaigns and other social engineering attacks.

There’s also a thin line between security and employees’ privacy rights, but the real problem occurs when the system gets too permissive. Beyond automated scanners and detection tools, the least privilege principle can harden initial access and limit the risk of lateral movement.

Employees can be targeted for several reasons:

  • bad practices and lack of security awareness
  • bad security policies that push users towards predictable strategies (e.g., weak passwords or common patterns)
  • excessive permissions or unnecessary root access
  • disgruntlement or conflicts with management

If employees do not need macro-enabled documents, then disallow macros (and the notifications that invite users to enable them) in your office productivity software. Group policies and templates can be used to achieve that globally. If it’s too complicated, cloud platforms usually provide such functionality and the granularity you need.
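As an added example (not part of the original article), the following PowerShell script applies the “disable all macros without notification” policy for Word, Excel and PowerPoint through the per-user Office policy registry keys, then verifies the result. It assumes an Office 2016/2019/Microsoft 365 installation (version key “16.0”); the Office ADMX templates write the same values, so a GPO is the preferred way to apply them fleet-wide.

```powershell
# Added example: enforce "Disable all macros without notification" for Office apps.
# Assumption: Office version key 16.0 (Office 2016/2019/Microsoft 365).
$OfficeVersion = '16.0'
$Apps = 'Word', 'Excel', 'PowerPoint'

foreach ($app in $Apps) {
    $key = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }

    # VBAWarnings: 1 = enable all, 2 = disable with notification,
    # 3 = disable all except digitally signed, 4 = disable all without notification.
    # Value 4 removes the "Enable Content" prompt the lure documents rely on.
    Set-ItemProperty -Path $key -Name 'VBAWarnings' -Value 4 -Type DWord

    # Additionally block macros in files carrying the Mark of the Web
    # (downloaded files and e-mail attachments), regardless of user clicks.
    Set-ItemProperty -Path $key -Name 'BlockContentExecutionFromInternet' -Value 1 -Type DWord
}

# Verification pass: report any application where the policy did not take effect.
foreach ($app in $Apps) {
    $key   = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
    $value = (Get-ItemProperty -Path $key -Name 'VBAWarnings' -ErrorAction SilentlyContinue).VBAWarnings
    if ($value -ne 4) {
        Write-Warning "${app}: VBAWarnings is '$value', expected 4"
    } else {
        Write-Output "${app}: macros disabled without notification"
    }
}
```

Run it in the user’s context (or deploy the equivalent settings through Group Policy); signed internal macros can still be allowed by using value 3 instead of 4 where a business need exists.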

More generally, if an employee does not need administrator privileges to work, sysadmins should assign them a proper role with fewer permissions. This is basic role management.

If employees are allowed to use “123456” for their password, it’s a major risk. If MFA or 2FA is available but not mandatory, that’s a significant risk too.

In a nutshell, the lack of security culture often shifts the responsibility to the end-users, which can result in painful breaches.

These recommendations might seem a bit paradoxical for such highly-evasive campaigns and skilled hackers who focus on evading malware analysis. However, cybercriminals usually exploit classic flaws to get initial access.

Likewise, post-exploitation may involve a mix of basic exploits and highly technical approaches, so defense in depth is recommended. In the best-case scenario, the attack will simply fail, but if that’s not the case, you will at least slow their progression.



Threat Group Continuously Updates Malware to Evade Antivirus Software | eSecurityPlanet