LODEINFO (Trojan) – Malware

February 1, 2025

LODEINFO

Type of Malware

Trojan

Country of Origin

China

Date of Initial Activity

December 2019 (first public reporting in 2020)

Targeted Countries

Japan

Associated Groups

MirrorFace
APT10

Motivation

Cyber espionage (collection of data from Japanese organizations)

Attack Vectors

Spear-phishing emails with malicious Word attachments (macro-enabled)

Targeted Systems

Windows

Overview

LODEINFO was first observed in December 2019 and has since been used in spear-phishing campaigns against Japanese organizations. It arrives as a malicious attachment, typically a Word document whose macro the victim must enable, and then gives its operators a fairly complete remote-access toolkit: process injection, file upload and download, process termination, and execution of further PE files or shellcode. What makes LODEINFO harder to handle than a commodity trojan is how it stays out of sight. The macro launches the dropped payload through rundll32.exe from %ProgramData% and the document closes so the victim sees nothing unusual; the payload then starts its own svchost.exe and injects code into it, so the malicious activity runs under a process name defenders expect to see. Once resident, LODEINFO beacons to its command-and-control (C2) server over HTTP, with AES-encrypted and Base64-encoded request and response bodies, and waits for instructions.

Targets

Japanese organizations (sector listed as Information)

How they operate

Initial Infection and Execution
The chain begins with a spear-phishing email carrying a malicious Microsoft Word document. The document asks the user to enable macros, a legitimate Office feature for automating repetitive tasks; in LODEINFO's case, enabling them runs the embedded malicious code. The macro launches LODEINFO through rundll32.exe, pointing it at the payload written to the %ProgramData% directory, so the malware runs in the background while the original document is closed to reduce the victim's suspicion. LODEINFO then spawns an svchost.exe process and injects its payload into it as a new thread. Because svchost.exe is a normal Windows service host, the injected code runs under a process name that blends into ordinary system activity. For defenders the useful signal is the parent-child relationship rather than the process names: Word has no reason to start rundll32.exe with a DLL under %ProgramData%, and svchost.exe is normally a child of services.exe, not of rundll32.exe.
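The parent-child chain in this section is what endpoint telemetry can catch. The following is an added example, not code from this page or from the JPCERT/CC analysis it summarises: a small Python rule set run over constructed Sysmon-style process-creation (Event ID 1) and CreateRemoteThread (Event ID 8) records. The file paths, PIDs and the DLL name are hypothetical; only the relationships between the processes matter.

```python
"""Host-side detection of the LODEINFO execution chain described above.

Input is constructed, Sysmon-style telemetry (Event ID 1 = ProcessCreate,
Event ID 8 = CreateRemoteThread); the PIDs, file paths and the DLL name are
hypothetical. Only the parent/child and injection relationships matter.
"""
import re
from typing import Dict, List

WINWORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
RUNDLL32 = r"C:\Windows\System32\rundll32.exe"
SVCHOST = r"C:\Windows\System32\svchost.exe"
SERVICES = r"C:\Windows\System32\services.exe"
EXPLORER = r"C:\Windows\explorer.exe"

# Constructed sample events (not real telemetry).
EVENTS: List[Dict[str, str]] = [
    # Benign: a service host started the normal way by services.exe.
    {"EventID": "1", "ProcessId": "900", "ParentProcessId": "700",
     "Image": SVCHOST, "ParentImage": SERVICES,
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs -p"},
    # Benign: the user opens the lure document from Explorer.
    {"EventID": "1", "ProcessId": "4100", "ParentProcessId": "3800",
     "Image": WINWORD, "ParentImage": EXPLORER,
     "CommandLine": r'"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" /n "C:\Users\user\Downloads\invoice.doc"'},
    # Suspicious: the macro runs a DLL dropped under %ProgramData% via rundll32.exe.
    {"EventID": "1", "ProcessId": "4212", "ParentProcessId": "4100",
     "Image": RUNDLL32, "ParentImage": WINWORD,
     "CommandLine": r"rundll32.exe C:\ProgramData\update.dll,#1"},
    # Suspicious: rundll32.exe spawns its own svchost.exe (normal parent is services.exe).
    {"EventID": "1", "ProcessId": "4300", "ParentProcessId": "4212",
     "Image": SVCHOST, "ParentImage": RUNDLL32,
     "CommandLine": "svchost.exe"},
    # Suspicious: rundll32.exe creates a remote thread in that svchost.exe (payload injection).
    {"EventID": "8", "SourceProcessId": "4212", "SourceImage": RUNDLL32,
     "TargetProcessId": "4300", "TargetImage": SVCHOST},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Matches both the environment-variable form and the expanded default path.
PROGRAMDATA = re.compile(r"%programdata%|c:\\programdata\\", re.IGNORECASE)


def image_name(path: str) -> str:
    """Lower-cased file name of an image path (Sysmon logs full paths)."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Return one hit per matching rule; each hit names the PID and the ATT&CK technique."""
    by_pid = {e["ProcessId"]: e for e in events if e["EventID"] == "1"}
    hits: List[Dict[str, object]] = []
    for e in events:
        if e["EventID"] == "1":
            img, parent = image_name(e["Image"]), image_name(e["ParentImage"])
            # Rule 1: an Office application launching rundll32 against a DLL in %ProgramData%.
            if parent in OFFICE_APPS and img == "rundll32.exe" and PROGRAMDATA.search(e["CommandLine"]):
                hits.append({"rule": "office_rundll32_programdata", "pid": e["ProcessId"],
                             "technique": "T1204.002, T1218.011"})
            # Rule 2: svchost.exe whose parent is not services.exe (a staged injection target).
            if img == "svchost.exe" and parent != "services.exe":
                hits.append({"rule": "svchost_unexpected_parent", "pid": e["ProcessId"],
                             "technique": "T1055 (target)"})
        elif e["EventID"] == "8":
            # Rule 3: rundll32.exe injecting a thread into svchost.exe; rebuild the chain
            # back to whatever launched rundll32 so the analyst sees the full story.
            if image_name(e["SourceImage"]) == "rundll32.exe" and image_name(e["TargetImage"]) == "svchost.exe":
                src = by_pid.get(e["SourceProcessId"])
                chain = [image_name(src["ParentImage"]) if src else "?", "rundll32.exe", "svchost.exe"]
                hits.append({"rule": "rundll32_remote_thread_svchost", "pid": e["TargetProcessId"],
                             "technique": "T1055", "chain": chain})
    return hits


if __name__ == "__main__":
    for h in detect(EVENTS):
        print(h)
```

Rule 2 on its own will fire on some legitimate software that hosts code in a freshly started svchost.exe; it is the combination with rule 1 and rule 3 on the same PIDs that makes the alert worth an analyst's time.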
Data Transmission and Command Execution
Once running, LODEINFO contacts its C2 servers using HTTP POST requests. The first message carries basic host information such as the computer name, language environment and MAC address. The body is encrypted with AES and then Base64-encoded: the encoding only makes the ciphertext safe to carry in an HTTP body, while the encryption is what keeps the content from inspection on the wire. The C2 can answer with commands to execute a PE file, run shellcode, upload or download files, kill a process, send a file list, or report the malware version, which gives the operators ongoing control of the host.
Command and Control Communication
Commands from the C2 use the same AES-plus-Base64 wrapping as the outbound data, so a traffic capture does not by itself reveal what was requested. Analysts either need the key recovered from a sample or must work from metadata: the destination, the request pattern, and the size and entropy of the bodies. The command set, covering file transfer, process termination and arbitrary code execution, means a single infected host can be used for extensive system manipulation and data theft.
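The wrapping described in the two sections above (AES, then Base64, in both directions) leaves a recognisable shape on the wire even without the key. The following Python triage routine is an added example, not code from this page or its reference: it runs over constructed proxy records and flags POST bodies that are strict Base64, decode to AES-block-aligned, high-entropy bytes, and go to a host outside an allowlist. The hosts, allowlist and entropy threshold are assumptions to tune locally.

```python
"""Network-side triage for the LODEINFO C2 pattern described above.

Works on constructed proxy records (not real captures). Bodies that are AES
ciphertext wrapped in Base64 decode to block-aligned, high-entropy bytes; this
flags that shape without needing the key. The hosts, allowlist and threshold
are hypothetical and must be tuned per environment.
"""
import base64
import binascii
import hashlib
import math
from typing import Dict, List, Optional

AES_BLOCK = 16            # AES block size; padded CBC ciphertext is a multiple of this
ENTROPY_THRESHOLD = 6.0   # bits per byte; text and JSON usually score well below this
KNOWN_GOOD_HOSTS = {"intranet.example.jp"}  # hypothetical allowlist of expected POST targets


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, 0.0 for empty input."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def decode_body(body: str) -> Optional[bytes]:
    """Strict Base64 decode; None if the body is not Base64 at all."""
    try:
        return base64.b64decode(body.strip(), validate=True)
    except (binascii.Error, ValueError):
        return None


def assess_post(record: Dict[str, str]) -> Dict[str, object]:
    """Score one proxy record; 'suspicious' is True only when every C2-shaped trait is present."""
    reasons: List[str] = []
    raw = decode_body(record.get("body", ""))
    entropy = shannon_entropy(raw) if raw else 0.0
    if raw is not None:
        reasons.append("base64_body")
        if len(raw) > 0 and len(raw) % AES_BLOCK == 0:
            reasons.append("block_aligned")
        if entropy >= ENTROPY_THRESHOLD:
            reasons.append("high_entropy")
    if record["host"] not in KNOWN_GOOD_HOSTS:
        reasons.append("unlisted_host")
    suspicious = {"base64_body", "block_aligned", "high_entropy", "unlisted_host"} <= set(reasons)
    return {"host": record["host"], "entropy": round(entropy, 2),
            "reasons": reasons, "suspicious": suspicious}


def triage(records: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Assessments for the suspicious POST requests only; C2 responses can be fed the same way."""
    return [a for a in (assess_post(r) for r in records if r["method"] == "POST") if a["suspicious"]]


# Constructed stand-in for AES ciphertext: 512 deterministic pseudo-random bytes.
FAKE_CIPHERTEXT = b"".join(hashlib.sha256(b"constructed-block-%d" % i).digest() for i in range(16))

# Constructed proxy records; 203.0.113.10 is a documentation address (RFC 5737).
RECORDS: List[Dict[str, str]] = [
    {"method": "POST", "host": "203.0.113.10", "uri": "/",
     "body": base64.b64encode(FAKE_CIPHERTEXT).decode()},
    {"method": "POST", "host": "intranet.example.jp", "uri": "/login",
     "body": "user=alice&lang=ja"},
    {"method": "POST", "host": "203.0.113.10", "uri": "/api",
     "body": base64.b64encode(b'{"status":"ok","items":[1,2,3]}').decode()},
    {"method": "GET", "host": "203.0.113.10", "uri": "/", "body": ""},
]

if __name__ == "__main__":
    for hit in triage(RECORDS):
        print(hit)
```

The block-alignment check is what separates padded block-cipher output from compressed or otherwise random-looking bodies; the entropy check is what separates it from the Base64-encoded JSON that many legitimate APIs send. Neither is proof on its own, so the result is a triage queue, not a verdict.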
Code Structure and Development
Parts of the LODEINFO code resemble the open-source PNG encoder/decoder LodePNG, available on GitHub. Why the authors incorporated LodePNG is not clear from the samples; it may be reused functionality or simply a way to make the binary look like ordinary code. Version strings such as "v0.1.2" and leftover debug strings indicate that the malware was still under active development, so indicators and detection logic built for one version should be expected to age.
Conclusion
LODEINFO combines social engineering for initial access with an encrypted command-and-control channel and process injection to keep control of infected hosts. Understanding the specific mechanics, the Word-to-rundll32-to-svchost chain on the host and the AES-plus-Base64 POST traffic on the wire, is what lets an organization write detections that survive the malware's continued development. Continuous monitoring of those signals, rather than reliance on static signatures alone, remains the practical defence.

MITRE Tactics and Techniques

Initial Access (TA0001):
Phishing: Spearphishing Attachment (T1566.001): LODEINFO is distributed through spear-phishing emails carrying malicious Word documents that prompt the user to enable macros.
Execution (TA0002):
User Execution: Malicious File (T1204.002): the user must open the document and enable macros before any code runs. System Binary Proxy Execution: Rundll32 (T1218.011): the macro runs the dropped payload through rundll32.exe rather than as a standalone executable.
Defense Evasion (TA0005):
Process Injection (T1055): the payload is injected into an svchost.exe process as a new thread so that it runs under a legitimate process name.
Persistence (TA0003):
Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001): LODEINFO can create a registry entry so that it runs at each logon.
Command and Control (TA0011):
Application Layer Protocol: Web Protocols (T1071.001): HTTP POST requests carry data to the C2 and commands back. Encrypted Channel: Symmetric Cryptography (T1573.001) and Data Encoding: Standard Encoding (T1132.001): the bodies are AES-encrypted and then Base64-encoded in both directions.
Exfiltration (TA0010):
Exfiltration Over C2 Channel (T1041): collected host information and any data the operators stage are sent back over the same encrypted channel.
References:
  • Malware "LODEINFO" Targeting Japan (JPCERT/CC blog, February 2020)
    © 2025 | CyberMaterial | All rights reserved