Chinese Hackers Target Japanese Firms with LODEINFO and NOOPDOOR Malware

Jul 31, 2024 | Ravie Lakshmanan | Cyber Attack / Threat Intel

Japanese organizations are the target of a Chinese state-backed threat actor that uses malware families such as LODEINFO and NOOPDOOR to harvest sensitive information from compromised hosts, in some cases remaining undetected for two to three years.

Israeli cybersecurity firm Cybereason is tracking the activity under the name Cuckoo Spear, attributing it to a known intrusion set called APT10, which is also tracked as Bronze Riverside, ChessMaster, Cicada, Cloudhopper, MenuPass, MirrorFace, Purple Typhoon (formerly Potassium), and Stone Panda.

“The perpetrators behind NOOPDOOR not only used LODEINFO during the operation but also employed the new backdoor to extract data from compromised corporate networks,” it stated.

The findings come weeks after JPCERT/CC warned of cyber attacks carried out by the threat actor against Japanese organizations using the two malware families.

Earlier this year, ITOCHU Cyber & Intelligence disclosed that it had discovered an updated version of the LODEINFO backdoor incorporating anti-analysis techniques, and highlighted the use of spear-phishing emails to distribute the malware.

Trend Micro, which originally coined the name MenuPass for the threat actor, describes APT10 as an umbrella group comprising two clusters it tracks as Earth Tengshe and Earth Kasha. The group has been active since at least 2006.

While Earth Tengshe is associated with campaigns distributing SigLoader and SodaMaster, Earth Kasha exclusively uses LODEINFO and NOOPDOOR. Both sub-groups have been observed targeting public-facing applications with the goal of exfiltrating data from the network.

Earth Tengshe is also said to be linked to another cluster codenamed Bronze Starlight (also known as Emperor Dragonfly or Storm-0401), which has a history of operating short-lived ransomware families such as LockFile, Atom Silo, Rook, Night Sky, Pandora, and Cheerscrypt.

Earth Kasha, on the other hand, has been observed changing its initial access methods since April 2023 to exploit public-facing applications, leveraging unpatched flaws in Array AG (CVE-2023-28461), Fortinet (CVE-2023-27997), and Proself (CVE-2023-45727) appliances to deliver LODEINFO and NOOPDOOR (also known as HiddenFace).

LODEINFO supports multiple commands to execute arbitrary shellcode, log keystrokes, capture screenshots, terminate processes, and exfiltrate files to an actor-controlled server. NOOPDOOR, which shares code similarities with another APT10 backdoor known as ANEL Loader, offers features for uploading and downloading files, executing shellcode, and launching additional programs.

“LODEINFO seems to function as the main backdoor while NOOPDOOR acts as a secondary backdoor, maintaining persistence within the compromised corporate network for over two years,” Cybereason said. “Adversaries ensure persistence within the environment by misusing scheduled tasks.”
