LODEINFO Since 2023
Beginning in early 2023, Earth Kasha expanded its targeting to Japan, Taiwan, and India. Judging from the skewed incident count, Japan likely remains the core target, but several high-profile institutions in Taiwan and India were also singled out. The targeted sectors are advanced-technology organizations and government bodies.
Earth Kasha diversified its Initial Access TTPs and now exploits public-facing applications such as SSL-VPN and file storage services. Vulnerabilities in enterprise products including Array AG (CVE-2023-28461), Proself (CVE-2023-45727), and FortiOS/FortiProxy (CVE-2023-27997) were exploited in the wild, and Earth Kasha changed its approach to these vulnerabilities over time. After gaining entry, they planted multiple backdoors in the victim's network for persistence, including Cobalt Strike, LODEINFO, and the newly discovered NOOPDOOR, which is described later.
Observed TTPs in the Post-Intrusion Phase
Our analysis of activity in the post-intrusion phase shows that the primary goal of the attack was stealing the victim's information and data. Earth Kasha first enumerated Active Directory configuration and domain user information with legitimate Microsoft utilities such as csvde.exe, nltest.exe, and quser.exe. The actual commands used by the attacker are listed below.
- csvde.exe -f all.csv -u
- nltest.exe /domain_trusts
- quser.exe
They then accessed the file server and tried to find documents describing the client's network and systems simply by running "dir" commands recursively. Interestingly, the observed activity suggests the operator may have manually read the contents of these documents. The stolen information could help the attacker identify the next valuable target.
Earth Kasha then used several methods to obtain credentials. One was their custom malware MirrorStealer, which extracts credentials stored in applications. MirrorStealer, first documented in a report by ESET, is a credential dumper targeting browsers (Chrome, Firefox, Edge, and Internet Explorer), email clients (Outlook, Thunderbird, Becky, and Live Mail), Group Policy Preferences, and SQL Server Management Studio.
Because MirrorStealer appears to be built for extracting application credentials on client machines, Earth Kasha used a different method to steal OS credentials. The adversary was observed abusing vssadmin to copy registry hives and ntds.dit from the Active Directory server via a volume shadow copy, since these files are locked while the system is running. The SAM registry hive holds the NTLM hashes of local machine users, ntds.dit holds the NTLM hashes of all domain users, and the SYSTEM hive holds the boot key needed to decrypt both. After creating the volume shadow copy, the adversary ran the following commands.
- copy \\<AD_SERVER_IP>\c$\windows\temp\ntds.dit .
- copy \\<AD_SERVER_IP>\c$\windows\temp\system .
- copy \\<AD_SERVER_IP>\c$\windows\temp\sam .
Although the exact method could not be determined, Earth Kasha succeeded in compromising a domain admin account in most cases. After that, they deployed backdoors (LODEINFO or NOOPDOOR) to multiple machines by transferring components over SMB and using schtasks.exe or sc.exe for lateral movement. The following are the actual commands the adversary used to distribute malicious components over admin shares.
- copy SfsDllSample.exe \\<IP>\c$\windows\temp\SfsDllSample.exe
- copy SfsDll32.dll \\<IP>\c$\windows\temp\SfsDll32.dll
- copy mssitlb.xml \\<IP>\C$\Windows\system32\UIAnimation.xml
- copy ShiftJIS.dat \\<IP>\C$\Windows\system32\ComputerToastIcon.contrast-white.dat
As the intrusion progressed, Earth Kasha began exfiltrating the stolen information. The adversary gathered data, including ntds.dit, the SYSTEM and SAM registry hives, and other files of interest, on a single victim machine and compressed them into one archive with the makecab command. How this data left the network could not be confirmed, but it most likely went over the backdoor channel. Earth Kasha also transferred files of interest out of the victim network through RDP sessions, copying them to the RDP source host over SMB (the "tsclient" share maps to the RDP source host).
- \\tsclient\C\aaa\All PC List.xlsx
- \\tsclient\C\aaa\All IP List.xlsx
- \\tsclient\C\aaa\Network Diagram.xlsx
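As an added example that is not part of the original report, the following Python rules match the post-intrusion commands listed above (AD enumeration, shadow-copy hive theft, admin-share drops, schtasks/sc lateral movement, makecab staging, tsclient transfers) against constructed process-creation events; the host names, IP addresses and the "<host> <user> <command line>" log format are assumptions.

```python
import re

# Constructed sample process-creation events (not from the original report).
# Assumed format: "<host> <user> <command line>".
SAMPLE_EVENTS = [
    "WS01 CORP\\alice csvde.exe -f all.csv -u",
    "WS01 CORP\\alice nltest.exe /domain_trusts",
    "WS01 CORP\\alice quser.exe",
    "WS02 CORP\\bob vssadmin create shadow /for=C:",
    "WS02 CORP\\bob copy \\\\10.0.0.5\\c$\\windows\\temp\\ntds.dit .",
    "WS02 CORP\\bob copy SfsDllSample.exe \\\\10.0.0.9\\c$\\windows\\temp\\SfsDllSample.exe",
    "WS02 CORP\\bob schtasks.exe /create /s 10.0.0.9 /tn Upd /tr c:\\windows\\temp\\SfsDllSample.exe /sc once /st 00:00",
    "WS02 CORP\\bob sc \\\\10.0.0.9 create Upd binpath= c:\\windows\\temp\\SfsDllSample.exe",
    "WS02 CORP\\bob makecab /f files.ddf",
    "WS03 CORP\\carol copy \"\\\\tsclient\\C\\aaa\\All PC List.xlsx\" .",
    "WS04 CORP\\dave notepad.exe notes.txt",
]

# Detection rules keyed by name; each is a case-insensitive regex over the command line.
RULES = {
    "ad_recon_csvde": re.compile(r"\bcsvde(\.exe)?\b.*\s-f\s", re.I),
    "ad_recon_nltest_trusts": re.compile(r"\bnltest(\.exe)?\b.*/domain_trusts", re.I),
    "session_recon_quser": re.compile(r"\bquser(\.exe)?\b", re.I),
    "shadow_copy_vssadmin": re.compile(r"\bvssadmin(\.exe)?\b.*\bcreate\s+shadow\b", re.I),
    # ntds.dit / SAM / SYSTEM copied off an admin share (credential access)
    "cred_hive_copy_over_share": re.compile(
        r"\bcopy\b.*\\\\[^\\]+\\c\$\\.*\\(ntds\.dit|sam|system)\b", re.I),
    # component dropped into a remote host's windows\temp or system32 (lateral movement)
    "admin_share_temp_drop": re.compile(
        r"\bcopy\b\s+\S+\s+\\\\[^\\]+\\c\$\\windows\\(temp|system32)\\", re.I),
    "remote_task_schtasks": re.compile(r"\bschtasks(\.exe)?\b.*\s/s\s", re.I),
    "remote_service_sc": re.compile(r"\bsc(\.exe)?\s+\\\\\S+\s+(create|start)\b", re.I),
    "archive_makecab": re.compile(r"\bmakecab(\.exe)?\b", re.I),
    "rdp_tsclient_transfer": re.compile(r"\\\\tsclient\\", re.I),
}

def classify(event_line):
    """Return the sorted rule names whose pattern matches the event's command line."""
    _host, _user, cmdline = event_line.split(" ", 2)
    return sorted(name for name, rx in RULES.items() if rx.search(cmdline))

def hits_by_host(events):
    """Group rule hits per host; a host that trips recon, credential access,
    lateral movement and collection rules together is the first to triage."""
    hits = {}
    for line in events:
        hits.setdefault(line.split(" ", 1)[0], set()).update(classify(line))
    return {host: sorted(names) for host, names in hits.items()}
```

Each rule fires on one stage only, so the per-host grouping is what surfaces the chain: in the constructed sample, WS02 alone trips six of the ten rules.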
Malware Analysis
In Earth Kasha's earlier campaign, LODEINFO was the primary backdoor. In the latest campaign, we observed several backdoors, namely Cobalt Strike, LODEINFO, and the previously unreported NOOPDOOR, chosen selectively for each incident.
