Japanese organizations are being targeted by a Chinese nation-state threat that uses a family of malware such as LODEINFO and NOOPDOOR to collect sensitive information from compromised hosts while remaining undetected in some cases for periods of two to three years .
Israeli cybersecurity firm Cybereason is tracking a company called Spear Cuckooattributing it as being associated with a well-known intrusion suite called APT10, which is also known as Bronze Riverside, ChessMaster, Cicada, Cloudhopper, MenuPass, MirrorFace, Purple Typhoon (formerly Potassium), and Stone Panda.
“The actors behind NOOPDOOR not only used LODEINFO during the campaign, but also used the new backdoor to steal data from compromised corporate networks,” it said. said.
The conclusions were drawn a few weeks after JPCERT/CC warned threat actor-orchestrated cyberattacks against Japanese entities using two types of malware.
Earlier this January ITOCHU Cyber & Intelligence opened that it discovered an updated version of the LODEINFO backdoor that includes anti-analysis techniques, highlighting the use of phishing emails to spread malware.
Trend Micro, which originally coined the term MenuPass to describe the threat, has characterized APT10 names Tenshe Land and Kash Land as an umbrella group consisting of two clusters. The hacker group is known to have been active since at least 2006.
For now Land of Tenshe associated with distribution companies SigLoader and SodaMaster, Earth Kasha is credited with the exclusive use of LODEINFO and NOOPDOOR. Both sub-groups have been seen targeting public programs to steal data and information on the network.
The land of Tenshe is also called connected to another cluster with a code name Bronze starlight (aka Emperor Dragonfly or Storm-0401), which has a history of operation short-lived ransomware families like LockFile, Atom Silo, Rook, Night Sky, Pandora and Cheerscrypt.
On the other hand, Earth Kasha was found to have changed its original access methods using publicly available programs since April 2023, exploiting unpatched flaws in Array AG (CVE-2023-28461), Fortinet (CVE-2023-27997), and Proself (CVE-2023-45727) distribution instances of LODEINFO and NOOPDOOR (aka HiddenFace).
LODEINFO comes with several commands to execute arbitrary shellcode, record keystrokes, take screenshots, kill processes, and dump files back to an actor-controlled server. NOOPDOOR, which shares code similarities with another APT10 backdoor known as ANEL Loader, has the functionality to upload and download files, execute shellcode, and launch other programs.
“LODEINFO appears to be used as a primary backdoor, with NOOPDOOR acting as a secondary backdoor, maintaining resilience in a compromised corporate network for over two years,” Cybereason said. “Threat Actors Maintain Persistence in Environments by Abusing Scheduled Tasks.”
