A recently reported cybersecurity incident has revealed a stealthy infection chain employed by the Chinese state-sponsored group known as Stone Panda. This threat actor has been targeting various entities in Japan, including media outlets, governmental and public sector organizations, as well as think tanks, raising alarms about the potential risk to national security and intellectual property.

Kaspersky’s recent findings, documented in two comprehensive reports, highlight the targeting of these sectors from March to June 2022. Stone Panda, also referred to as APT10, has a history of espionage activities focused on organizations deemed strategically important to Chinese interests, with operations dating back to 2009.

In this latest wave of attacks, the group has leveraged a combination of malicious Microsoft Word documents and self-extracting RAR files disseminated through spear-phishing emails. These tactics led to the deployment of a backdoor named LODEINFO, which allows for unauthorized access and manipulation of compromised systems.

The unique aspect of these attacks lies in the maldoc’s requirement for users to enable macros to trigger the malicious payload. However, in a notable shift during the June campaign, the threat actor opted to use a self-extracting file that presented a benign decoy document while executing harmful processes in the background.

When macros are enabled, the payload extracts a ZIP archive containing a legitimate, signed executable from K7Security Suite, which then loads a malicious dynamic-link library (DLL) placed alongside it through a technique known as DLL side-loading. This method underscores the sophistication with which Stone Panda operates, misusing trusted software to further its malicious objectives.

In addition, Kaspersky researchers identified another method of infection in June, involving a password-protected Word file that delivered a fileless downloader named DOWNIISSA upon macro activation. This approach highlights the group’s innovative tactics in circumventing traditional security measures.

According to Kaspersky, DOWNIISSA generates shellcode that it injects into the Word process (WINWORD.exe), establishing communication with a hard-coded remote server to retrieve an encrypted payload for LODEINFO. This backdoor is designed to execute arbitrary shellcode, capture screenshots, and perform unauthorized file exfiltration, further emphasizing the intelligence and capabilities of the attackers.
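The two behaviours described above (a legitimate vendor executable side-loading a DLL from a user-writable directory, and WINWORD.exe itself beaconing to a remote server) are detectable from endpoint telemetry. The following is an added example of such detection logic, not code from Kaspersky's reports; it runs over constructed Sysmon-style events whose file names, paths and addresses are placeholders rather than indicators from the campaign.

```python
"""Heuristics for the LODEINFO-style chain: DLL side-loading from a
user-writable directory and network activity originating from Word.
Events below are constructed samples in a Sysmon-like shape."""
from pathlib import PureWindowsPath

# Constructed events; vendor file names and IPs are placeholders, not real IoCs.
EVENTS = [
    {"type": "ImageLoad",
     "image": r"C:\Users\alice\AppData\Local\Temp\extracted\k7vendor_placeholder.exe",
     "loaded": r"C:\Users\alice\AppData\Local\Temp\extracted\k7helper_placeholder.dll",
     "signed": False},
    {"type": "ImageLoad",
     "image": r"C:\Program Files\K7 Computing\vendor_placeholder.exe",
     "loaded": r"C:\Program Files\K7 Computing\helper_placeholder.dll",
     "signed": True},
    {"type": "NetworkConnect",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "dest": "203.0.113.10", "port": 443},
    {"type": "NetworkConnect",
     "image": r"C:\Windows\System32\svchost.exe",
     "dest": "203.0.113.11", "port": 443},
]

# Directory fragments a standard user can write to; extend for your estate.
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\", "\\downloads\\")

def is_user_writable(path: str) -> bool:
    return any(frag in path.lower() for frag in USER_WRITABLE)

def suspicious_sideload(ev: dict) -> bool:
    """An executable in a user-writable directory loading an unsigned DLL from
    that same directory: the side-loading pattern in the chain above."""
    if ev["type"] != "ImageLoad" or ev["signed"]:
        return False
    exe_dir = PureWindowsPath(ev["image"]).parent
    dll_dir = PureWindowsPath(ev["loaded"]).parent
    return (exe_dir == dll_dir and is_user_writable(str(exe_dir))
            and ev["loaded"].lower().endswith(".dll"))

def office_network(ev: dict, allow: frozenset = frozenset()) -> bool:
    """Word opening a socket to a destination outside an allowlist. In
    production, populate `allow` with your sanctioned Office/Microsoft endpoints."""
    if ev["type"] != "NetworkConnect":
        return False
    return (PureWindowsPath(ev["image"]).name.lower() == "winword.exe"
            and ev["dest"] not in allow)

def detect(events: list) -> list:
    """Return (rule, detail) tuples for every event that trips a heuristic."""
    findings = []
    for ev in events:
        if suspicious_sideload(ev):
            findings.append(("dll-sideload", ev["image"]))
        if office_network(ev):
            findings.append(("office-beacon", ev["dest"]))
    return findings
```

Run against the constructed events, `detect(EVENTS)` flags only the Temp-directory side-load and the Word connection; the vendor's own install directory and svchost.exe pass.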

The evolution of LODEINFO, which first emerged in 2019, indicates a consistent pattern of upgrades aimed at evading detection. Recent enhancements included changes to its execution tactics, alterations to supported commands, and broadened compatibility with Intel 64-bit architecture. Kaspersky researchers noted with concern the sustained focus of Stone Panda on Japanese targets, pointing out that the group has developed tactics that complicate detection and analysis by security professionals.

This incident underscores the pressing need for organizations to be vigilant against sophisticated cyber threats. The use of advanced tactics and persistent improvements in malware like LODEINFO illuminate the ongoing evolution of threats facing businesses globally, making it imperative for companies to adopt comprehensive cybersecurity strategies that align with the latest in threat intelligence.
