APT10 – Tracking down LODEINFO

After infecting the target machine, the LODEINFO backdoor beacons out machine information to the C2, such as current time, ANSI code page (ACP) identifier, MAC address and hostname.
The beacon also contains a hardcoded key (NV4HDOeOVyL) used later by the age-old Vigenere cipher.
Furthermore, randomly generated junk data is appended to the end of the data, possibly to evade beaconing detection based on packet size.

The encryption function used to send data was also modified, making it even more complicated. As observed in previous variants, it takes the first 48 bytes of the SHA512 hash value of the data to be sent. Then it XORs the data using a four-byte XOR key that is equal to the elapsed running time, and prepends it before the data. The first 16 bytes to be sent are from another SHA512 hash value, this time taken from the previously mentioned hardcoded AES key (NV4HDOeOVyL). It encrypts 11 bytes at the end of a base64-encoded payload (with replaced padding from “=” to “.”) to dynamically generate the second Vigenere cipher key and the variable of the final generated data. The second key is used by the Vigenere cipher to encrypt the base64 encoded header (url-safe replaced padding from “=” to “.”).

Finally, the data to be sent to the C2 is produced using the second key, the encrypted header, and the payload through the complex steps described above.
LODEINFO v0.5.6 backdoor command identifiers are obfuscated with a two-byte XOR operation. Before comparing a command identifier, an XOR operation is applied for each command.
Version 0.5.9 has a new hash calculation algorithm compared to v0.5.8. The hashing algorithm is used by the malware to calculate hashes for API function names, to resolve the function addresses. In this case it seems to be a custom algorithm developed by the actor. The logic of the hash calculation has an XOR operation with a two-byte key at the end and the hardcoded XOR key, which is different in each sample.
In LODEINFO v0.6.2 and later versions, the shellcode has a new feature that looks for the “en_US” locale on the victim’s machine in a recursive function and halts execution if that locale is found.

LODEINFO v0.6.2 is generating user agent for C2 communications and supporting the injection of the 64-bit shellcode in ‘memory’ command.
As for updates implemented in the LODEINFO backdoor commands, the obfuscation method using two-byte XOR encryption for backdoor command identifiers as well as the debug strings remained untouched up to version 0.5.6. However, in version 0.6.3, the actor removed some of the unnecessary backdoor commands to improve the efficiency of the backdoor. The number of backdoor commands was reduced from 21 in v0.6.2 to 11 in v0.6.3.

Sign Up For Threat Alerts

Loading...
Threats Icon

Dec 01, 2022

UNC4191 Threat Group Targets Entities In The...

The UNC4191 threat group was discovered targeting entities in the Philippines with custom malware and...

Threats Icon

Nov 30, 2022

Emotet Leads To Quantum Ransomware Infection

Threat actors were observed using Emotet to gain access to the victim's network and deploy...

Threats Icon

Nov 29, 2022

RansomExx Upgrades to Rust

IBM Security X-Force Threat Researchers have discovered a new variant of the RansomExx ransomware that...

Threats Icon

Nov 29, 2022

Ransomware Roundup: Cryptonite Ransomware

FortiGuard Labs has reported on Cryptonite ransomware, which was found to target Microsoft Windows machines...

Threats Icon

Nov 28, 2022

Operation Typhoon: The Cyber Sea Lotus Coveting...

Cyber espionage actors, now designated by FireEye as APT32 (OceanLotus Group), are carrying out intrusions...

Threats Icon

Nov 27, 2022

IL-Cert Alert – Active phishing campaign in...

There is a new phishing campaign in Israel. The malware relies upon user execution. The...

Threats Icon

Nov 27, 2022

Emotets Vacation Is Over: No Rest For...

Emotet started as a banking Trojan in spreading via spam campaigns by imitating financial statements,...

Threats Icon

Nov 24, 2022

Aurora: A Rising Stealer Flying Under The...

Aurora is a multipurpose botnet with data collection, information stealer, downloading, and remote access Trojan...

Threats Icon

Nov 23, 2022

Analysis Of The ViperSoftX And VenomSoftX Information...

Torrents and software-sharing sites are being used to target victims across the globe with variants...

Threats Icon

Nov 22, 2022

Wipermania

Wipers have existed for years, and while they haven't been utilized as much as ransomware,...

Threats Icon

Nov 21, 2022

LockBit 3.0 Ransomware Unlocked

Also known as LockBit Black, this ransomware family announced itself stating that it would now...

Threats Icon

Nov 21, 2022

Control Panel Executable Abused For QakBot Infection

QakBot campaign modifies deployment tactics and aims to exploit a DLL hijacking technique that abuses...

Threats Icon

Nov 20, 2022

Earth Preta Spear-Phishing Governments Worldwide

Trend Micro teams have been monitoring a wave of spear-phishing attacks targeting the government, academic,...

Threats Icon

Nov 20, 2022

CISA Alert (AA22-321A) – Hive Ransomware Analysis

Threat actors are using Hive ransomware variants to target the government, communication, critical manufacturing, information...

Threats Icon

Nov 16, 2022

DTrack activity targeting Europe and Latin America

DTrack is a backdoor used by the Lazarus group. It is used by the Lazarus...