Japanese organizations have been targeted by Chinese nation-state threat actors who are leveraging malware families such as LODEINFO and NOOPDOOR to collect sensitive information from compromised hosts, in some cases operating covertly and undetected for two to three years.
Israeli cybersecurity firm Cybereason described the campaign as “Cuckoo’s Spear.” The report said the malware is related to a known set of intrusions tracked as APT10, which is also known as Bronze Riverside, ChessMaster, Cicada, Cloudhopper, MenuPass, MirrorFace, Purple Typhoon (formerly Potassium) and Stone Panda.
“The attackers behind NOOPDOOR not only utilized LODEINFO during their campaign, but also utilized a new backdoor to exfiltrate data from compromised corporate networks,” the report said.
The discovery comes weeks after JPCERT/CC warned about the use of the two malware strains to carry out cyber attacks targeting organizations in Japan.
Earlier in January this year, Itochu Cyber and Intelligence revealed that it had discovered an updated version of the LODEINFO backdoor that incorporated anti-analysis techniques, highlighting the use of spear-phishing emails to spread the malware.
Trend Micro originally coined the term “MenuPass” to describe the threat actors, but the company describes APT10 as an umbrella group consisting of two groups, “Earth Tengshe” and “Earth Kasha,” a hacking group known to have been active since at least 2006.
Earth Tengshe has been linked to campaigns distributing SigLoader and SodaMaster, while Earth Kasha is said to only use LODEINFO and NOOPDOOR. Both subgroups have been observed targeting public-facing applications with the intent of stealing data and information within the network.
Earth Tengshe is also said to be associated with another cluster codenamed Bronze Starlight (also known as Emperor Dragonfly or Storm-0401), which has a history of operating short-lived ransomware families such as LockFile, Atom Silo, Rook, Night Sky, Pandora and Cheerscrypt.
Meanwhile, Earth Kasha has been found exploiting unpatched vulnerabilities in Array AG (CVE-2023-28461), Fortinet (CVE-2023-27997), and Proself (CVE-2023-45727) instances to deliver LODEINFO and NOOPDOOR (aka HiddenFace) since April 2023, marking a switch in its initial access methods toward the exploitation of public-facing applications.
LODEINFO comes with multiple commands to execute arbitrary shellcode, log keystrokes, capture screenshots, terminate processes, and exfiltrate files to attacker-controlled servers. NOOPDOOR, which shares code similarities with another APT10 backdoor known as ANEL Loader, can upload and download files, execute shellcode, and launch additional programs.
“LODEINFO was used as the primary backdoor, with NOOPDOOR acting as a secondary backdoor, and appears to have persisted within compromised corporate networks for over two years,” Cybereason said. “Threat actors continue to maintain persistence within environments by abusing scheduled tasks.”
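Because the report singles out scheduled tasks as the persistence mechanism, a defender's first check is to review the task definitions on a host. The script below is an added example, not code from Cybereason or from the report: it parses Task Scheduler XML definitions (the format produced by `schtasks /query /xml` or stored under `%SystemRoot%\System32\Tasks`) and flags tasks whose action runs from a user-writable directory, proxies a payload through a signed system binary, or is marked hidden. The two task definitions, the vendor name `ExampleVendor`, and the path `C:\Users\Public\Libraries\update.dll` are constructed samples, and the path and binary lists are assumptions chosen for illustration, not indicators from the campaign.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List

# Namespace used by Task Scheduler XML definitions.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Assumed heuristics: path fragments where a vendor-installed scheduled binary rarely lives,
# and signed Windows binaries that will load or run whatever payload is passed as an argument.
USER_WRITABLE_HINTS = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")
PROXY_EXECUTION_BINARIES = (
    "rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe",
)


def parse_task(xml_text: str) -> Dict[str, str]:
    """Extract the fields relevant to a persistence review from one task definition."""
    root = ET.fromstring(xml_text)

    def text(path: str) -> str:
        node = root.find(path, NS)
        return (node.text or "").strip() if node is not None else ""

    return {
        "uri": text("t:RegistrationInfo/t:URI"),
        "author": text("t:RegistrationInfo/t:Author"),
        "command": text("t:Actions/t:Exec/t:Command"),
        "arguments": text("t:Actions/t:Exec/t:Arguments"),
        "hidden": text("t:Settings/t:Hidden").lower(),
        "run_level": text("t:Principals/t:Principal/t:RunLevel"),
    }


def assess_task(task: Dict[str, str]) -> List[str]:
    """Return the reasons a task deserves analyst attention; an empty list means nothing notable."""
    reasons: List[str] = []
    command = task["command"].lower().strip('"')
    arguments = task["arguments"].lower()

    if any(hint in command for hint in USER_WRITABLE_HINTS):
        reasons.append("action executes from a user-writable directory")
    # A system binary is unremarkable on its own; it becomes interesting when its
    # argument points at a DLL or script in a user-writable location.
    if command.endswith(PROXY_EXECUTION_BINARIES) and any(h in arguments for h in USER_WRITABLE_HINTS):
        reasons.append("system binary used to load a payload from a user-writable directory")
    if task["hidden"] == "true":
        reasons.append("task is flagged hidden")
    if task["run_level"] == "HighestAvailable" and reasons:
        reasons.append("runs with highest available privileges")
    return reasons


def review_tasks(xml_docs: List[str]) -> Dict[str, List[str]]:
    """Map each task URI to its findings, keeping only tasks that produced at least one."""
    findings = {}
    for doc in xml_docs:
        task = parse_task(doc)
        reasons = assess_task(task)
        if reasons:
            findings[task["uri"]] = reasons
    return findings


# Constructed sample: a vendor updater installed under Program Files (expected to be quiet).
BENIGN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\ExampleVendor\Updater</URI><Author>ExampleVendor</Author></RegistrationInfo>
  <Principals><Principal id="Author"><RunLevel>LeastPrivilege</RunLevel></Principal></Principals>
  <Settings><Hidden>false</Hidden></Settings>
  <Actions><Exec><Command>C:\Program Files\ExampleVendor\updater.exe</Command><Arguments>/check</Arguments></Exec></Actions>
</Task>"""

# Constructed sample: a hidden, elevated task that loads a DLL from a public directory via rundll32.
SUSPICIOUS_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\Updater\SyncTask</URI><Author>SYSTEM</Author></RegistrationInfo>
  <Principals><Principal id="Author"><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions><Exec><Command>C:\Windows\System32\rundll32.exe</Command><Arguments>C:\Users\Public\Libraries\update.dll,Start</Arguments></Exec></Actions>
</Task>"""


if __name__ == "__main__":
    for uri, reasons in review_tasks([BENIGN_TASK, SUSPICIOUS_TASK]).items():
        print(uri)
        for reason in reasons:
            print("  -", reason)
```

On a live host the same functions can be fed the XML files under the Tasks directory; the heuristics are deliberately coarse and exist to shortlist tasks for a human, not to make a verdict, so a hit should be followed by checking the task's creation time and the binary's signature and hash.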