Security researchers at Symantec have detected a new information stealer named Infostealer.Logdatter. Actors have used this stealer in attacks targeting Asian governments and public entities in Asia such as aerospace and defense firms, telecommunications companies, and IT organizations. This campaign has been occurring since at least early 2021 and is ongoing. While researchers believe this may be tied to the Chinese APT41 and Mustang Panda threat actors based on similar tactics, techniques, and procedures (TTPs), this could not be confirmed for certain.
In an incident from April 2022 that was detailed by Symantec researchers, the attack began with a malicious DLL that established backdoor access. This DLL was sideloaded using the Bitdefender Crash Handler to load a .dat file. Over the course of the next month, the actors performed a variety of different actions such as downloading ProcDump to steal LSASS data, using the LadonGo penetration testing framework for network reconnaissance, attempting exploits, creating additional users, and dropping additional payloads such as Infostealer.Logdatter. This new information stealer has the following capabilities:
- Connecting to and querying SQL databases
- Code injection
- Downloading files
- Stealing clipboards
This attack chain also used a variety of tools that have been seen in the past, such as QuasarRAT, Nirsoft Passview, and various PowerSploit scripts.
These attacks represent the ever-changing threat landscape that security researchers must navigate, with novel tools being developed at a higher rate than seen in the past. Because of this, attribution is not only more difficult, but detection is also more difficult as well. Rather than focusing detection efforts on particular strains of a malware, it is more beneficial to craft detections based on the TTPs that the malware uses. This changing landscape shows that it is beneficial to detect the “how”, rather than the “what”. For example, detecting a LSASS read or an execution with “http” in the command line rather than a specific IP or file hash.