APT10 (a.k.a. menuPass, Stone Panda, Potassium, Cicada, or Red Apollo) has been identified in an attack on Japanese organizations that are high-priority targets for espionage campaigns. APT10 has been constantly iterating on its custom backdoor malware LODEINFO, optimizing it and adding evasion tactics to go undetected.
Starting in March 2022, APT10 shifted their infection vector of choice to include a self-extracting RAR file delivered by custom-crafted spear-phishing attacks that ultimately result in the installation of K7SecuritySuite antivirus. This antivirus software contains a flaw that allows a threat actor to employ a technique known as DLL side-loading: the legitimate, signed antivirus executable loads a DLL from its own directory, so an attacker who places a malicious DLL of the expected name there gets it executed whenever the antivirus software is launched. Because legitimate antivirus software behaves suspiciously by nature, often needing to operate at the kernel level, other security software may not detect the genuinely malicious activity associated with K7SecuritySuite.
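As an added example (not from the original report or from any vendor), the following Python heuristic scans Sysmon-style image-load records (Event ID 7 fields `Image`, `ImageLoaded`, `Signed`, `SignatureStatus`) for the pattern described above: a DLL loaded from the process's own directory that is not validly signed. The executable and DLL names in the sample events are constructed placeholders, not real indicators.

```python
"""Flag DLL side-loading candidates in Sysmon-style image-load events."""
from pathlib import PureWindowsPath

# DLLs resolved from the Windows system directories are expected; skip them.
SYSTEM_DIRS = (r"C:\Windows\System32", r"C:\Windows\SysWOW64")

# Constructed sample events (hypothetical paths, not real telemetry).
SAMPLE_EVENTS = [
    {   # legitimate AV binary loading its own signed DLL: benign
        "Image": r"C:\Program Files\ExampleAV\av_service.exe",
        "ImageLoaded": r"C:\Program Files\ExampleAV\av_core.dll",
        "Signed": "true", "SignatureStatus": "Valid",
    },
    {   # signed AV binary dropped into Temp, loading an unsigned DLL next to it
        "Image": r"C:\Users\alice\AppData\Local\Temp\pkg\av_service.exe",
        "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\pkg\av_core.dll",
        "Signed": "false", "SignatureStatus": "Unavailable",
    },
    {   # normal system DLL load: benign
        "Image": r"C:\Users\alice\AppData\Local\Temp\pkg\av_service.exe",
        "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
        "Signed": "true", "SignatureStatus": "Valid",
    },
]


def _in_system_dir(path: PureWindowsPath) -> bool:
    # PureWindowsPath comparisons are case-insensitive, as on Windows.
    return any(PureWindowsPath(d) in path.parents for d in SYSTEM_DIRS)


def is_sideload_candidate(ev: dict) -> bool:
    """True when a non-validly-signed DLL is loaded from the process's own directory."""
    proc = PureWindowsPath(ev["Image"])
    dll = PureWindowsPath(ev["ImageLoaded"])
    if dll.suffix.lower() != ".dll" or _in_system_dir(dll):
        return False
    same_dir = dll.parent == proc.parent
    validly_signed = (ev.get("Signed", "false").lower() == "true"
                      and ev.get("SignatureStatus", "") == "Valid")
    return same_dir and not validly_signed


def find_sideload_candidates(events) -> list:
    """Return the ImageLoaded paths of all events that match the heuristic."""
    return [ev["ImageLoaded"] for ev in events if is_sideload_candidate(ev)]


if __name__ == "__main__":
    for path in find_sideload_candidates(SAMPLE_EVENTS):
        print("side-load candidate:", path)
```

A production rule would also join against the process-creation event to compare signers and weight loads from user-writable directories more heavily.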
In June 2022, Kaspersky discovered another variant of custom tools used by APT10. In this instance, instead of using DLL side-loading and self-extracting RAR files, the threat group uses fileless malware downloaded after a user opens a malicious Microsoft Office document containing VBA macros. In the latest version of LODEINFO, the number of commands available to the malware operators was reduced, possibly to create a leaner payload. The commands available in the latest version are as follows:
- Show embedded backdoor command list
- Download a file from C2
- Upload a file to C2
- Inject shellcode into memory
- Kill a process using a process ID
- Change directory
- Send malware and system information
- Take a screenshot
- Encrypt files with a generated AES key
- Execute a command using WMI
- Config (incomplete implementation)