Security researchers at Symantec have detected a new information stealer named Infostealer.Logdatter. Actors have used this stealer in attacks targeting Asian governments and public entities in Asia, including aerospace and defense firms, telecommunications companies, and IT organizations. The campaign has been active since at least early 2021 and is ongoing. Researchers believe it may be tied to the Chinese APT41 and Mustang Panda threat actors based on similar tactics, techniques, and procedures (TTPs), but this could not be confirmed.
In an incident from April 2022 that was detailed by Symantec researchers, the attack began with a malicious DLL that established backdoor access. This DLL was sideloaded using the Bitdefender Crash Handler to load a .dat file. Over the course of the next month, the actors performed a variety of different actions such as downloading ProcDump to steal LSASS data, using the LadonGo penetration testing framework for network reconnaissance, attempting exploits, creating additional users, and dropping additional payloads such as Infostealer.Logdatter. This new information stealer has the following capabilities:
- Keylogging
- Screenshots
- Connecting to and querying SQL databases
- Code injection
- Downloading files
- Stealing clipboard contents
This attack chain also used a variety of tools that have been seen in the past, such as QuasarRAT, Nirsoft Passview, and various PowerSploit scripts.
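The TTPs described above (ProcDump used against LSASS, a DLL sideloaded by a legitimate vendor binary, and new local accounts being created) all leave traces in endpoint process-creation and image-load telemetry. The following detector is an added example, not code from Symantec's report; it runs over constructed Sysmon-style `key=value` events, and the file names, the simplified log format and the alert tag names are assumptions.

```python
import re

# Constructed sample events in a simplified Sysmon-like "key=value" format
# (EventID 1 = process creation, EventID 7 = image load). Not real logs from
# the incident; binary names other than procdump/lsass/net are placeholders.
SAMPLE_EVENTS = [
    r'EventID=1 Image=C:\Tools\procdump.exe CommandLine="procdump.exe -ma lsass.exe lsass.dmp" User=CORP\admin',
    r'EventID=7 Image=C:\Temp\vendor_crash_handler.exe ImageLoaded=C:\Temp\helper.dll Signed=false',
    r'EventID=1 Image=C:\Windows\System32\net.exe CommandLine="net user svc_backup P@ss /add" User=CORP\admin',
    r'EventID=7 Image="C:\Program Files\Vendor\app.exe" ImageLoaded=C:\Windows\System32\kernel32.dll Signed=true',
    r'EventID=1 Image=C:\Windows\System32\notepad.exe CommandLine="notepad.exe notes.txt" User=CORP\user',
]

def parse_event(line):
    """Tokenise key=value pairs; quoted values may contain spaces."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}

def win_dir(path):
    """Directory part of a Windows path (os.path would not split backslashes on Linux)."""
    return path.rsplit("\\", 1)[0] if "\\" in path else ""

def classify(ev):
    """Return alert tags for one parsed event, matching the TTPs from the report."""
    alerts = []
    cmd = ev.get("CommandLine", "").lower()
    image = ev.get("Image", "").lower()
    if ev.get("EventID") == "1":
        # ProcDump full memory dump of lsass.exe (credential theft staging)
        if "lsass" in cmd and ("procdump" in image or "-ma" in cmd):
            alerts.append("lsass_dump")
        # New local account created with net.exe
        if image.endswith("net.exe") and " user " in cmd and "/add" in cmd:
            alerts.append("local_user_created")
    elif ev.get("EventID") == "7":
        # Unsigned DLL loaded from the loading binary's own directory, outside
        # C:\Windows: the classic sideloading pattern used to drop the backdoor
        loaded = ev.get("ImageLoaded", "").lower()
        same_dir = win_dir(loaded) == win_dir(image)
        outside_system = not loaded.startswith("c:\\windows\\")
        if ev.get("Signed") == "false" and same_dir and outside_system:
            alerts.append("possible_dll_sideload")
    return alerts

def scan(lines):
    """Return (tag, Image) pairs for every event that triggers an alert."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        hits.extend((tag, ev.get("Image")) for tag in classify(ev))
    return hits
```

Image-load events without the `Signed` field (for example when Sysmon is configured without signature checks) never match the sideload rule, so confirm that field is populated before relying on it.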