Kaspersky researchers recently found evidence of an advanced threat group continuously updating its malware to evade security products, similar to a release cycle for developers.
Kaspersky revealed that APT10, also known as the Cicada hacking group, has successfully deployed the LODEINFO malware in government, media, public sector, and diplomatic organizations in Japan.
LODEINFO has been observed engaged in a spear-phishing campaign since December 2019 by JPCERT/CC. The sophisticated malware was hidden in malicious Word file attachments. So far, nothing unusual for a sophisticated threat actor, but JPCERT/CC concluded that LODEINFO was “under development,” as they found the version number “v0.1.2” during their investigation.
Kaspersky researchers have been tracking the malware since then, and they’ve discovered evidence revealing “high-confidence attribution to APT10.” They observed another spear-phishing campaign in March 2022.
The malicious Word documents contained fake security notices that invited the victims to “Enable Editing” and “Enable Content,” which executes malicious VBA code. Then, attackers were able to infect their targets and set command and control (C2) communications to exfiltrate confidential data.
Again, nothing really new for such attacks. The interesting part is that “the LODEINFO implants and loader modules were also continuously updated to evade security products and complicate manual analysis by security researchers.”
Also read: How Hackers Evade Detection
Can Security Tools Stop Evolving Threats?
The growing trend of jamming investigations is here to stay, and threat actors are now doing professional IT maintenance, with release cycles. Researchers even found an update that skips machines with the “en_US” locale:
In LODEINFO v0.6.2 and later versions, the shellcode has a new feature that looks for the “en_US” locale on the victim’s machine in a recursive function and halts execution if that locale is found.
Evading Windows built-in security systems such as Windows Defender is nothing new and many techniques have been disclosed by security researchers in public POCs (Proofs of Concept).
YouTube is full of detailed tutorials for achieving that, using simple file renaming (e.g., known binaries such as Mimikatz) or obfuscated sequences in PowerShell commands and Python scripts.
Clearly, companies and individuals should not rely exclusively on built-in security. However, the same also goes for antivirus software and other anti-malware solutions.
Of course, it does not mean you should not use those tools, but nothing replaces security awareness training, active monitoring, regular pentesting, and threat hunting. However, even advanced security products and good practices do not guarantee 100% safety, and it’s an endless struggle between attackers and defenders.
However, it would certainly be worse without security professionals, as you can’t fight something you can’t quantify. You need humans to operate these tools and analyze threats and IoCs (Indicators of Compromise). You also need platforms where you can share your knowledge and collaborate with other teams, which sometimes leads to catching APT groups.
Also read: Ransomware Group Uses Vulnerability to Bypass EDR Products
Defense in Depth
Complete security can’t be achieved, especially against global actors or state-sponsored groups. As long as you need employees, you will get spear-phishing campaigns and other social engineering attacks.
There’s also a thin line between security and employees’ privacy rights, but the real problem occurs when the system gets too permissive. Beyond automated scanners and detection tools, the least privilege principle can harden initial access and limit the risk of lateral movements.
Employees can be targeted for several reasons:
- bad practices and lack of security awareness
- bad security policies that push users towards predictable strategies (e.g., weak passwords or common patterns)
- too much permissions or unnecessary root accesses
- disappointment, conflicts with the management
If employees do not need macro-enabled documents, then disallow them (and notifications too) in your office productivity software. Group policies and templates can be used to achieve that globally. If it’s too complicated, cloud platforms usually provide such functionality and the granularity you need.
More generally, if an employee does not need administrator privileges to work, sysadmin should give them a proper role with less permissions. This is basic role management.
If employees are allowed to use “123456” for their password, it’s a major risk. If MFA or 2FA is available but not mandatory, that’s a significant risk too.
In a nutshell, the lack of security culture often shifts the responsibility to the end-users, which can result in painful breaches.
These recommendations might seem a bit paradoxical for such highly-evasive campaigns and skilled hackers who focus on evading malware analysis. However, cybercriminals usually exploit classic flaws to get initial access.
Likewise, post-exploitation may involve a mix of basic exploits and highly technical approaches, so defense in-depth is recommended. In the best-case scenario, the attack will simply fail, but if that’s not the case, you will slow their progression, at least.
See the Best EDR Solutions