Spear-phishing attacks by the Chinese state-sponsored threat operation APT10, also known as Stone Panda, Cicada, Bronze Riverside, Potassium, Earth Tengshe, and MirrorFace, involved the distribution of continuously updated iterations of the LODEINFO fileless backdoor, first identified in November 2022, The Hacker News reports.
Initially reported to have arbitrary shellcode execution, screenshot capturing, and file exfiltration capabilities, LODEINFO was updated in June 2023 to include a check of the Microsoft Office language settings, which was removed again in an iteration released the following month, according to a report from ITOCHU Cyber & Intelligence. That version, LODEINFO 0.7.1, not only used an English maldoc filename instead of a Japanese one, suggesting expanded targeting, but also added a new stage in which a file masquerading as a Privacy-Enhanced Mail (PEM) file is retrieved for in-memory loading of the malware. APT10 has also added further commands to the latest version, LODEINFO 0.7.3.
"As a countermeasure, since both the downloader shellcode and the backdoor shellcode of LODEINFO are fileless malware, it is essential to introduce a product that can scan and detect malware in memory in order to detect it," said researchers.
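The PEM-masquerade stage and the memory-scanning advice above suggest a cheap complementary check on the disk or network side: a genuine PEM file has a rigid structure (matching BEGIN/END labels, base64 lines of at most 64 characters, a DER-encoded SEQUENCE inside, nothing after the END marker), so a payload that only wears PEM markers fails at least one of those tests. The following validator is an added example written for this summary; it is not code from ITOCHU, The Hacker News, or the LODEINFO report, and all sample files in it are constructed, not real artifacts. It only catches crude masquerading, so it is a triage aid next to in-memory detection, not a replacement for it.

```python
import base64
import binascii
import re

# One PEM block: label, base64 body (lines of <= 64 chars), matching END label.
PEM_RE = re.compile(
    rb"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\r?\n"
    rb"(?P<body>(?:[A-Za-z0-9+/=]{1,64}\r?\n)+)"
    rb"-----END (?P<end>[A-Z0-9 ]+)-----"
)


def pem_findings(data: bytes) -> list[str]:
    """Return a list of structural anomalies; an empty list means the file
    looks like a genuine PEM container (it says nothing about the key inside)."""
    findings = []
    m = PEM_RE.search(data)
    if m is None:
        findings.append("no well-formed PEM block")
        return findings
    if m.group("label") != m.group("end"):
        findings.append("BEGIN/END labels differ")
    # Strip line breaks before strict decoding; validate=True rejects any
    # character outside the base64 alphabet.
    try:
        payload = base64.b64decode(b"".join(m.group("body").split()), validate=True)
    except binascii.Error:
        findings.append("body is not valid base64")
        return findings
    # Certificates and keys are DER structures that start with a SEQUENCE tag.
    if not payload or payload[0] != 0x30:
        findings.append("payload is not a DER SEQUENCE")
    trailing = data[m.end():].strip()
    if trailing:
        findings.append(f"{len(trailing)} bytes after END marker")
    return findings


def wrap_pem(label: bytes, payload: bytes) -> bytes:
    """Build a PEM container around arbitrary bytes (used only to construct samples)."""
    enc = base64.b64encode(payload)
    lines = [enc[i:i + 64] for i in range(0, len(enc), 64)]
    return (b"-----BEGIN " + label + b"-----\n"
            + b"\n".join(lines) + b"\n"
            + b"-----END " + label + b"-----\n")


# Constructed samples (hypothetical, not from any real incident):
# a tiny valid DER SEQUENCE {INTEGER 1, OCTET STRING "example"}.
CONSTRUCTED_DER = b"\x30\x0c\x02\x01\x01\x04\x07example"
SAMPLE_OK = wrap_pem(b"CERTIFICATE", CONSTRUCTED_DER)
# Base64 is fine but the content is a PE-like header, not DER.
SAMPLE_NOT_DER = wrap_pem(b"CERTIFICATE", b"MZ\x90\x00" + b"\x00" * 16)
# Legitimate block with a binary blob appended after the END marker.
SAMPLE_TRAILER = SAMPLE_OK + b"\xfc\x48\x83\xe4\xf0"
# Markers present, but the body is raw bytes rather than base64 text.
SAMPLE_RAW = b"-----BEGIN CERTIFICATE-----\n\xfc\x48\x83\xe4\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    for name, sample in [("ok", SAMPLE_OK), ("not_der", SAMPLE_NOT_DER),
                         ("trailer", SAMPLE_TRAILER), ("raw", SAMPLE_RAW)]:
        print(name, pem_findings(sample) or "looks like PEM")
```

In a mail gateway or EDR file-inspection hook the same function would run over any attachment or download whose extension or MIME type claims to be a certificate or key, and a non-empty finding list is a reason to quarantine the file and pivot to memory inspection of the process that requested it.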
Malicious updates were recently pushed to the Python Package Index package "django-log-tracker," which had last been modified in April 2022, in order to distribute the Nova Sentinel information-stealing malware, The Hacker News reports.