Criminals hijack antivirus software to spread malware

A Chinese hacking group was found exploiting a flaw in a known antivirus program to deliver malware to high-profile targets in Japan.

Kaspersky cybersecurity researchers recently discovered that Cicada, also known as APT10, was tricking employees at organizations across Japan, from media companies to government agencies, into downloading a compromised copy of the K7Security Suite antivirus.

Those who fall for it end up infected with LODEINFO, a three-year-old malware family capable of executing PE files and shellcode, downloading files, killing processes and sending file listings, among other things.

DLL sideloading

The malware is distributed through a technique known as DLL sideloading. First, the victim is directed to a fake K7Security Suite download page, where they download the software. The installer itself is not malicious; it is the genuine antivirus product. However, the same folder also contains a malicious DLL named K7SysMn1.dll.

During a normal installation, the executable looks for a file called K7SysMn1.dll, a library that is normally not malicious. If it finds a file by that name in its own folder, it looks no further and loads that file.

The threat actors therefore create a malicious file containing the LODEINFO malware and give it the filename K7SysMn1.dll. In other words, it is the antivirus program itself that ends up loading the malware onto the target device. And because it is loaded by a legitimate security application, other security software may not flag it as malicious.
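As an added defender-side example (not code from the article, Kaspersky or K7), the following PowerShell triage script looks for the pattern described above in a download folder: for every executable, any DLL sitting in the same directory is checked, and DLLs that are unsigned or signed by a different publisher than the executable are reported. The folder path is a parameter; the cmdlets used are standard PowerShell.

```powershell
# Added example, not from the article: triage a folder for DLL sideloading.
# Windows searches the application's own directory first, so a planted DLL
# next to a signed installer wins over the legitimate library. Flag DLLs that
# are unsigned, or whose signer differs from the EXE beside them.
param(
    [Parameter(Mandatory = $true)]
    [string]$Path   # folder to scan, e.g. a user's Downloads directory (assumption)
)

function Get-SignerInfo {
    param([string]$File)
    $sig = Get-AuthenticodeSignature -FilePath $File
    [pscustomobject]@{
        Status  = $sig.Status          # Valid, NotSigned, HashMismatch, ...
        Subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    }
}

$exes = Get-ChildItem -Path $Path -Recurse -Filter *.exe -File
foreach ($exe in $exes) {
    $exeSig = Get-SignerInfo $exe.FullName
    # Only DLLs in the same directory matter: that is the first search location.
    $dlls = Get-ChildItem -Path $exe.DirectoryName -Filter *.dll -File
    foreach ($dll in $dlls) {
        $dllSig = Get-SignerInfo $dll.FullName
        $reason = $null
        if ($dllSig.Status -ne 'Valid') {
            $reason = "DLL signature status is $($dllSig.Status)"
        } elseif ($exeSig.Status -eq 'Valid' -and $dllSig.Subject -ne $exeSig.Subject) {
            $reason = 'DLL signer differs from EXE signer'
        }
        if ($reason) {
            [pscustomobject]@{
                Executable = $exe.FullName
                Dll        = $dll.FullName
                ExeSigner  = $exeSig.Subject
                DllSigner  = $dllSig.Subject
                Reason     = $reason
            }
        }
    }
}
```

Expect benign hits such as runtime libraries signed by a different vendor; the output is a list of leads for manual review, not a verdict.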

Investigators were unable to determine how many organizations were victims of this attack or what the ultimate goal of the campaign is. However, given who the targets are, cyber espionage is the most obvious answer.

DLL sideloading is not a new technique. In August 2022, it was reported that Windows Defender was abused to download LockBit 3.0, an infamous ransomware variant.

Via: BleepingComputer