A well-known Chinese threat actor has been found abusing a legitimate antivirus program to deliver malware to high-profile targets in Japan.
Kaspersky researchers recently discovered Cicada, also known as APT10, tricking employees at a range of Japanese organizations, from media companies to government agencies, into downloading a tampered installer package for K7Security Suite.
Those who fall for the ruse end up with LODEINFO, a backdoor first seen about three years ago that can execute PE files and shellcode, upload and download files, kill processes, and send file listings, among other things.
DLL sideloading
The malware is delivered through a technique known as DLL sideloading. First, the victim is directed to a fake K7Security Suite download page and fetches the software from there. The executable itself is harmless: it is the genuine antivirus installer. However, the same folder also holds a malicious DLL named K7SysMn1.dll.
During a normal installation, the executable loads a library called K7SysMn1.dll, which is ordinarily the vendor's own component. Because Windows searches the application's own directory before the system directories when a DLL is requested by name, an executable that finds K7SysMn1.dll next to itself loads that copy and looks no further.
The attackers therefore build a DLL containing LODEINFO and give it the file name K7SysMn1.dll. In other words, a legitimate antivirus program ends up loading the malware onto the target endpoint. And since a trusted security product is the process doing the loading, other security software may not flag the activity as malicious.
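The loading pattern described above leaves a distinctive trace in image-load telemetry: a DLL with the vendor's file name, unsigned or signed by someone else, loaded from the launcher's own directory in a user-writable location. The following is an added detection example, not code from Kaspersky, K7 or the original article. It runs a simple check over constructed Sysmon Event ID 7 (image loaded) records; the file paths, the launcher name K7Setup.exe and the expected signer string "K7 Computing" are assumptions made for the example.

```python
import ntpath

# Sample Sysmon Event ID 7 (Image loaded) records, constructed for this example.
# Only the fields the check needs are kept: "Signed" is the "true"/"false" string
# Sysmon emits and "Signature" is the signer subject name it reports.
SAMPLE_EVENTS = [
    {   # genuine product: DLL beside the installer under Program Files, expected signer
        "Image": r"C:\Program Files\K7Security\K7Setup.exe",
        "ImageLoaded": r"C:\Program Files\K7Security\K7SysMn1.dll",
        "Signed": "true",
        "Signature": "K7 Computing Private Limited",
    },
    {   # the campaign's shape: legitimate launcher plus unsigned DLL in Downloads
        "Image": r"C:\Users\alice\Downloads\K7Security\K7Setup.exe",
        "ImageLoaded": r"C:\Users\alice\Downloads\K7Security\K7SysMn1.dll",
        "Signed": "false",
        "Signature": "",
    },
    {   # benign system DLL loaded by the same launcher; must not fire
        "Image": r"C:\Users\alice\Downloads\K7Security\K7Setup.exe",
        "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
        "Signed": "true",
        "Signature": "Microsoft Windows",
    },
    {   # watched name, signed, but by a signer other than the vendor, from a temp dir
        "Image": r"C:\Users\alice\AppData\Local\Temp\K7Setup.exe",
        "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\K7SysMn1.dll",
        "Signed": "true",
        "Signature": "Example Code Signing Ltd",
    },
]

# DLL names the launcher resolves by name, and the signer we expect on them.
# The signer string is an assumption for this example, not taken from the vendor.
WATCHED_DLLS = {"k7sysmn1.dll"}
EXPECTED_SIGNERS = ("k7 computing",)
# Path fragments that indicate a location an ordinary user can write to.
USER_WRITABLE_MARKERS = ("\\users\\", "\\temp\\", "\\programdata\\", "\\public\\")


def sideload_reasons(event, watched_dlls=WATCHED_DLLS, expected_signers=EXPECTED_SIGNERS):
    """Return the reasons an image-load event looks like DLL sideloading
    (an empty list means the load looks benign)."""
    loaded = event["ImageLoaded"].lower()
    launcher = event["Image"].lower()
    if ntpath.basename(loaded) not in watched_dlls:
        return []
    reasons = []
    if event.get("Signed", "").lower() != "true":
        reasons.append("watched DLL is unsigned")
    elif not any(s in event.get("Signature", "").lower() for s in expected_signers):
        reasons.append("watched DLL signed by unexpected signer: " + event["Signature"])
    # Same directory as the launcher is exactly where the search order looks first.
    same_dir = ntpath.dirname(loaded) == ntpath.dirname(launcher)
    if same_dir and any(m in loaded for m in USER_WRITABLE_MARKERS):
        reasons.append("watched DLL loaded from the launcher's own directory in a user-writable path")
    return reasons


def find_sideload_candidates(events):
    """Run the check over a batch of events; returns (event, reasons) pairs that fired."""
    hits = []
    for ev in events:
        reasons = sideload_reasons(ev)
        if reasons:
            hits.append((ev, reasons))
    return hits


if __name__ == "__main__":
    for ev, reasons in find_sideload_candidates(SAMPLE_EVENTS):
        print(ev["ImageLoaded"])
        for r in reasons:
            print("  -", r)
```

Run against the sample batch, the check fires on the unsigned DLL in Downloads and on the DLL with the wrong signer in Temp, and stays quiet for the genuine product under Program Files and for kernel32.dll. In a real deployment the signer check matters more than the path check: a correctly signed DLL in an odd directory is usually a portable install, whereas an unsigned file carrying a vendor's library name next to that vendor's executable is the sideloading pattern itself.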
The researchers were unable to determine how many organizations fell prey to this attack, or the campaign’s ultimate goal. Given who the targets are, cyber espionage is the most obvious answer.
Sideloading DLLs is not a new approach. In August 2022, it was reported that a Windows Defender command-line tool was being abused to sideload a malicious DLL in intrusions by the operators of LockBit 3.0, one of the most notorious ransomware families.