A well-known Chinese threat actor has been found to exploit a flaw in a well-known antivirus program to deliver malware to high-profile targets in Japan.
Cybersecurity researchers at Kaspersky recently spotted Cicada, also known as APT10, tricking employees of various organizations in Japan — from media companies to government agencies — into downloading a compromised version of the company’s K7Security Suite.
Those who fall for the trick eventually get LODEINFO, a three-year-old malware that can execute PE files and shell code, upload and download files, kill processes, and send file lists, among other things.
The malware is distributed through a practice known as DLL sideloading. First, the victim should be directed to a fake K7Security Suite download page, where they would download the software. The installation executable itself would not be malicious – it would be the actual antivirus solution. However, the same folder would also contain a malicious DLL called K7SysMn1.dll.
During normal installation, the executable looks for a file called K7SysMn1.dll, which is usually not malicious. If it finds it in the same directory where it is located, it will look no further and instead run that file.
The threat actors would then create a malicious file containing the LODEINFO malware and name it K7SysMn1.dll. In other words, it’s the antivirus (opens in new tab) program that eventually loads the malware on the target endpoint. And since a legitimate security application loads it, it may not be detected as malicious by other security software.
The researchers were unable to determine how many organizations fell prey to this attack, or what the end goal of the campaign is. However, given who the targets are, cyber espionage is the most obvious answer.
Side-loading .DLL files is not a new approach. In August 2022, it was reported that Windows Defender was being exploited to sideload LockBit 3.0, a notorious ransomware variant.
Via: BleepingComputer (opens in new tab)