On January 24, 2024, ITOCHU Cyber & Intelligence reported novel samples of the LODEINFO backdoor, consistent with ongoing development of the malware. LODEINFO is attributed to the China-nexus group APT10, which has used it against Japanese entities since at least 2021, delivering it through spear-phishing with malicious Word documents, predominantly weaponized with Visual Basic scripts.
The backdoor is actively updated, and recent features include:
Removal of checks for Japanese-language environments, suggesting a broader geographical targeting scope.
Template injection, which enables the threat actor to retrieve and execute macros when the victim opens the malicious attachment.
The macro executes shellcode that is ultimately responsible for loading the LODEINFO backdoor. In some cases, researchers observed the backdoor being loaded via a deceptive file masquerading as a Privacy-Enhanced Mail (PEM) file.
The infection chain culminates with the backdoor being loaded directly into memory.
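The template-injection step above leaves a trace in the document package itself: the attached template is resolved through a relationship in word/_rels/settings.xml.rels, and a remote target there is what the technique depends on. The following Python check is an added example, not code from the ITOCHU report or any LODEINFO sample; it constructs two minimal documents in memory (the .invalid hostnames and the local Normal.dotm path are placeholders) and flags only the one whose attached template points at an HTTP(S) or UNC location, since a local file:/// template is ordinary.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
SETTINGS_RELS = "word/_rels/settings.xml.rels"


def remote_templates(docx_bytes):
    """Return attachedTemplate targets that live outside the local machine.

    Word records the template in word/settings.xml and resolves it through a
    relationship in settings.xml.rels. A local file:///...Normal.dotm target is
    ordinary; an HTTP(S) or UNC target is what remote template injection relies on.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if SETTINGS_RELS not in zf.namelist():
            return hits
        root = ET.fromstring(zf.read(SETTINGS_RELS))
        for rel in root.iter(f"{{{REL_NS}}}Relationship"):
            if rel.get("Type") != ATTACHED_TEMPLATE or rel.get("TargetMode") != "External":
                continue
            target = rel.get("Target", "")
            if urlparse(target).scheme in ("http", "https") or target.startswith("\\\\"):
                hits.append(target)
    return hits


def make_docx(template_target):
    """Construct a minimal docx-like zip whose settings part attaches the given template."""
    rels = (f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId1" '
            f'Type="{ATTACHED_TEMPLATE}" Target="{template_target}" '
            'TargetMode="External"/></Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/settings.xml",
                    '<w:settings><w:attachedTemplate r:id="rId1"/></w:settings>')
        zf.writestr(SETTINGS_RELS, rels)
    return buf.getvalue()


# Constructed samples: a placeholder remote template URL versus a benign local template.
REMOTE_DOC = make_docx("http://template.invalid/template.dotm")
LOCAL_DOC = make_docx("file:///C:/Users/user/AppData/Roaming/Microsoft/Templates/Normal.dotm")
```

Running remote_templates over a real .docx or .dotm from a mail gateway quarantine gives the same answer; a non-empty result is worth a closer look before the document reaches a user.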