LODEINFO (Malware Family)

LODEINFO

There is no description at this point.

References

2022-12-14 ⋅ ESET Research ⋅ Dominik Breitenbacher
Unmasking MirrorFace: Operation LiberalFace targeting Japanese political entities
LODEINFO

2022-10-31 ⋅ Kaspersky Labs ⋅ Suguru Ishimaru
APT10: Tracking down LODEINFO 2022, part II
LODEINFO

2022-10-31 ⋅ Kaspersky Labs ⋅ Suguru Ishimaru
APT10: Tracking down LODEINFO 2022, part I
LODEINFO

2021-02-18 ⋅ JPCERT/CC ⋅ Kota Kino
Further Updates in LODEINFO Malware
LODEINFO

2021-01-19 ⋅ Twitter (@jpcert_ac) ⋅ JPCERT/CC
Tweet on LODEINFO ver 0.47 spotted ITW targeting Japan
LODEINFO

2020-11-03 ⋅ Kaspersky Labs ⋅ GReAT
APT trends report Q3 2020
WellMail EVILNUM Janicab Poet RAT AsyncRAT Ave Maria Cobalt Strike Crimson RAT CROSSWALK Dtrack LODEINFO MoriAgent Okrum PlugX poisonplug Rover ShadowPad SoreFang Winnti

2020-06-20 ⋅ Cyber And Ramen blog ⋅ msec1203
Analysis of LODEINFO Maldoc
LODEINFO

2020-06-11 ⋅ JPCERT/CC ⋅ Kota Kino
マルウエアLODEINFOの進化 (Evolution of Malware LODEINFO)
LODEINFO

2020-05-01 ⋅ Macnica Networks ⋅ TeamT5, Macnica Networks
Cyber Espionage Tradecraft in the Real World Adversaries targeting Japan in the second half of 2019
TSCookie LODEINFO

2020-02-27 ⋅ JPCERT/CC ⋅ Kota Kino
Malware “LODEINFO” Targeting Japan
LODEINFO

2020-02-20 ⋅ JPCERT/CC ⋅ Kota Kino
日本国内の組織を狙ったマルウエアLODEINFO
LODEINFO

Yara Rules

[TLP:WHITE] win_lodeinfo_auto (20230125 | Detects win.lodeinfo.)

rule win_lodeinfo_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.lodeinfo."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.lodeinfo"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 730b 8b5df4 8914b3 8b5de4 eb02 8910 8b5508 }
            // n = 7, score = 200
            //   730b                 | jae                 0xd
            //   8b5df4               | mov                 ebx, dword ptr [ebp - 0xc]
            //   8914b3               | mov                 dword ptr [ebx + esi*4], edx
            //   8b5de4               | mov                 ebx, dword ptr [ebp - 0x1c]
            //   eb02                 | jmp                 4
            //   8910                 | mov                 dword ptr [eax], edx
            //   8b5508               | mov                 edx, dword ptr [ebp + 8]

        $sequence_1 = { 50 e8???????? 83c404 837e5c00 0f84e4000000 ff7660 }
            // n = 6, score = 200
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   837e5c00             | cmp                 dword ptr [esi + 0x5c], 0
            //   0f84e4000000         | je                  0xea
            //   ff7660               | push                dword ptr [esi + 0x60]

        $sequence_2 = { 39560c 7433 6690 8b4e08 8d7f03 0fb647fd }
            // n = 6, score = 200
            //   39560c               | cmp                 dword ptr [esi + 0xc], edx
            //   7433                 | je                  0x35
            //   6690                 | nop                 
            //   8b4e08               | mov                 ecx, dword ptr [esi + 8]
            //   8d7f03               | lea                 edi, [edi + 3]
            //   0fb647fd             | movzx               eax, byte ptr [edi - 3]

        $sequence_3 = { 53 8bd7 8bce e8???????? 83c408 eb78 83f802 }
            // n = 7, score = 200
            //   53                   | push                ebx
            //   8bd7                 | mov                 edx, edi
            //   8bce                 | mov                 ecx, esi
            //   e8????????           |                     
            //   83c408               | add                 esp, 8
            //   eb78                 | jmp                 0x7a
            //   83f802               | cmp                 eax, 2

        $sequence_4 = { 8983c4000000 85c0 7412 ff75f4 8b55f0 8bc8 e8???????? }
            // n = 7, score = 200
            //   8983c4000000         | mov                 dword ptr [ebx + 0xc4], eax
            //   85c0                 | test                eax, eax
            //   7412                 | je                  0x14
            //   ff75f4               | push                dword ptr [ebp - 0xc]
            //   8b55f0               | mov                 edx, dword ptr [ebp - 0x10]
            //   8bc8                 | mov                 ecx, eax
            //   e8????????           |                     

        $sequence_5 = { 8b7d0c 807c330200 8a443301 8845eb 740a be48000000 e9???????? }
            // n = 7, score = 200
            //   8b7d0c               | mov                 edi, dword ptr [ebp + 0xc]
            //   807c330200           | cmp                 byte ptr [ebx + esi + 2], 0
            //   8a443301             | mov                 al, byte ptr [ebx + esi + 1]
            //   8845eb               | mov                 byte ptr [ebp - 0x15], al
            //   740a                 | je                  0xc
            //   be48000000           | mov                 esi, 0x48
            //   e9????????           |                     

        $sequence_6 = { 85d2 0f847efcffff 33c9 0f1f440000 8b45f0 8b0401 89040a }
            // n = 7, score = 200
            //   85d2                 | test                edx, edx
            //   0f847efcffff         | je                  0xfffffc84
            //   33c9                 | xor                 ecx, ecx
            //   0f1f440000           | nop                 dword ptr [eax + eax]
            //   8b45f0               | mov                 eax, dword ptr [ebp - 0x10]
            //   8b0401               | mov                 eax, dword ptr [ecx + eax]
            //   89040a               | mov                 dword ptr [edx + ecx], eax

        $sequence_7 = { 7417 8b4608 8b4f08 8a0402 88040a 42 8b460c }
            // n = 7, score = 200
            //   7417                 | je                  0x19
            //   8b4608               | mov                 eax, dword ptr [esi + 8]
            //   8b4f08               | mov                 ecx, dword ptr [edi + 8]
            //   8a0402               | mov                 al, byte ptr [edx + eax]
            //   88040a               | mov                 byte ptr [edx + ecx], al
            //   42                   | inc                 edx
            //   8b460c               | mov                 eax, dword ptr [esi + 0xc]

        $sequence_8 = { 2bc6 3bf8 0f8758010000 2b13 8d043e 8bf2 }
            // n = 6, score = 200
            //   2bc6                 | sub                 eax, esi
            //   3bf8                 | cmp                 edi, eax
            //   0f8758010000         | ja                  0x15e
            //   2b13                 | sub                 edx, dword ptr [ebx]
            //   8d043e               | lea                 eax, [esi + edi]
            //   8bf2                 | mov                 esi, edx

        $sequence_9 = { 8d1490 8bcf e8???????? 8b4df4 83c703 8b450c 83c404 }
            // n = 7, score = 200
            //   8d1490               | lea                 edx, [eax + edx*4]
            //   8bcf                 | mov                 ecx, edi
            //   e8????????           |                     
            //   8b4df4               | mov                 ecx, dword ptr [ebp - 0xc]
            //   83c703               | add                 edi, 3
            //   8b450c               | mov                 eax, dword ptr [ebp + 0xc]
            //   83c404               | add                 esp, 4

    condition:
        7 of them and filesize < 712704
}

Download all Yara Rules

LODEINFO Propose Change

References

Yara Rules

LODEINFO