Chinese Hackers Target Japanese Firms with LODEINFO and NOOPDOOR Malware

Japanese organizations are the target of a Chinese nation-state threat actor that uses malware families such as LODEINFO and NOOPDOOR to harvest sensitive information from compromised hosts while remaining undetected, in some cases for two to three years.
"The actors behind NOOPDOOR not only utilized LODEINFO during the campaign, but also utilized the new backdoor to exfiltrate data from compromised enterprise networks," it said.
The findings come weeks after JPCERT/CC warned of cyber attacks mounted by the threat actor targeting Japanese entities using the two malware strains.
While Earth Tengshe is linked to campaigns distributing SigLoader and SodaMaster, Earth Kasha is attributed with the exclusive use of LODEINFO and NOOPDOOR. Both sub-groups have been observed targeting public-facing applications with the aim of exfiltrating data from the compromised network.
Earth Kasha, for its part, has been found to change its initial access methods: since April 2023 it has exploited unpatched flaws in public-facing Array AG, Fortinet, and Proself instances to deploy LODEINFO and NOOPDOOR. LODEINFO supports several commands to execute arbitrary shellcode, log keystrokes, take screenshots, terminate processes, and exfiltrate files to an actor-controlled server.
"LODEINFO appears to be used as a primary backdoor and NOOPDOOR acts as a secondary backdoor, keeping persistence within the compromised corporate network for more than two years," Cybereason said.
News URL
https://thehackernews.com/2024/07/chinese-hackers-target-japanese-firms.html