Saturday, June 20, 2020

Analysis of LODEINFO Maldoc

The LODEINFO malware has been targeting different sectors within Japan since around 2019, including media and defense organizations.

Whoever is behind LODEINFO is actively developing and upgrading the malware at a rapid pace. On 11 June, JPCert released a Japanese-language article highlighting a recent uptick in LODEINFO detections and identifying a new version that contained ransomware code which was not yet invoked.

Just eight days later, JPCert tweeted an image of a recent LODEINFO maldoc that had successfully encrypted documents.

The lure documents associated with LODEINFO invoke Japanese government entities and pose as job applications to entice potential victims into opening the file.

In this post I will show a few tools that come in handy when analyzing malicious documents, extract the malicious macros, and walk through the document's behavior.

Lure Doc Distribution

File name: 外務省補助金で謳われていた.doc
MD5: bca533b3336240bc5cc68117408debdf
SHA256: 73470ea496126133fd025cfa9b3599bea9550abe2c8d065de11afb6f7aa6b5df

Figure 1: Word Doc Timestamp/Creator

The title of the document I will be analyzing is "外務省補助金で謳われていた.doc", which translates loosely as "was touted (as funded) under a Ministry of Foreign Affairs subsidy".

Figure 2: Malicious Document

The highlighted text instructs the user to follow the prompt in Word's Message Bar, i.e. to click the "Enable Content" button that allows the macros to run.

The document purports to be from a fellow government international relations researcher. It states that the author knows the reader was previously involved with the "東大ビジョンセンタ", short for the University of Tokyo Vision Center (東大 being the usual abbreviation of 東京大学).

The document continues by name dropping organizations like the Asia Pacific Initiative (API) and Japanese researchers who specialize in US-China relations.

Figure 3: Maldoc contd.

All of the above is very interesting: the author goes to great lengths to demonstrate knowledge of the subjects discussed and familiarity with the researchers named in the document. The names and dates of birth mentioned are authentic; however, the referenced API article on US-China relations could not be found.

Tools and Techniques

As with many malicious documents, this sample uses VBA macros, which run once "Enable Content" is clicked, to execute code and gain initial access on the target.

If you are at all interested in malicious document analysis, you should be using olevba (part of Philippe Lagadec's oletools) and oledump (by Didier Stevens): oledump lists the OLE streams in the file and flags those containing macros with an "M", while olevba extracts and decompresses the VBA source. With a suspect Word document claiming to come from the Ministry of Foreign Affairs, let's see if there are any interesting macros to be extracted.

Figure 4: Macro Dump

In the output above, two streams stand out and will need further investigation. Before digging into the macros, note that the oledump output also contained something interesting near the beginning of the extracted script.

Figure 5: Base64 blob

This huge blob of data is base64-encoded and will reappear shortly. For now, let's look at what VBA code can be extracted.
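What olevba actually does when it "extracts" a macro is worth seeing once, because the VBA source is not stored as plain text. Each module stream (and the dir stream) inside the VBA project is an MS-OVBA CompressedContainer: a 0x01 signature followed by chunks of up to 4096 decompressed bytes, each made of flag bytes that say whether the next token is a literal byte or a 16-bit back-reference whose offset/length split depends on how far into the chunk the decoder already is. The following is an added example of my own, not code from the original post or from oletools; the sample module text is constructed, and the compressor is included only so the round trip can be checked (it emits a valid container but is not byte-identical to what Office writes).

```python
import struct

# Constructed sample module source (not the LODEINFO macro); the repetition
# is what the back-reference tokens exploit.
SAMPLE_VBA = (
    b'Attribute VB_Name = "ThisDocument"\r\n'
    b"Sub AutoOpen()\r\n"
    b"    Dim s As String\r\n"
    b'    s = Environ("TEMP")\r\n'
    b'    s = Replace(s, "A", "")\r\n'
    b'    s = Replace(s, "B", "")\r\n'
    b"End Sub\r\n"
)


def _copy_token_params(decomp_pos):
    """Split of a 16-bit CopyToken at this offset into the current chunk:
    the offset field widens as history grows, the length field shrinks
    (MS-OVBA 2.4.1.3.19.1). (n-1).bit_length() == ceil(log2(n)) for n >= 1."""
    bit_count = max(4, (decomp_pos - 1).bit_length())
    return bit_count, 0xFFFF >> bit_count


def decompress_vba(compressed):
    """Decompress an MS-OVBA CompressedContainer (module and dir streams)."""
    if not compressed or compressed[0] != 0x01:
        raise ValueError("missing CompressedContainer signature 0x01")
    out = bytearray()
    pos = 1
    while pos + 2 <= len(compressed):
        header = struct.unpack_from("<H", compressed, pos)[0]
        if (header >> 12) & 0x7 != 0b011:
            raise ValueError("bad CompressedChunkHeader signature")
        chunk_end = min(pos + (header & 0x0FFF) + 3, len(compressed))
        is_compressed = bool(header & 0x8000)
        pos += 2
        chunk_start = len(out)
        if not is_compressed:                  # raw chunk: 4096 literal bytes
            out += compressed[pos:pos + 4096]
            pos = chunk_end
            continue
        while pos < chunk_end:
            flags = compressed[pos]
            pos += 1
            for bit in range(8):               # one flag bit per token
                if pos >= chunk_end:
                    break
                if not (flags >> bit) & 1:     # LiteralToken
                    out.append(compressed[pos])
                    pos += 1
                    continue
                token = struct.unpack_from("<H", compressed, pos)[0]
                pos += 2
                bit_count, length_mask = _copy_token_params(len(out) - chunk_start)
                length = (token & length_mask) + 3
                offset = (token >> (16 - bit_count)) + 1
                for _ in range(length):        # copy may overlap its own output
                    out.append(out[-offset])
    return bytes(out)


def compress_vba(data):
    """Greedy encoder producing a valid CompressedContainer for `data`."""
    result = bytearray(b"\x01")
    for start in range(0, len(data), 4096):
        chunk = data[start:start + 4096]
        tokens, p = [], 0
        while p < len(chunk):
            bit_count, length_mask = _copy_token_params(p)
            max_len = min(length_mask + 3, len(chunk) - p)
            best_len = best_off = 0
            for off in range(1, min(p, 1 << bit_count) + 1):
                n = 0
                while n < max_len and chunk[p - off + n] == chunk[p + n]:
                    n += 1
                if n > best_len:
                    best_len, best_off = n, off
            if best_len >= 3:
                token = ((best_off - 1) << (16 - bit_count)) | (best_len - 3)
                tokens.append((True, struct.pack("<H", token)))
                p += best_len
            else:
                tokens.append((False, chunk[p:p + 1]))
                p += 1
        body = bytearray()
        for i in range(0, len(tokens), 8):     # FlagByte + up to 8 tokens
            group = tokens[i:i + 8]
            body.append(sum(1 << j for j, (is_copy, _) in enumerate(group) if is_copy))
            for _, raw in group:
                body += raw
        if len(body) > 4096:                   # no gain: store raw, zero-padded
            body = bytearray(chunk.ljust(4096, b"\x00"))
            result += struct.pack("<H", 0x3000 | (len(body) - 1)) + body
        else:
            result += struct.pack("<H", 0xB000 | (len(body) - 1)) + body
    return bytes(result)


if __name__ == "__main__":
    blob = compress_vba(SAMPLE_VBA)
    print(len(SAMPLE_VBA), "->", len(blob), "bytes")
    print(decompress_vba(blob).decode())
```

The point for analysis is that a "macro" pulled straight out of an OLE stream with a hex editor is unreadable until this step has run; olevba does it for you, and the same decoder applies to the dir stream that names the modules.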

For information on how this latest version of LODEINFO is executed, please refer to the JPCert articles listed at the end of this blog post.

Figure 6: VBA Output

Note the while loop and the Replace functions in the code. This sample of LODEINFO drops and starts a benign Windows executable, a text file and a DLL. The text file dropped to TEMP is named "KHKERL"; if that looks familiar from the output above, stay with me, it gets better.

The text file is opened and read through while the counter variable CGVDG is <= 38. A series of Replace calls and if statements run until the loop exits, after which further Replace calls are executed.

The text in Figure 4 flew by in the command prompt and may be a bit hard on the eyes. Looking further into the output, the Replace calls containing the strings "KFMSQ" and "INUDE" appear only in the top half of the file.

Figure 7: Base64 Blob Interesting Strings

In between the two replace strings, are a number of interesting indicators. I was able to extract the following strings:

"TEMP", "sfsdll32.dll", "SfsDllSample.exe", "MSXML2.Document", "WScript.Shell", "Bin.Base64", and "\TRJ\", which looks like a fragment of a file path, presumably the folder the macro creates under TEMP. MSXML2.Document together with Bin.Base64 is the standard VBA trick for base64-decoding without a native function: set a DOM element's dataType to bin.base64 and read back its nodeTypedValue.

Unfortunately in the sample I am analyzing, only one connection was made to the C2, limiting full analysis of the DLL file.

The VBA code in Figure 6 goes on to read the TEMP environment variable, create a directory, run further Replace calls and convert the blob to Unicode. I was only able to confirm this through dynamic analysis, but the final base64-encoded data begins with a telling string.

Figure 8: Result of B64 Decoding

The first few characters, "TVqQA", may look familiar: they are the base64 encoding of the bytes 4D 5A 90 00, the "MZ" DOS header that begins every Windows PE file. Since the benign executable is already being dropped by the Word document, this payload is almost certainly the malicious DLL that LODEINFO is known to sideload.
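The clean-up-and-decode sequence described above (strip the junk the Replace chain removes, base64-decode, confirm the result is a PE and whether it is a DLL) is shown here as an added example of my own, not code from the macro or the original post. The junk-token names KFMSQ and INUDE are borrowed from the macro's strings purely as labels; the page does not show what the real Replace calls substitute, so treating them as junk that is simply removed is an assumption. The PE is a constructed minimal header, not the real DLL, with its link timestamp set to 25 May 2020 to match the post.

```python
import base64
import re
import struct
from datetime import datetime, timezone

# Labels borrowed from the macro's strings; that the real macro simply strips
# them with Replace() is an assumption made for this example.
JUNK_TOKENS = ("KFMSQ", "INUDE")


def build_minimal_pe(is_dll):
    """Construct a tiny, non-runnable PE header: an MZ stub whose e_lfanew
    points at the PE signature and a COFF file header. Only the fields
    inspected below are filled in; everything else is zero."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[0:4] = b"MZ\x90\x00"                 # base64 of these bytes is "TVqQAA"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    characteristics = 0x0002 | 0x0020        # EXECUTABLE_IMAGE | LARGE_ADDRESS_AWARE
    if is_dll:
        characteristics |= 0x2000            # IMAGE_FILE_DLL
    link_time = 1590364800                   # 2020-05-25T00:00:00Z (constructed)
    coff = struct.pack("<HHIIIHH", 0x8664, 0, link_time, 0, 0, 0, characteristics)
    return bytes(dos) + b"PE\x00\x00" + coff


def obfuscate(payload):
    """Stand-in for the dropped text file: base64 with a junk token every 8 chars."""
    b64 = base64.b64encode(payload).decode("ascii")
    parts = []
    for i in range(0, len(b64), 8):
        parts.append(b64[i:i + 8])
        parts.append(JUNK_TOKENS[(i // 8) % len(JUNK_TOKENS)])
    return "".join(parts)


def deobfuscate(text):
    """The Replace() chain: drop every junk token."""
    for token in JUNK_TOKENS:
        text = text.replace(token, "")
    return text


def decode_payload(text):
    """Strip anything outside the base64 alphabet, then decode (the macro's
    MSXML bin.base64 step)."""
    cleaned = re.sub(r"[^A-Za-z0-9+/=]", "", deobfuscate(text))
    return base64.b64decode(cleaned)


def _e_lfanew(data):
    return struct.unpack_from("<I", data, 0x3C)[0]


def looks_like_pe(data):
    """'MZ' at offset 0 and 'PE\\0\\0' where e_lfanew points."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    off = _e_lfanew(data)
    return data[off:off + 4] == b"PE\x00\x00"


def pe_is_dll(data):
    """Characteristics is the last WORD of the 20-byte COFF header."""
    chars = struct.unpack_from("<H", data, _e_lfanew(data) + 4 + 18)[0]
    return bool(chars & 0x2000)


def pe_link_timestamp(data):
    """COFF TimeDateStamp. The '25 May 2020' in the post is the debug
    directory timestamp, a separate field, though linkers usually write
    the same value to both."""
    ts = struct.unpack_from("<I", data, _e_lfanew(data) + 4 + 4)[0]
    return datetime.fromtimestamp(ts, tz=timezone.utc)


if __name__ == "__main__":
    dropped = obfuscate(build_minimal_pe(is_dll=True))
    print(dropped[:40], "...")
    data = decode_payload(dropped)
    print("PE:", looks_like_pe(data), "DLL:", pe_is_dll(data),
          "linked:", pe_link_timestamp(data).date())
```

Against a real dropped file the same three checks apply: once the decoded bytes start with MZ, read e_lfanew, confirm the PE signature, and look at the DLL bit before assuming the payload is the sideloaded library rather than another executable.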

Host and Network Indicators

Figure 9

Once executed, the "benign" SfsDllSample.exe, with the malicious DLL loaded alongside it, connects to hxxp://103.27.184[.]27/.

LODEINFO performs discovery by checking the Windows version (cmd.exe /c ver), listing running processes (tasklist /v) and enumerating the network (net view).

The malicious DLL, which does most of the heavy lifting in this sample, poses as the Sfs DLL shipped with Bitvise SSH Server. Its debug timestamp is 25 May 2020.

The data is encoded and sent to the C2 by an HTTP POST request. At the time of writing, the C2 was no longer active, preventing any interaction with the server.

LODEINFO uses a hardcoded User-Agent of: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.18363. Note that this is the stock User-Agent of the EdgeHTML-based Edge 18 browser on Windows 10 build 18363, so on its own it is a weak indicator; it is useful mainly in combination with the other host and network characteristics described here.

Figure 10: Network Metadata

Sigma rules (or whatever detection tooling you prefer) matching winword.exe writing an executable to disk, Word spawning an executable from a suspicious directory, or a suspicious parent process executing net.exe should catch this document's execution chain.

Snort rules for the C2 check-in traffic have already been released. Even so, detecting the check-in will be difficult, as the malware authors have changed the check-in message since the last published research article.

I have not identified any concrete leads from the creator name in the Word document's metadata (Figure 1). These names are easily changed and can send analysts down never-ending rabbit holes. In any case, attribution is out of scope for this article.

Domain/IP reputation lookups as well as detecting network connections without a DNS lookup may also assist in identifying LODEINFO.
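To make the detection ideas above concrete, here is an added example of my own (not part of the original post, and not a Sigma rule) that runs four of those checks over constructed Sysmon-style events: Office writing a PE to disk, Office spawning a binary from a user-writable directory, discovery tools launched by a parent living in a user-writable directory, and an outbound connection whose destination IP no DNS answer on that host produced. The host name, user, paths and timestamps are invented; the C2 IP, dropped file names and discovery commands are the ones given in this post. A benign browser session and an administrator's console `net view` are included as controls.

```python
import ntpath
from datetime import datetime, timedelta

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# cmd.exe is noisy on its own; it is tolerable here only because the rule
# also requires the parent to live in a user-writable directory.
DISCOVERY_TOOLS = {"net.exe", "net1.exe", "tasklist.exe", "cmd.exe"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")

# Constructed Sysmon-style events, not telemetry captured from the sample.
# id 1 = process create, 3 = network connect, 11 = file create, 22 = DNS query.
WINWORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
TRJ = r"C:\Users\alice\AppData\Local\Temp\TRJ"
EVENTS = [
    {"id": 11, "ts": "2020-06-19T09:00:05", "host": "WS01", "image": WINWORD,
     "target": TRJ + r"\SfsDllSample.exe"},
    {"id": 11, "ts": "2020-06-19T09:00:05", "host": "WS01", "image": WINWORD,
     "target": TRJ + r"\sfsdll32.dll"},
    {"id": 1, "ts": "2020-06-19T09:00:06", "host": "WS01",
     "image": TRJ + r"\SfsDllSample.exe", "parent": WINWORD,
     "cmdline": "SfsDllSample.exe"},
    {"id": 1, "ts": "2020-06-19T09:00:08", "host": "WS01",
     "image": r"C:\Windows\System32\cmd.exe", "parent": TRJ + r"\SfsDllSample.exe",
     "cmdline": "cmd.exe /c ver"},
    {"id": 1, "ts": "2020-06-19T09:00:09", "host": "WS01",
     "image": r"C:\Windows\System32\tasklist.exe", "parent": TRJ + r"\SfsDllSample.exe",
     "cmdline": "tasklist /v"},
    {"id": 1, "ts": "2020-06-19T09:00:10", "host": "WS01",
     "image": r"C:\Windows\System32\net.exe", "parent": TRJ + r"\SfsDllSample.exe",
     "cmdline": "net view"},
    {"id": 3, "ts": "2020-06-19T09:00:12", "host": "WS01",
     "image": TRJ + r"\SfsDllSample.exe", "dst": "103.27.184.27", "port": 80},
    # Control: a browser resolves a name, then connects to the answer.
    {"id": 22, "ts": "2020-06-19T09:01:00", "host": "WS01", "image": CHROME,
     "query": "example.com", "answers": ["93.184.216.34"]},
    {"id": 3, "ts": "2020-06-19T09:01:01", "host": "WS01", "image": CHROME,
     "dst": "93.184.216.34", "port": 443},
    # Control: an admin at a console; the parent is not in a user-writable path.
    {"id": 1, "ts": "2020-06-19T09:02:00", "host": "WS01",
     "image": r"C:\Windows\System32\net.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "net view"},
]


def _base(path):
    return ntpath.basename(path).lower()


def _user_writable(path):
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE)


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def office_drops_executable(events):
    """An Office process writes a PE to disk (Sysmon 11)."""
    return [e["target"] for e in events
            if e["id"] == 11 and _base(e["image"]) in OFFICE_APPS
            and _base(e["target"]).endswith((".exe", ".dll"))]


def office_spawns_from_user_dir(events):
    """An Office process starts an executable from a user-writable directory."""
    return [e["image"] for e in events
            if e["id"] == 1 and _base(e["parent"]) in OFFICE_APPS
            and _user_writable(e["image"])]


def discovery_from_suspicious_parent(events):
    """Discovery tooling whose parent lives in a user-writable directory."""
    return [(_base(e["parent"]), e["cmdline"]) for e in events
            if e["id"] == 1 and _base(e["image"]) in DISCOVERY_TOOLS
            and _user_writable(e["parent"])]


def connections_without_dns(events, window=timedelta(minutes=5)):
    """Outbound connects (Sysmon 3) to an IP that no DNS answer (Sysmon 22)
    on the same host produced within the preceding window; a hard-coded C2
    address looks exactly like this."""
    hits = []
    for e in events:
        if e["id"] != 3:
            continue
        t = _ts(e)
        resolved = any(
            d["id"] == 22 and d["host"] == e["host"] and e["dst"] in d["answers"]
            and timedelta(0) <= t - _ts(d) <= window
            for d in events)
        if not resolved:
            hits.append((e["image"], e["dst"], e["port"]))
    return hits


if __name__ == "__main__":
    for check in (office_drops_executable, office_spawns_from_user_dir,
                  discovery_from_suspicious_parent, connections_without_dns):
        print(check.__name__, "->", check(EVENTS))
```

The DNS-less check is the one that needs care in production: it must exclude hosts whose resolver cache was populated before the collection window, link-local and RFC 1918 destinations, and proxies that resolve on the client's behalf; the other three rules are cheap and map directly onto the Sysmon fields they read.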

There are many ways this analysis could have been conducted; this is just the approach I find reasonably quick and thorough. LODEINFO is an interesting piece of malware targeting specific entities in Japan, and its authors react quickly to security research. Other functions of the malware include keylogging, as one would expect when media and defense organizations are the targets.

What throws me for a loop is the now confirmed addition of ransomware. Encrypting files works against any attempt to stay undetected or to quietly exfiltrate data, and it taunts the victim. It will be interesting to see what further lures appear and how LODEINFO's authors continue to adapt.

**Update 22 June 2020**

Thanks to keen-eyed Twitter user @Account4Kazu: the first sightings of LODEINFO were in 2019, not 2018. Thanks again for reading!

Further Reading: (PDF is in Japanese, English language version not yet released)
