An infamous Chinese threat actor has been discovered exploiting a vulnerability in a well-known antivirus program to deliver malware to high-profile Japanese targets.
Kaspersky cybersecurity researchers recently discovered Cicada, also known as APT10, tricking Japanese employees at various companies and government agencies into downloading tampered copies of the K7Security Suite.
Those who fall for the trick end up with LODEINFO, a three-year-old malware capable of executing shellcode and PE files, uploading or downloading files, killing processes, and sending file listings, among other things.
DLL sideloading
DLL sideloading is the technique used to deliver the malware. First, the victim is directed to a fake K7Security Suite page where they download the installer. The executable itself is not harmful and will install the actual antivirus solution. However, a malicious DLL named K7SysMn1.dll is placed in the same folder.
During a normal install, the executable looks for K7SysMn1.dll, which is a legitimate, non-malicious library. If it finds a file with that name in its own directory, it stops searching and loads that file instead.
The attackers therefore build a malicious DLL containing the LODEINFO payload and name it K7SysMn1.dll. The legitimate antivirus installer loads it and the malware is installed on the target device. Because it is loaded by a legitimate security application, other security software may not recognise it as malicious.
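The sideloading pattern described above has a simple detection signature: a DLL with a name the legitimate application expects, loaded from a directory the user can write to (Downloads, Temp, Desktop) rather than from the vendor or system install location. The following is an added example, not code from the article or from Kaspersky or K7, that applies that heuristic to Sysmon-style image-load events. The watchlist entry K7SysMn1.dll comes from the article; the trusted-root list, the vendor install path and the executable names in the sample events are assumptions, and the sample events are constructed.

```python
import json
from pathlib import PureWindowsPath
from typing import Optional

# DLL names worth watching for sideloading. K7SysMn1.dll is the name from the
# article; maintaining it as a watchlist entry is this example's assumption.
WATCHED_DLLS = {"k7sysmn1.dll"}

# Directories a standard user cannot write to. A watched DLL loaded from
# anywhere else matches the sideloading pattern described above. This root
# list is a heuristic chosen for the example, not a vendor recommendation.
TRUSTED_ROOTS = (
    "c:\\program files\\",
    "c:\\program files (x86)\\",
    "c:\\windows\\",
)


def classify_load(event: dict) -> Optional[str]:
    """Return a reason string if this image-load event looks like DLL
    sideloading, or None if it is benign / not of interest."""
    loaded = event.get("ImageLoaded", "")
    loader = event.get("Image", "")
    loaded_path = PureWindowsPath(loaded)
    if loaded_path.name.lower() not in WATCHED_DLLS:
        return None
    if loaded.lower().startswith(TRUSTED_ROOTS):
        return None  # loaded from the vendor/system location: expected behaviour
    # PureWindowsPath compares case-insensitively, matching Windows semantics.
    same_dir = loaded_path.parent == PureWindowsPath(loader).parent
    where = "beside the loading executable" if same_dir else "from an untrusted path"
    return f"{loaded_path.name} loaded {where}: {loaded}"


def detect_sideloading(log_lines):
    """Run classify_load over JSON-encoded events (one per line) and return
    (loading image, reason) tuples for every suspicious image load."""
    hits = []
    for line in log_lines:
        ev = json.loads(line)
        if ev.get("EventID") != 7:  # Sysmon event 7 = Image loaded
            continue
        reason = classify_load(ev)
        if reason:
            hits.append((ev["Image"], reason))
    return hits


# Constructed sample events in a Sysmon-like JSON shape (not real telemetry).
# The vendor install path and executable names are hypothetical.
_SAMPLE_EVENTS = [
    {"EventID": 7, "Image": "C:\\Program Files\\K7 Computing\\K7Installer.exe",
     "ImageLoaded": "C:\\Program Files\\K7 Computing\\K7SysMn1.dll"},
    {"EventID": 7, "Image": "C:\\Users\\alice\\Downloads\\K7Setup\\K7Installer.exe",
     "ImageLoaded": "C:\\Users\\alice\\Downloads\\K7Setup\\K7SysMn1.dll"},
    {"EventID": 7, "Image": "C:\\Windows\\explorer.exe",
     "ImageLoaded": "C:\\Windows\\System32\\shell32.dll"},
    {"EventID": 1, "Image": "C:\\Users\\alice\\Downloads\\K7Setup\\K7Installer.exe",
     "CommandLine": "K7Installer.exe"},
]
SAMPLE_LOG = [json.dumps(e) for e in _SAMPLE_EVENTS]

if __name__ == "__main__":
    for image, reason in detect_sideloading(SAMPLE_LOG):
        print(f"ALERT {image}: {reason}")
```

Only the load from the user's Downloads folder is reported; the same DLL name loaded from the install directory under Program Files is treated as normal. In production the trusted-root check should be tightened to the vendor's actual install path and paired with a code-signing check on the loaded image, since the whole point of the technique is that the loading executable itself is legitimately signed.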
Researchers were unable to determine the number of organizations that fell for this attack or the ultimate goal of the campaign. Cyber espionage seems the most obvious answer given the target list.
DLL sideloading is not a new technique. In August 2022, it was infamously reported that Windows Defender was being abused to sideload LockBit 3.0 ransomware.