LODEINFO Since 2023

In the new campaign starting in early 2023, Earth Kasha expanded their targets into Japan, Taiwan, and India. Based on the bias of the incident amount, while we believe that Japan is still the main target of Earth Kasha, we observed that a few high-profile organizations in Taiwan and India were targeted. The observed industries under attack are organizations related to advanced technology and government agencies.

Earth Kasha has also employed different Tactics, Techniques, and Procedures (TTPs) in the Initial Access phase, which now exploits public-facing applications such as SSL-VPN and file storage services. We observed that vulnerabilities of enterprise products, such as Array AG (CVE-2023-28461), Proself (CVE-2023-45727) and FortiOS/FortiProxy (CVE-2023-27997), were abused in the wild. Earth Kasha was changing these vulnerabilities to abuse from time to time. After gaining access, they deployed several backdoors in the victim’s network to achieve persistence. These include Cobalt Strike, LODEINFO, and the newly discovered NOOPDOOR, which we will describe later.

Observed TTPs in Post-Exploitation

Our comprehensive analysis of the activities in the Post-Exploitation phase has revealed that the primary motivation behind the attack was the theft of the victim’s information and data. Earth Kasha first discovered Active Directory configuration and domain user information to achieve this goal using legitimate Microsoft tools, such as csvde.exe, nltest.exe and quser.exe. The following are actual commands used by the adversary.

  • csvde.exe  -f all.csv –u
  • nltest.exe  /domain_trusts
  •  quser.exe 

They then accessed the file server and tried to find documents related to the system information of the customer’s network by simply using “dir” commands recursively. Interestingly, upon checking on their activity, the operator might check the content of the documents manually. The stolen information may help the adversary find the next valuable target.

Earth Kasha then performs several techniques to acquire credentials. One method uses their custom malware, MirrorStealer, to dump stored credentials in applications. MirrorStealer (originally reported by ESET) is a credential dumper targeting multiple applications such as browsers (Chrome, Firefox, Edge and Internet Explorer), email clients (Outlook, Thunderbird, Becky, and Live Mail), Group Policy Preferences and SQL Server Management Studio.

Since MirrorStealer may be designed to dump credentials on client machines, Earth Kasha used another way to dump OS credentials. We observed that the adversary abused vssadmin to copy registry hives and ntds.dit in the Active Directory server from volume shadow copy. The SAM registry hive contains the NTLM hash of local machine users, while ntds.dit contains the NTLM hash of all the domain users. The following are commands the adversary uses after creating a volume shadow copy.

  • copy  \<AD_SERVER_IP>c$windowstempntds.dit .
  • copy  \<AD_SERVER_IP>c$windowstempsystem .
  • copy  \<AD_SERVER_IP>c$windowstempsam .

While we couldn’t figure out the actual method they abused, we have observed that Earth Kasha successfully compromised domain admin in most cases. After compromising domain admin, they deployed backdoors (LODEINFO or NOOPDOOR) to several machines by copying components over SMB and abusing schetasks.exe or sc.exe to achieve lateral movement. The following are the adversary’s actual commands to deploy malicious components over admin shares.

  • copy SfsDllSample.exe \<IP>c$windowstempSfsDllSample.exe 
  • copy SfsDll32.dll     \<IP>c$windowstempSfsDll32.dll
  • copy mssitlb.xml  \<IP>C$Windowssystem32UIAnimation.xml
  • copy ShiftJIS.dat \<IP>C$Windowssystem32ComputerToastIcon.contrast-white.dat

Once the intrusion progressed, Earth Kasha started to exfiltrate the stolen information. The adversary gathered data, including ntds.dit, SYSTEM, SAM registry hives and other interesting files on a single victim machine and compressed these files into a single archive using the makecab command. While we couldn’t confirm how these data would be exfiltrated, it might be over the backdoor channel. Earth Kasha also exfiltrated interesting files in the victim network over the RDP session. They copied interesting files to the RDP source host over SMB (“tsclient” is an RDP source host).

  • \tsclientCaaaAll PC List.xlsx
  • \tsclientCaaaAll IP List.xlsx
  • \tsclientCaaaNetwork Diagram.xlsx

Malware Analysis

In the previous campaign by Earth Kasha, LODEINFO has been their primary backdoor of choice. In the new campaign, however, we have observed several backdoors, such as Cobalt Strike, LODEINFO and previously undocumented NOOPDOOR. These backdoors were selectively used for each incident.

Leave a Reply

Your email address will not be published. Required fields are marked *