The LODEINFO malware is a new threat that was spotted in a campaign targeting Japanese companies recently. The targets would receive a well-crafted phishing email, which is how the LODEINFO threat is being distributed. The emails in question would vary topic-wise. However, all of the emails that were used for the propagation of the LODEINFO threat contained a corrupted document attachment. The recipient would be asked to review the seemingly harmless document. However, upon launching it, the hidden macro-scripts within it would be executed, and the LODEINFO malware would compromise the user’s system.
The LODEINFO threat appears to operate as a regular backdoor Trojan. Once the LODEINFO malware is installed on the targeted host successfully, it will gain persistence by tampering with the Windows Registry service. The LODEINFO Trojan also would establish a connection with its operators’ C&C (Command & Control) server. Next, the LODEINFO threat would provide the attackers with information regarding the default language, as well as the host's hardware and software. After completing this, the LODEINFO Trojan would wait for more commands from its operators. The LODEINFO malware is capable of:
- Downloading files from the host.
- Uploading files from the C&C server.
- Planting additional malware on the host.
- Executing remote commands.
- Managing active processes.
- Running executable files.
Despite the fact that the LODEINFO threat is not very feature-rich, it is a high-end threat that appears to be the product of a threat actor that is highly experienced in the field of cybercrime.