###### 火車 (Kasha)

https://en.wikipedia.org/wiki/Kasha_(folklore)#/media/File:SekienKasha.jpg

[Slide residue, bullet text not recovered. Labels on the slide: espionage; espionage + cybercrime; 2019~; 2020~2021]

###### LODEINFO version timeline (2020-2023)

[Figure residue. Legend: "Observed in previous Campaign" / "Observed in new Campaign". Versions plotted: v0.2.7, v0.3.1, v0.3.2, v0.3.4, v0.3.5, v0.3.6, v0.4.1, v0.4.7, v0.4.8, v0.5.8, v0.5.9, v0.6.2, v0.6.5, v0.6.9, v0.7.1, v0.7.3; axis: months 1-12 across 2020, 2021, 2022, 2023]

###### Reference

https://jsac.jpcert.or.jp/archive/2021/pdf/JSAC2021_202_niwa-yanagishita_en.pdf

#### LODEINFOLDR loading process

- LODEINFOLDR Type 1 loading process: DLL side-loading, `Elze.exe` loads `frau.dll`; the payload (LODEINFO) runs inside `Elze.exe`
- LODEINFOLDR Type 2 loading process: DLL side-loading, `SfsDllSample.exe` loads `SfsDll32.dll`

[Figure residue: LODEINFOLDR payload layout. Regions shown: legitimate signature, RC4 key (0x40), encrypted payload. Offsets shown on the slide: `add 0x28200 0x2C438`, `0x4238`]

###### 2nd stage: LODEINFO's backdoor command process routine

[Figure residue, diagram not recovered]

#### NOOPLDR / NOOPDOOR

- MSBuild task containing obfuscated C# to load NOOPDOOR
- Control flow obfuscation and junk code
- NOOPDOOR is basically an active backdoor but also supports a passive backdoor

[Figure residue: C2 server, TCP/443, TCP/47000; client thread, server thread; NOOPDOOR]

###### NOOPDOOR C2 domain generation

The "action" column of this table was not recovered from the slide; only the example values survive.

|action|example|
|---|---|
||2023/12/01 00:00:00 -> 0x365692200 -> 0x65692200|
||0x65692200 -> 0x650a3600|
||hxxp://$j[TEST].srmbr[.]com:443/#180|
||217826c36e994d097eadcf856fdcadb21372e5a0845e496dbb6015e1a8d42867|
||dd5b50e5e0405a221fc3c45f8d40ae37733f190b62e2b64e5de10cd190224453d90eaf…|
||3VtQ5eBAWiIfw8RfjUCuN3M/GQti4rZOXeEM0ZAiRFPZDq8hG4tUb0ce7kFR4zdmLx+xTZe2Z0P…|
||3VtQ5eBAWiIfw8Rfj -> VtQeBAWiIfwRfj -> vtqebawiifwrfj|
||vtqebawiifwrfj -> vtqebawifwrfj|
||hxxp://vtqebawifwrfj[.]srmbr[.]com:443/|

Resulting C2 URL: hxxp://vtqebawifwrfj[.]srmbr[.]com:443/

#### NOOPDOOR vs. ANEL

||NOOPDOOR|ANEL|
|---|---|---|
|timeline|2021~|2017~2019|
|arch|64bit|32bit|
|form|shellcode|shellcode (Loader) -> DLL|
|protocol|TCP|HTTP|

[Figure residue: NOOPDOOR / ANEL Loader comparison diagram not recovered]

###### Infrastructure overlap between NOOPDOOR and LODEINFO

[Figure residue: `45.76.197[.]236` hosted encrypted LODEINFO components on 2023/04/25; `plouwvqlxy.myftp.org` and `kcimqstvpvsvjzr.hopto.org` resolve to it; NOOPDOOR and LODEINFO connect, observed at 2023/05/23]

[Two check-mark tables followed on the slides; their row and column labels were not recovered]

#### Assumption

1. Malware such as LODEINFO and NOOPDOOR might possibly be shared with other groups?
2. There might possibly be a team focusing on initial compromise (like access broker)?

## Thank you

# Appendix

##### We will release a blog with Yara rule soon

```
rule Trojan_LODEINFOLDR_generic {
    meta:
        Author = "Trend Micro"
        Created_Time = "2024-01-26"
    strings:
        $chunk_1 = { 8A 02 34 ?? 88 01 8A 42 01 34 ?? 88 41 01 8A 42 02 34 ?? 88 41 02 8A 42 03 34 ?? 88 41 03 8A 42 04 34 ?? 88 41 04 8A 42 05 34 ?? 88 41 05 8A 42 06 34 ?? 88 41 06 8A 42 07 34 ?? 88 41 07 8B C1 C6 41 08 00 }
    condition:
        uint16(0) == 0x5A4D and all of them
}
```

```
rule Trojan_NOOPLDR_xml {
    meta:
        Author = "Trend Micro"
        Created_Time = "2024-01-26"
    strings:
        $s1 = "
```

[The second rule is cut off at this point in the source]