Further Updates in LODEINFO Malware - JPCERT/CC Eyes
By 喜野 孝太(Kota Kino)
Published: 2021-02-17 · Archived: 2026-04-05 23:06:55 UTC
February 18, 2021
LODEINFO
The functions and evolution of malware LODEINFO have been described in our past articles in February 2020
and June 2020. Yet in 2021, JPCERT/CC continues to observe activities related to this malware. Its functions have
been expanding with some new commands implemented or actually used in attacks. This article introduces the
details of the updated functions and recent attack trends.
LODEINFO versions
At the time of the last blog update, the latest version of LODEINFO was v.0.3.6, and currently v0.4.8 is being
used. Figure 1 shows the transition of LODEINFO versions based on JPCERT/CC’s observation.
Figure 1：LODEINFO versions
Decoy document
As we previously explained, LODEINFO infection spreads once a user enables the macro in a Word or Excel file
attached to a spear phishing email. In some recent cases, these document files are protected with a password,
which is specified in the email body. The Word document convinces the user to enable the macro as in Figure 2.
(The statement in the yellow box is roughly translated as follows: In case Word application cannot open the
https://blogs.jpcert.or.jp/en/2021/02/LODEINFO-3.html
Page 1 of 9

document properly, you may be able to open it with Word premium mode. To proceed, please click the button in
the yellow message bar above.)
Figure 2： Word document content sample
The document appears to be empty, however, there are hidden letters in small and white fonts, containing macro
configuration values and BASE64-encoded strings of a zip file which stores LODEINFO.
https://blogs.jpcert.or.jp/en/2021/02/LODEINFO-3.html
Page 2 of 9

Figure 3： Word document contents sample (after changing the font)
The macro uses a method called LOLBAS to execute LODEINFO. Below is the command for executing a file
created.
rundll32.exe advpack.dll,RegisterOCX
Figure 4： Process after enabling macro
The code of the macro contained in the documents shows sentences in public articles related to the diplomatic
relations between South Korea and Japan or North Korea in the comments.
Figure 5： Comments in the macro
New commands
https://blogs.jpcert.or.jp/en/2021/02/LODEINFO-3.html
Page 3 of 9

The latest LODEINFO v0.4.8 has the following additional commands compared to v.0.3.6. (See Appendix A for
details.)
ransom (implemented)
keylog (implemented)
mv
cp
mkdir
ps
pkill
The following sections describe some of the new features that are available in the newer versions.
Ransomware function
“ransom” command has been implemented in v.0.3.8 and after. The encryption algorithm is a combination of AES
and RSA. The files are first encrypted with an AES key generated for each fille. The key is then encrypted with
the RSA public key embedded in the malware. After that, the message “WOW! THIS FILE HAS BEEN
ENCRYPTED...” is inserted in the beginning of the file.
Figure 6： Structure of the encrypted file
This process makes it difficult to decrypt the files. Files and folders to encrypt can be specified with the ransom
command, however, those with file extensions and paths in Figure 7 are excluded.
https://blogs.jpcert.or.jp/en/2021/02/LODEINFO-3.html
Page 4 of 9

Figure 7： Files excluded from encryption
In case a folder is selected, its path name is checked against the list, but not the individual files inside the folder.
Therefore, files including these names listed above are encrypted in this case. Unlike other types of common
ransomware, alteration of file extension, creation of ransom notes and/or change of background image do not
occur. JPCERT/CC has not yet observed these features in actual attack cases, but they may be used for the purpose
of deleting evidence or exfiltrating data.
Keylog function
“keylog” command has been implemented in v.0.4.6 and after. This command checks the following registry value
to see if the option is enabled.
Figure 8： Keylog checks if it is enabled
If it is enabled, a file named “<NetBIOS name>.tmp” is created in %TEMP% folder, and stolen key strings are
encoded and stored there. An XOR key is used for encoding, which contains the first 1 byte of the SHA512 value
of the device’s NetBIOS name. The following is an example of code to decode the keylog file.
import os
import hashlib
name = os.getenv("COMPUTERNAME")
keylog_file = os.getenv("TEMP") + "//" + name + ".tmp"
hash_of_name = hashlib.sha512(name.encode("UTF-8")).hexdigest()
xor_key = int(hash_of_name[0:2], 16)
decode_data = bytes()
with open(keylog_file, "rb") as f:
 for ch in f.read():
 decode_data += (ch ^ xor_key).to_bytes(1, byteorder="big", signed=False)
https://blogs.jpcert.or.jp/en/2021/02/LODEINFO-3.html
Page 5 of 9

print(decode_data.decode('shift_jis'))
One of the distinctive features of this function is that it checks if the device’s keyboard layout is set to Japanese
according to the following criteria:
“OverrideKeyboardIdentifier” value in HKLM\SYSTEM\CurrentControlSet\Service\i8042prt\Parameters
is set to “PCAT_106KEY”
“GetKeyboardLayout” function returns “1041”
If the device uses the Japanese keyboard layout, the key strings are converted accordingly. This fact implies that
the attackers using LODEINFO malware target Japanese language users.
Figure 9： Checking keyboard layout
In closing
Attacks using LODEINFO has been continuously observed, and it is considered as a severe threat. We will keep
an eye on this activity as it is yet likely to continue.
The hash value of the sample described in the article is listed in Appendix B, together with some newly confirmed
C&C servers in Appendix C. Please make sure that none of your devices is communicating with such hosts.
- Kota Kino
(Translated by Yukako Uchida)
Reference
Appendix A New commands
Value Contents
ransom Encrypt files
keylog Control keylogger
mv Move files
cp Copy files
https://blogs.jpcert.or.jp/en/2021/02/LODEINFO-3.html
Page 6 of 9

Value Contents
mkdir Create directory
ps List process
pkill Kill process
Appendix B SHA-256 has value of a sample
3fda6fd600b4892bda1d28c1835811a139615db41c99a37747954dcccaebff6e （v0.4.6）
Appendix C C&C servers
www.evonzae.com
45.76.216.40
103.140.45.71
139.180.192.19
167.179.84.162
167.179.65.11
喜野 孝太(Kota Kino)
Kota Kino is Malware/Forensic Analyst at Incident Response Group, JPCERT/CC since August 2019.
Related articles
https://blogs.jpcert.or.jp/en/2021/02/LODEINFO-3.html
Page 7 of 9

Update on Attacks by Threat Group APT-C-60
CrossC2 Expanding Cobalt Strike Beacon to Cross-Platform Attacks
https://blogs.jpcert.or.jp/en/2021/02/LODEINFO-3.html
Page 8 of 9

Malware Identified in Attacks Exploiting Ivanti Connect Secure Vulnerabilities
DslogdRAT Malware Installed in Ivanti Connect Secure
Tempted to Classifying APT Actors: Practical Challenges of Attribution in the Case of Lazarus’s Subgroup
Source: https://blogs.jpcert.or.jp/en/2021/02/LODEINFO-3.html
https://blogs.jpcert.or.jp/en/2021/02/LODEINFO-3.html
Page 9 of 9

  https://blogs.jpcert.or.jp/en/2021/02/LODEINFO-3.html 
Update on Attacks by Threat Group APT-C-60 
CrossC2 Expanding Cobalt Strike Beacon to Cross-Platform Attacks
  Page 8 of 9