Criminals hijack antivirus software to deliver malware
A known Chinese threat actor has been found abusing a flaw in a well-known antivirus program to deliver malware to high-profile targets in Japan.
Cybersecurity researchers at Kaspersky recently spotted Cicada, also known as APT10, tricking employees at various organizations in Japan – from media firms to government agencies – into downloading a compromised version of the company’s K7Security Suite.
Those that fall for the trick end up getting LODEINFO, a three-year-old malware that’s capable of executing PE files and shellcode, uploading and downloading files, killing processes, and sending out file lists, among other things.
The malware is being distributed through a practice known as DLL sideloading. First, the victim needs to be led to a fake K7Security Suite download page, where they’d download the software. The installation executable itself wouldn’t be malicious – it would be the actual antivirus solution. However, the same folder would also carry a malicious DLL named K7SysMn1.dll.
During regular installation, the executable will look for a file named K7SysMn1.dll, which is usually not malicious. If it finds it in the same folder where it sits, it won’t look any further and will run that file, instead.
> One of the most beloved Windows tools could actually be a huge security risk
> Windows Defender hacked to deploy this dangerous ransomware
> Here’s a rundown of the best endpoint protection services right now
The threat actors would then create a malicious file, containing the LODEINFO malware, and give it the K7SysMn1.dll filename. In other words, it’s the antivirus program that ends up loading the malware onto the target endpoint. And given that a legitimate security application loads it, other security software might not detect it as malicious.
The researchers were not able to determine how many organizations fell prey to this attack, or what the end goal of the campaign is. Given who the targets are, cyber espionage is the most obvious answer, though.
Side-loading .DLL files is no novel approach. In August 2022, it was reported that Windows Defender was abused to side-load LockBit 3.0, an infamous ransomware variant.
- Check out the best firewalls out there