
Criminals hijacking your antivirus to send malware into devices

A well-known antivirus program has a flaw that a recognized Chinese threat actor has been leveraging to spread malware to prominent targets in Japan. Kaspersky's cybersecurity analysts recently discovered Cicada, also known as APT10, luring employees at many Japanese companies, including media companies and government institutions, into downloading a tainted version of the firm's K7Security Suite. Those who fall for the ruse end up with LODEINFO, a three-year-old piece of malware that can, among other things, execute PE files and shellcode, upload and download files, end processes, and send out file listings.

DLL sideloading

The infection is spread through DLL sideloading. The victim is first directed to a bogus K7Security Suite download page. The installer itself is not harmful, since it is the real antivirus program; however, a malicious DLL named K7SysMn1.dll is placed in the same folder alongside it. During routine installation, the program searches for a file called K7SysMn1.dll, which is normally a legitimate component. If it finds a file with that name in the folder it is running from, it loads that file without looking any further. The threat actors therefore created a malicious file under the K7SysMn1.dll filename that contained the LODEINFO malware. In other words, the antivirus software itself ends up installing the malware on the targeted endpoint. Additionally, because the DLL is loaded by a reputable security application, other security software might not identify it as malicious. The researchers were unable to identify how many businesses were affected by this attack or what the campaign's ultimate aim was. However, given the targets, cyber espionage is the most obvious explanation.
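The sideload described above leaves a trace in image-load telemetry: a DLL carrying the vendor's filename is loaded from a folder outside the product's install tree, and it is unsigned. The following is an added example, not code from the article or from Kaspersky, that runs such a check over constructed Sysmon Event ID 7 style records; the install path, user names and the trusted-directory list are assumptions for illustration.

```python
import re
from pathlib import PureWindowsPath

# Constructed Sysmon Event ID 7 (ImageLoaded) records flattened to key=value lines.
# Record 2 models the article's scenario: the vendor DLL name loaded from Downloads.
# Record 4 models a tampered copy inside the install tree (unsigned).
SAMPLE_EVENTS = [
    "Image=C:\\Program Files\\K7Security\\K7TSecurity.exe ImageLoaded=C:\\Program Files\\K7Security\\K7SysMn1.dll Signed=true SignatureStatus=Valid",
    "Image=C:\\Users\\alice\\Downloads\\K7Setup.exe ImageLoaded=C:\\Users\\alice\\Downloads\\K7SysMn1.dll Signed=false SignatureStatus=Unavailable",
    "Image=C:\\Windows\\System32\\notepad.exe ImageLoaded=C:\\Windows\\System32\\kernel32.dll Signed=true SignatureStatus=Valid",
    "Image=C:\\Program Files\\K7Security\\K7TSecurity.exe ImageLoaded=C:\\Program Files\\K7Security\\K7SysMn1.dll Signed=false SignatureStatus=Unavailable",
]

# DLL names worth watching (K7SysMn1.dll comes from the article) and directory
# prefixes treated as trusted install locations (an assumption for this example).
WATCHED_DLLS = {"k7sysmn1.dll"}
TRUSTED_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")


def parse_event(line):
    """Split a key=value line into a dict; values such as paths may contain spaces."""
    return {m.group(1): m.group(2)
            for m in re.finditer(r"(\w+)=(.*?)(?=\s\w+=|$)", line)}


def is_suspicious_load(event):
    """Flag a watched DLL loaded unsigned or from outside a trusted install tree."""
    loaded = event.get("ImageLoaded", "")
    if PureWindowsPath(loaded).name.lower() not in WATCHED_DLLS:
        return False
    unsigned = (event.get("Signed", "").lower() != "true"
                or event.get("SignatureStatus") != "Valid")
    untrusted_dir = not loaded.lower().startswith(TRUSTED_DIRS)
    return unsigned or untrusted_dir


def find_sideloads(lines):
    """Return the ImageLoaded paths of every record that looks like a sideload."""
    events = [parse_event(line) for line in lines]
    return [e["ImageLoaded"] for e in events if is_suspicious_load(e)]


if __name__ == "__main__":
    for path in find_sideloads(SAMPLE_EVENTS):
        print("possible DLL sideload:", path)
```

Either signal alone is enough to raise an alert; the legitimate load in record 1 passes both checks and is not reported.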

By Jozeph P

Journalism explorer, tech Enthusiast. Love to read and write.
