
Spot the Difference: New LODEINFO Campaign And The Correlation Analysis With The APT10 Umbrella

NetmanageIT OpenCTI - opencti.netmanageit.com


SUMMARY :

Earth Kasha, a threat group that has targeted Japan since 2019, has launched a new campaign with significant changes to its tactics and arsenal. The group has expanded its targeting to Taiwan and India, focusing on advanced-technology organizations and government agencies. For initial access it now exploits public-facing applications, specifically SSL-VPN and file-storage services, using vulnerabilities in Array AG, Proself, and FortiOS/FortiProxy (the CVE-2023-28461, CVE-2023-45727, and CVE-2023-27997 labels below correspond to those three products respectively). Earth Kasha deploys multiple backdoors, including Cobalt Strike, LODEINFO, and the newly discovered NOOPDOOR. Post-exploitation activity consists of information theft, credential acquisition, and lateral movement; the group uses custom malware such as MirrorStealer for credential dumping and employs techniques to evade detection. While its tooling and tradecraft overlap with those of other China-nexus actors (the report's title refers to the APT10 umbrella), Earth Kasha retains distinct operational characteristics.

OPENCTI LABELS :

apt,lodeinfo,backdoor,cobalt strike,credential theft,mirrorstealer,noopdoor,cve-2023-27997,china-nexus,cve-2023-45727,cve-2023-28461

