Criminals hijack antivirus software to deliver malware

Antivirus Software
(Image credit: Shutterstock)

A known Chinese threat actor has been found abusing a flaw in a well-known antivirus program to deliver malware to high-profile targets in Japan.

Cybersecurity researchers at Kaspersky recently spotted Cicada, also known as APT10,  tricking employees at various organizations in Japan - from media firms to government agencies - into downloading a compromised version of the company’s K7Security Suite.   

Those that fall for the trick end up getting LODEINFO, a three-year-old malware that’s capable of executing PE files and shellcode, uploading and downloading files, killing processes, and sending out file lists, among other things.

DLL sideloading

The malware is being distributed through a practice known as DLL sideloading. First, the victim needs to be led to a fake K7Security Suite download page, where they’d download the software. The installation executable itself wouldn’t be malicious - it would be the actual antivirus solution. However, the same folder would also carry a malicious DLL named K7SysMn1.dll. 

During regular installation, the executable will look for a file named K7SysMn1.dll, which is usually not malicious. If it finds it in the same folder where it sits, it won’t look any further and will run that file, instead. 

The threat actors would then create a malicious file, containing the LODEINFO malware, and give it the K7SysMn1.dll filename. In other words, it’s the antivirus program that ends up loading the malware onto the target endpoint. And given that a legitimate security application loads it, other security software might not detect it as malicious. 

The researchers were not able to determine how many organizations fell prey to this attack, or what the end goal of the campaign is. Given who the targets are, cyber espionage is the most obvious answer, though.

Side-loading .DLL files is no novel approach. In August 2022, it was reported that Windows Defender was abused to side-load LockBit 3.0, an infamous ransomware variant. 

Via: BleepingComputer

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.