LODEINFO
⚠️ Overview
LODEINFO is a Windows backdoor first documented by JPCERT/CC in February 2020, from samples observed in December 2019. Kaspersky and other researchers attribute it to the China-nexus group APT10 (also tracked as Stone Panda, Cicada and MenuPass) on the basis of targeting, infrastructure and tooling overlaps; it is not a Lazarus or BlueNoroff tool. Its victims are overwhelmingly Japanese organisations: media, diplomatic missions, government and public-sector bodies, and think tanks. The purpose is espionage: initial access, persistent remote control of the host, and theft of documents and credentials.
🔧 Technical Capabilities
LODEINFO is delivered through spear-phishing emails carrying Microsoft Word documents with malicious VBA macros; the macro drops the loader and backdoor rather than relying on an Office exploit. Campaigns from 2022 onward added self-extracting archives and DLL side-loading: a legitimate, signed third-party executable is dropped next to a malicious DLL that it loads by name, so the backdoor runs under a trusted image (Kaspersky's 2022 analysis describes a K7 Security component abused this way). Persistence is established by the dropper through a registry Run key (HKCU\Software\Microsoft\Windows\CurrentVersion\Run) or a scheduled task. The backdoor beacons to a hard-coded C2 over HTTP using a browser-like User-Agent; request and response bodies pass through a stack of QuickLZ compression, AES encryption and custom Base64/Vigenere encoding, with the exact layering varying by version (JPCERT/CC and Kaspersky document the per-version formats). Later versions add anti-analysis checks, including virtual-machine detection, and string obfuscation before the backdoor logic runs. Documented commands cover file listing and manipulation (ls, rm, mv, cp, cat), download and upload (send, recv), in-memory execution of a received payload (memory), process termination (kill), shell command execution (comc), screenshots (print), keylogging (keylog), configuration updates (config) and file encryption (ransom).
📜 History & Notable Incidents
JPCERT/CC first described LODEINFO in February 2020, from spear-phishing attacks against Japanese organisations observed in December 2019. The backdoor carries an internal version string in its beacon, which analysts have used to track its evolution since. Kaspersky's two-part 2022 analysis tied the family to APT10, catalogued a run of new versions and documented a new downloader (DOWNIISSA) deployed alongside it; ITOCHU Cyber & Intelligence reported continued campaigns with updated versions in 2024. No law-enforcement action against the operators has been reported, and the malware remained in active use as of 2024.
🔍 Detection Indicators
Sample hashes and C2 domains change between campaigns, so a static list goes stale quickly; take current values from the JPCERT/CC, Kaspersky and ITOCHU reports rather than from an aggregator. The specific hash, domains and mutex name originally listed here are not corroborated by those reports and should not be loaded as detection content. Durable indicators are behavioural: a Word document whose macro writes a DLL or executable into a user-writable directory; a signed executable in such a directory loading an unsigned DLL from the same folder; a new Run-key value pointing into such a directory; and HTTP POST beacons with a browser User-Agent (e.g. Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36) from a process that is not a browser.
☠️ Risk & Impact
LODEINFO gives the operator full remote control of the host: file theft, command execution, keylogging, screenshots and in-memory execution of follow-on payloads, and its ransom command can encrypt files on demand. The documented impact is espionage, the theft of documents and credentials from Japanese media, diplomatic, government, public-sector and research organisations, rather than cryptocurrency theft; the large financial losses sometimes associated with North Korean actors belong to other families and operations.
🛡️ Mitigation
Defenders should block Office macros in documents received from the internet (current Office versions do this by default for Mark-of-the-Web files; enforce it with the "Block macros from running in Office files from the Internet" policy) and keep Office patched. Monitor for DLL side-loading: alert when a signed executable in a user-writable directory (Temp, Downloads, AppData) loads an unsigned DLL from the same folder, and when a Run-key value points into such a directory. Block published LODEINFO C2 domains and IPs at the proxy, and alert on HTTP beacons with browser User-Agent strings from non-browser processes. Detections keyed on a single fixed string such as a Run-key value name are brittle; key them on the behaviour instead.
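One way to implement the side-loading check above, as an added example that is not part of the original page or of any vendor's LODEINFO detection content: a Python triage pass over Sysmon-style image-load (Event ID 7) records. The line format, the ImageSigned field (Sysmon reports signature status only for the loaded module, so signer status for the process image is assumed to be enriched at ingest) and the sample events are all constructed for this example.

```python
"""Triage Sysmon-style image-load events for DLL side-loading.

Heuristic: a signed executable loads an unsigned DLL that sits in the same
directory as the executable, and that directory is outside the Windows and
Program Files trees. This is the footprint a side-loaded loader leaves behind,
but it is generic; treat hits as leads, not verdicts.

The event lines use a constructed Key=Value|Key=Value format, not real Sysmon
telemetry; map the field names onto your own EID 7 export.
"""
from __future__ import annotations

import ntpath
from dataclasses import dataclass

# Directories where a signed host loading an unsigned DLL is common enough to be
# noise (installers, vendor updaters). Tune per estate.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


@dataclass(frozen=True)
class ImageLoad:
    image: str           # process executable (Sysmon 'Image')
    loaded: str          # module that was mapped (Sysmon 'ImageLoaded')
    image_signed: bool   # signer status of the process image (assumed enriched field)
    loaded_signed: bool  # Sysmon 'Signed' for the loaded module


def parse_event(line: str) -> ImageLoad:
    """Parse one constructed 'Key=Value|Key=Value' event line."""
    fields = dict(part.split("=", 1) for part in line.strip().split("|"))
    return ImageLoad(
        image=fields["Image"],
        loaded=fields["ImageLoaded"],
        image_signed=fields["ImageSigned"].lower() == "true",
        loaded_signed=fields["LoadedSigned"].lower() == "true",
    )


def in_trusted_dir(path: str) -> bool:
    """True if the path lives under one of TRUSTED_DIRS (case-insensitive)."""
    return path.lower().startswith(TRUSTED_DIRS)


def is_suspicious_sideload(ev: ImageLoad) -> bool:
    """Signed host process + unsigned DLL + same directory + untrusted location."""
    if not ev.image_signed or ev.loaded_signed:
        return False
    same_dir = ntpath.dirname(ev.image.lower()) == ntpath.dirname(ev.loaded.lower())
    return same_dir and not in_trusted_dir(ev.loaded)


def triage(lines: list[str]) -> list[str]:
    """Return the ImageLoaded paths of events matching the heuristic, in order."""
    return [ev.loaded for ev in map(parse_event, lines) if is_suspicious_sideload(ev)]


# Constructed sample events (not from a real incident).
SAMPLE_EVENTS = [
    # Normal: signed system binary loads a signed system DLL.
    r"Image=C:\Windows\System32\svchost.exe|ImageLoaded=C:\Windows\System32\ntdll.dll|ImageSigned=true|LoadedSigned=true",
    # Side-load: signed vendor tool dropped to Temp loads an unsigned version.dll next to it.
    r"Image=C:\Users\alice\AppData\Local\Temp\vendortool.exe|ImageLoaded=C:\Users\alice\AppData\Local\Temp\version.dll|ImageSigned=true|LoadedSigned=false",
    # Unsigned host + unsigned DLL: not side-loading as defined here; cover it with a separate rule.
    r"Image=C:\Users\alice\Downloads\setup.exe|ImageLoaded=C:\Users\alice\Downloads\helper.dll|ImageSigned=false|LoadedSigned=false",
    # Signed host under Program Files loading an unsigned DLL: suppressed by TRUSTED_DIRS.
    r"Image=C:\Program Files\Vendor\app.exe|ImageLoaded=C:\Program Files\Vendor\plugin.dll|ImageSigned=true|LoadedSigned=false",
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print("suspicious side-load:", hit)
```

Run as-is it reports the single constructed Temp-directory hit. In practice feed it an EID 7 export and tune TRUSTED_DIRS: the Program Files suppression trades a class of false negatives (an attacker who can already write there) for far less installer noise, and the unsigned-host case is left to a separate rule because it is a different, much noisier population.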
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.