Cybercriminals hijacked well-known AV software
A well-known Chinese threat actor has been caught abusing a DLL-loading weakness in a popular antivirus product to deliver malware to selected targets in Japan.
Cybersecurity researchers at Kaspersky spotted Cicada (also tracked as APT10) tricking employees at various Japanese organizations into downloading tampered installation packages for K7Security Suite, a product of K7 Computing.
Targets that fall for the lure, which include government agencies and media firms, end up infected with LODEINFO, a backdoor first seen three years ago that can, among other things, execute PE files and shellcode, kill processes, and upload and download files.
LODEINFO is delivered through a technique known as DLL sideloading. The victim first downloads what looks like a K7Security Suite installation package. The executable inside is the genuine K7 binary and is not malicious in itself; the trick is that the same folder also carries a malicious file named K7SysMn1.dll.
K7SysMn1.dll is the name of a library that ships with the real K7Security Suite and that the legitimate executable expects to find alongside it. Windows' default DLL search order checks the application's own directory first, and the program performs no check that the file is the vendor's copy, so the genuine executable loads the attacker's DLL.
Because the malicious code then runs inside the process of a legitimate security product, whose executable is (as with most security software) digitally signed, other security tools may not flag it: allow-lists and reputation checks see a trusted binary, and the rogue DLL only stands out to a tool that inspects module loads, signatures and load paths rather than just the launched executable.
The researchers could not determine how many organizations fell for the lure or what the campaign's ultimate goal is, although cyber espionage is the most likely answer.