print PRINT

SECURITY > Cybersecurity

New type of rapidly evolving malware targets Japan

  • July 14, 2020
  • , Nikkei , p. 32
  • JMH Translation

A new type of malware observed in cyberattacks on Japanese companies and government agencies has been rapidly enhanced with many upgrades in a short period of time. According to a commercial security organization, the malware has not been observed outside Japan and may have been developed with Japan as its target.


“LODEINFO” is a malware that works remotely to remove information from infected terminals, according to Japan Computer Emergency Response Team (JPCERT) Coordination Center, a Tokyo-based security organization. A command can be sent from outside the network to spread the infection within the network.


JPCERT confirmed that 16 emails embedded with LODEINFO were sent to multiple media companies and government agencies between December 2019 and June 2020. JPCERT is not aware of any cases outside Japan.


Another individual in the security field says Japanese think tanks and defense-related organizations have received such emails. Infections occurred at multiple companies due to people opening email attachments.


Many of the emails are sent from free email accounts such as Gmail. The emails had subjects in Japanese related to the new coronavirus, or pretended to send a CV or resume. A terminal becomes infected when the user clicks a “content validation” or other similar button in the attached Word or Excel file.


According to JPCERT, LODEINFO has undergone at least six updates since December 2019. In April 2020, a functionality that enables the malware to steal screenshots of infected terminals as image data was added.


In mid-June 2020, it was discovered that the LODEINFO added a functionality which encrypts data in the infected terminal to disable its use. It is suspected that the malware is being used in attacks to demand “ransom” in exchange for a decryption key or that the attacker is trying to erase evidence of the attack.


LODEINFO’s specifications such as infection method and timing have changed many times. This may be an attempt to avoid detection as malware.


Kota Kino, a malware analyst at JPCERT, says that it is “rare for a malware to be updated so many times in a short time span.”


Gen Yanagishita, senior researcher at Macnica Networks Security Research Center who decoded LODEINFO, points out that the coding of LODEINFO and malware used in the past by “APT10,” a cyberspy group based in China are similar.


APT10 has launched cyberattacks in the U.S., Europe, and Japan on a wide range of industries from aerospace, automotive, and finance. It has stolen confidential information and cutting edge technologies.


On December 2018, the U.S. Justice Department announced the indictment of two Chinese hackers determined to be APT10 members. The FBI put the two hackers on its wanted list.


At the moment, there is no definitive evidence to connect LODEINFO and APT10. It is common for cyberattackers to hide their identities and pretend to be different groups.


JPCERT’s Kino says that the attacker’s identity is unknown, but it is highly likely that someone is frequently launching cyberattacks targeting Japan.

  • Ambassador
  • Ukraine
  • COVID-19
  • Trending Japan