Date: 11/22/2024
Severity: High
Summary
LODEINFO is malware that has primarily targeted Japan since 2019; Trend Micro attributes it to a group it tracks as Earth Kasha. Some vendors link this group to APT10, but there is insufficient evidence to confirm the connection. Trend Micro treats APT10 and Earth Kasha as separate entities but uses the term "APT10 Umbrella" to describe intrusion sets potentially related to APT10. Earth Kasha, known for targeting public institutions and academics via spear-phishing, launched a new campaign running from early 2023 into 2024 with updated strategies, tactics, and tools.
Indicators of Compromise (IOC) List
Domains\URLs:
ns1.tlsart.com
DGA.hopto.org
DGA.gotdns.ch
DGA.myftp.org
DGA.tw8sl.com
DGA.srmbr.com
IP Address:
45.76.197.236
Hash (SHA-256):
9c681493c81581995e6a48b96411a7004fe77558d7ca863e26398538ad78f385
8574a494425825958c1e978ca7f66a467954fa90c7c898eebac49928519f0eae
87fd4cf002e4d3867462c7a08124cba154750ae78785009a9f213c7479241eef
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Domains\URLs:
userdomainname like "ns1.tlsart.com" or url like "ns1.tlsart.com" or userdomainname like "DGA.srmbr.com" or url like "DGA.srmbr.com" or userdomainname like "DGA.tw8sl.com" or url like "DGA.tw8sl.com" or userdomainname like "DGA.myftp.org" or url like "DGA.myftp.org" or userdomainname like "DGA.hopto.org" or url like "DGA.hopto.org" or userdomainname like "DGA.gotdns.ch" or url like "DGA.gotdns.ch"
IP Address:
dstipaddress IN ("45.76.197.236") or ipaddress IN ("45.76.197.236") or publicipaddress IN ("45.76.197.236") or srcipaddress IN ("45.76.197.236")
Hash (SHA-256):
sha256hash IN ("8574a494425825958c1e978ca7f66a467954fa90c7c898eebac49928519f0eae","9c681493c81581995e6a48b96411a7004fe77558d7ca863e26398538ad78f385","87fd4cf002e4d3867462c7a08124cba154750ae78785009a9f213c7479241eef")
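The following is an added example, not part of the advisory and not Gurucul or Trend Micro code: it applies the same IOC values and field names as the queries above to log records outside the TDIR platform. It assumes that `like` behaves as a case-insensitive substring test and that the log records are dictionaries keyed by the query field names; the sample records are constructed, not real telemetry.

```python
"""Match the LODEINFO IOCs from the advisory above against log records."""

# IOC values copied from the advisory above
DOMAIN_IOCS = [
    "ns1.tlsart.com", "DGA.hopto.org", "DGA.gotdns.ch",
    "DGA.myftp.org", "DGA.tw8sl.com", "DGA.srmbr.com",
]
IP_IOCS = {"45.76.197.236"}
HASH_IOCS = {
    "9c681493c81581995e6a48b96411a7004fe77558d7ca863e26398538ad78f385",
    "8574a494425825958c1e978ca7f66a467954fa90c7c898eebac49928519f0eae",
    "87fd4cf002e4d3867462c7a08124cba154750ae78785009a9f213c7479241eef",
}

# Field names taken from the TDIR queries above
DOMAIN_FIELDS = ("userdomainname", "url")
IP_FIELDS = ("dstipaddress", "ipaddress", "publicipaddress", "srcipaddress")
HASH_FIELD = "sha256hash"


def match_record(rec):
    """Return a list of (field, ioc) pairs for every IOC hit in one record."""
    hits = []
    for field in DOMAIN_FIELDS:
        value = str(rec.get(field, "")).lower()
        # 'like' is treated as a case-insensitive substring test (assumption);
        # the DGA.-prefixed entries are matched literally, as in the query
        hits.extend((field, ioc) for ioc in DOMAIN_IOCS if ioc.lower() in value)
    for field in IP_FIELDS:
        if rec.get(field) in IP_IOCS:
            hits.append((field, rec[field]))
    # hashes are normalised to lowercase so mixed-case logging still matches
    digest = str(rec.get(HASH_FIELD, "")).lower()
    if digest in HASH_IOCS:
        hits.append((HASH_FIELD, digest))
    return hits


def scan(records):
    """Return (record, hits) for every record that matches at least one IOC."""
    return [(rec, hits) for rec in records if (hits := match_record(rec))]


# Constructed sample records (not real telemetry)
SAMPLE_LOGS = [
    {"userdomainname": "ns1.tlsart.com", "srcipaddress": "10.0.0.5"},
    {"url": "https://example.org/", "dstipaddress": "45.76.197.236"},
    {"sha256hash": "8574A494425825958C1E978CA7F66A467954FA90C7C898EEBAC49928519F0EAE"},
    {"url": "https://example.org/index.html", "dstipaddress": "203.0.113.9"},
]

if __name__ == "__main__":
    for rec, hits in scan(SAMPLE_LOGS):
        print(hits)
```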
Reference:
https://www.trendmicro.com/en_us/research/24/k/lodeinfo-campaign-of-earth-kasha.html