{"description": "Enterprise techniques used by LODEINFO, ATT&CK software S9020 (v1.0)", "name": "LODEINFO (S9020)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "19", "navigator": "5.3.2"}, "techniques": [{"techniqueID": "T1547", "showSubtechniques": true}, {"techniqueID": "T1547.001", "comment": "[LODEINFO](https://attack.mitre.org/software/S9020) has used Registry run keys to set persistence.(Citation: ESET MirrorFace DEC 2022)(Citation: Trend Micro Earth Kasha NOV 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059", "showSubtechniques": true}, {"techniqueID": "T1059.005", "comment": "[LODEINFO](https://attack.mitre.org/software/S9020) can use VBA to drop malicious components on targeted hosts.(Citation: Kaspersky LODEINFO OCT 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1486", "comment": "\n[LODEINFO](https://attack.mitre.org/software/S9020) can incorporate a ransom command to encrypt specified files and folders.(Citation: Kaspersky LODEINFO Part II OCT 2022)(Citation: ESET MirrorFace DEC 2022)(Citation: ITOCHU LODEINFO JAN 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1005", "comment": "[LODEINFO](https://attack.mitre.org/software/S9020) can upload files from infected hosts to the C2.(Citation: Kaspersky LODEINFO Part II OCT 2022)(Citation: ESET MirrorFace DEC 2022)(Citation: ITOCHU LODEINFO JAN 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1001", "showSubtechniques": true}, {"techniqueID": "T1001.001", "comment": "[LODEINFO](https://attack.mitre.org/software/S9020) can append C2 communication with randomly generated junk data.(Citation: Kaspersky LODEINFO Part II OCT 2022)(Citation: ESET MirrorFace DEC 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1074", "showSubtechniques": true}, {"techniqueID": "T1074.001", "comment": 
"[LODEINFO](https://attack.mitre.org/software/S9020) has collected stolen web cookies locally in the `%TEMP%` folder.(Citation: ESET MirrorFace DEC 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1573", "showSubtechniques": true}, {"techniqueID": "T1573.001", "comment": "[LODEINFO](https://attack.mitre.org/software/S9020) can encrypt C2 communication with a hardcoded (NV4HDOeOVyL) Vigenere cipher key.(Citation: Kaspersky LODEINFO Part II OCT 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1480", "comment": "[LODEINFO](https://attack.mitre.org/software/S9020) can halt execution if the \u201cen_US\u201d locale is identified on a victim's machine.(Citation: Kaspersky LODEINFO Part II OCT 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1041", "comment": "[LODEINFO](https://attack.mitre.org/software/S9020) can exfiltrate collected credentials and browser cookies to the C2 server.(Citation: ESET MirrorFace DEC 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1083", "comment": "\n[LODEINFO](https://attack.mitre.org/software/S9020) has the ability to designate specific files and folders to encryption.(Citation: ESET MirrorFace DEC 2022)(Citation: ITOCHU LODEINFO JAN 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1574", "showSubtechniques": true}, {"techniqueID": "T1574.001", "comment": "[LODEINFO](https://attack.mitre.org/software/S9020) can use legitimate EXE files to sideload malicious DLLs.(Citation: Kaspersky LODEINFO OCT 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1070", "showSubtechniques": true}, {"techniqueID": "T1070.004", "comment": "[LODEINFO](https://attack.mitre.org/software/S9020) can delete files to remove traces of activity from victim systems.(Citation: ITOCHU LODEINFO JAN 2024)", "score": 1, "color": "#66b1ff", 
"showSubtechniques": true}, {"techniqueID": "T1105", "comment": "[LODEINFO](https://attack.mitre.org/software/S9020) has the ability to download additional files from the C2.(Citation: Kaspersky LODEINFO Part II OCT 2022)(Citation: ESET MirrorFace DEC 2022)(Citation: ITOCHU LODEINFO JAN 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1056", "showSubtechniques": true}, {"techniqueID": "T1056.001", "comment": "[LODEINFO](https://attack.mitre.org/software/S9020) can capture keystrokes on targeted systems.(Citation: ESET MirrorFace DEC 2022)(Citation: ITOCHU LODEINFO JAN 2024)(Citation: Trend Micro Earth Kasha NOV 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1106", "comment": "[LODEINFO](https://attack.mitre.org/software/S9020) can use Windows APIs such as `VirtualAllocEx()`, `WriteProcessMemory()`, `CreateRemoteThread()`, `NtAllocateVirtualMemory()`, `NtWriteVirtualMemory()`, and `RtlCreateUserThread()` to enable memory injection of shellcode.(Citation: Kaspersky LODEINFO Part II OCT 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1027", "comment": "[LODEINFO](https://attack.mitre.org/software/S9020) has used control flow flattening to obfuscate code.(Citation: ITOCHU LODEINFO JAN 2024)", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1027.007", "comment": "[LODEINFO](https://attack.mitre.org/software/S9020) can use a hashing algorithm to dynamically resolve API function addresses.(Citation: Kaspersky LODEINFO Part II OCT 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1027.013", "comment": "The [LODEINFO](https://attack.mitre.org/software/S9020) loader module contains XOR-encrypted shellcode.(Citation: Kaspersky LODEINFO OCT 2022)(Citation: Kaspersky LODEINFO Part II OCT 2022)(Citation: ITOCHU LODEINFO JAN 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1027.015", 
"comment": "[LODEINFO](https://attack.mitre.org/software/S9020) components have been compressed with zip for delivery.(Citation: Kaspersky LODEINFO OCT 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1027.016", "comment": "[LODEINFO](https://attack.mitre.org/software/S9020) has inserted junk code to obstruct code analysis.(Citation: ITOCHU LODEINFO JAN 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1566", "showSubtechniques": true}, {"techniqueID": "T1566.001", "comment": "[LODEINFO](https://attack.mitre.org/software/S9020) has been distributed to targeted victims via malicious email attachments.(Citation: Kaspersky LODEINFO OCT 2022)(Citation: ESET MirrorFace DEC 2022)(Citation: ITOCHU LODEINFO JAN 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1057", "comment": "[LODEINFO](https://attack.mitre.org/software/S9020) can kill a process using a specific process ID.(Citation: Kaspersky LODEINFO Part II OCT 2022)(Citation: ITOCHU LODEINFO JAN 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1055", "comment": "[LODEINFO](https://attack.mitre.org/software/S9020) can inject shellcode into the memory of compromised hosts.(Citation: Kaspersky LODEINFO Part II OCT 2022)(Citation: ESET MirrorFace DEC 2022)(Citation: ITOCHU LODEINFO JAN 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1018", "comment": "[LODEINFO](https://attack.mitre.org/software/S9020) can run `net view` and `net view /domain` for network discovery.(Citation: ESET MirrorFace DEC 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1113", "comment": "[LODEINFO](https://attack.mitre.org/software/S9020) has the ability to take screenshots.(Citation: Kaspersky LODEINFO Part II OCT 2022)(Citation: ESET MirrorFace DEC 2022)(Citation: ITOCHU LODEINFO JAN 2024)", "score": 1, "color": "#66b1ff", 
"showSubtechniques": false}, {"techniqueID": "T1539", "comment": "[LODEINFO](https://attack.mitre.org/software/S9020) can list the contents of `%LocalAppData%\\Google\\Chrome\\User Data\\` and `%LocalAppData%\\Microsoft\\Edge\\User Data\\` to obtain cookies.(Citation: ESET MirrorFace DEC 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1082", "comment": "[LODEINFO](https://attack.mitre.org/software/S9020) can discover machine information including OS architecture, the ANSI code page (ACP) identifier, and hostname.(Citation: Kaspersky LODEINFO Part II OCT 2022)(Citation: ITOCHU LODEINFO JAN 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1614", "showSubtechniques": true}, {"techniqueID": "T1614.001", "comment": "[LODEINFO](https://attack.mitre.org/software/S9020) can look for the \u201cen_US\u201d locale on the victim\u2019s machine.(Citation: Kaspersky LODEINFO Part II OCT 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1016", "comment": "[LODEINFO](https://attack.mitre.org/software/S9020) can enumerate the MAC address of the compromised host.(Citation: Kaspersky LODEINFO OCT 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1033", "comment": "[LODEINFO](https://attack.mitre.org/software/S9020) can identify the associated username on targeted machines.(Citation: ITOCHU LODEINFO JAN 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1124", "comment": "[LODEINFO](https://attack.mitre.org/software/S9020) can capture system time to send to the C2.(Citation: Kaspersky LODEINFO Part II OCT 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1204", "showSubtechniques": true}, {"techniqueID": "T1204.002", "comment": "[LODEINFO](https://attack.mitre.org/software/S9020) has been executed via victims opening malicious email attachments.(Citation: Kaspersky 
LODEINFO OCT 2022)(Citation: ESET MirrorFace DEC 2022)(Citation: ITOCHU LODEINFO JAN 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1047", "comment": "[LODEINFO](https://attack.mitre.org/software/S9020) can execute commands with WMI.(Citation: Kaspersky LODEINFO Part II OCT 2022)(Citation: ITOCHU LODEINFO JAN 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by LODEINFO", "color": "#66b1ff"}]}