Hackers Abuse Security Software to Infect Machines With LODEINFO Malware

plat

Thread author
Sep 13, 2018
Starting in March 2022, Kaspersky noticed that the APT10 attacks in Japan used a new infection vector, including a spear-phishing email, a self-extracting (SFX) RAR file, and the abuse of a DLL side-loading flaw in security software.

The RAR archive contains the legitimate K7Security Suite software executable, NRTOLD.exe, and a malicious DLL named K7SysMn1.dll. When NRTOLD.exe is executed, it will attempt to load the legitimate K7SysMn1.dll file that is normally included in the software suite.

However, the executable does not look for the DLL in a specific folder and thus allows malware developers to create a malicious DLL using the same name as K7SysMn1.dll.
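As an added defender-side example (not part of the post, the article it quotes, or the vendor's software), the check below runs over constructed Sysmon Event ID 7 (ImageLoad) records and flags NRTOLD.exe loading a K7SysMn1.dll from outside an assumed vendor install directory, or one that is not validly signed. The install paths, the temp folder and the sample events are assumptions.

```python
import json
import ntpath

# Assumed install directories for the legitimate K7 suite (assumption, not from the post;
# replace with the real install path used in your environment).
TRUSTED_DIRS = (r"c:\program files (x86)\k7 computing", r"c:\program files\k7 computing")
HOST_EXE = "nrtold.exe"          # signed host executable named in the post
SIDELOAD_DLL = "k7sysmn1.dll"    # DLL name the host resolves without a fixed path


def is_suspicious_load(event: dict) -> bool:
    """True when a Sysmon ImageLoad record shows NRTOLD.exe loading a K7SysMn1.dll
    that sits outside the trusted install directory or lacks a valid signature."""
    if event.get("EventID") != 7:
        return False
    image = event.get("Image", "").lower()
    loaded = event.get("ImageLoaded", "").lower()
    if ntpath.basename(image) != HOST_EXE or ntpath.basename(loaded) != SIDELOAD_DLL:
        return False
    in_trusted_dir = any(ntpath.dirname(loaded).startswith(d) for d in TRUSTED_DIRS)
    signed_ok = (event.get("Signed", "false").lower() == "true"
                 and event.get("SignatureStatus", "").lower() == "valid")
    # A legitimate load is both in the vendor directory and validly signed.
    return not (in_trusted_dir and signed_ok)


def find_sideloads(jsonl: str) -> list:
    """Parse JSON-lines Sysmon records and return the suspicious ImageLoad events."""
    events = (json.loads(line) for line in jsonl.splitlines() if line.strip())
    return [e for e in events if is_suspicious_load(e)]


# Constructed sample records: one legitimate load, one side-load from an SFX
# extraction folder, and one unrelated image load.
SAMPLE_EVENTS = r"""
{"EventID": 7, "Image": "C:\\Program Files (x86)\\K7 Computing\\NRTOLD.exe", "ImageLoaded": "C:\\Program Files (x86)\\K7 Computing\\K7SysMn1.dll", "Signed": "true", "Signature": "K7 Computing Pvt Ltd", "SignatureStatus": "Valid"}
{"EventID": 7, "Image": "C:\\Users\\victim\\AppData\\Local\\Temp\\RarSFX0\\NRTOLD.exe", "ImageLoaded": "C:\\Users\\victim\\AppData\\Local\\Temp\\RarSFX0\\K7SysMn1.dll", "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable"}
{"EventID": 7, "Image": "C:\\Windows\\System32\\notepad.exe", "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll", "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"}
"""

if __name__ == "__main__":
    for hit in find_sideloads(SAMPLE_EVENTS):
        print("possible side-load:", hit["Image"], "->", hit["ImageLoaded"])
```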