August 14, 2024 | Ravie Lakshmanan | Threat Intelligence / Cyber Attacks
Since late 2022, the China-backed threat group known as Earth Baku has diversified its targeting range beyond the Indo-Pacific region to include Europe, the Middle East and Africa.
Newly targeted countries in this operation include Italy, Germany, the UAE and Qatar, with suspected attacks also detected in Georgia and Romania. Government, media and communications, telecommunications, technology, healthcare and education are among the sectors singled out in the intrusion set.
“The group has updated its tools, tactics and procedures (TTPs) in recent attacks, leveraging public-facing applications such as IIS servers as attack entry points before deploying advanced malware toolsets into victim environments,” Trend Micro researchers Ted Lee and Teo Chen said in an analysis published last week.
The findings come on the heels of a recent report by Zscaler and Google-owned Mandiant, which also detailed the threat actors' use of malware families such as DodgeBox (aka DUSTPAN) and MoonWalk (aka DUSTTRAP), which Trend Micro has named StealthReacher and SneakCross.
Earth Baku, a threat actor associated with APT41, has been known to use StealthVector since October 2020. The attack chain involves exploiting a public-facing application to drop a Godzilla web shell, which is then used to deliver subsequent payloads.
StealthReacher is classified as an enhanced version of the StealthVector backdoor loader that launches SneakCross, a modular implant that leverages Google services for command and control (C2) communications and is a possible successor to ScrambleCross.
What sets this attack apart is its use of additional post-exploitation tools, namely the Virtual Private Network (VPN) services iox, Rakshasa and Tailscale. Sensitive data is exfiltrated to the MEGA cloud storage service with a command-line utility called MEGAcmd.
“The group has begun covertly launching backdoor components using new loaders such as StealthVector and StealthReacher, and has added SneakCross as its latest modular backdoor,” the researchers said.
“Earth Baku also used several tools in the post-exploitation stage, including customized iox tools, Rakshasa, Tailscale for persistence, and MEGAcmd for efficient data exfiltration.”
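A defender-side hunt for the chain described above (an IIS worker process spawning a shell via a web shell, then the named tunnelling and exfiltration utilities running in that process tree), written as an added example that is not part of the Trend Micro analysis or this article. The Sysmon-like event format and every sample record are constructed, and the tool executable names are assumptions.

```python
"""Hunt for Earth Baku-style post-exploitation in process-creation telemetry:
w3wp.exe (IIS worker) spawning a shell, followed by the article's named
tunnelling/exfiltration tools anywhere below that worker process."""
from collections import defaultdict

# Executable names are assumptions for the tools named in the article.
TUNNEL_TOOLS = {"iox.exe", "rakshasa.exe", "tailscale.exe", "tailscaled.exe"}
EXFIL_TOOLS = {"megacmd.exe", "mega-put.exe", "mega-login.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}

# Constructed sample telemetry: host, pid, parent pid, image path.
EVENTS = [
    {"host": "web01", "pid": 4012, "ppid": 3300, "image": r"C:\Windows\System32\inetsrv\w3wp.exe"},
    {"host": "web01", "pid": 5120, "ppid": 4012, "image": r"C:\Windows\System32\cmd.exe"},
    {"host": "web01", "pid": 5188, "ppid": 5120, "image": r"C:\ProgramData\iox.exe"},
    {"host": "web01", "pid": 5301, "ppid": 5120, "image": r"C:\Users\Public\MEGAcmd\MEGAcmd.exe"},
    {"host": "web02", "pid": 700, "ppid": 600, "image": r"C:\Windows\System32\inetsrv\w3wp.exe"},
    # Admin-installed Tailscale with no IIS ancestor: not flagged by this rule.
    {"host": "web02", "pid": 800, "ppid": 100, "image": r"C:\Program Files\Tailscale\tailscale.exe"},
]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def ancestors(event, by_pid):
    """Yield the parent chain of an event on the same host, guarding against pid cycles."""
    seen = set()
    cur = by_pid.get(event["ppid"])
    while cur and cur["pid"] not in seen:
        seen.add(cur["pid"])
        yield cur
        cur = by_pid.get(cur["ppid"])


def hunt(events):
    """Return (host, pid, reason) tuples for web shell and IIS-descended tool activity."""
    by_host = defaultdict(dict)
    for e in events:
        by_host[e["host"]][e["pid"]] = e
    findings = []
    for e in events:
        img = basename(e["image"])
        chain = [basename(a["image"]) for a in ancestors(e, by_host[e["host"]])]
        if img in SHELLS and chain[:1] == ["w3wp.exe"]:
            findings.append((e["host"], e["pid"], "web shell: IIS worker spawned a shell"))
        elif img in TUNNEL_TOOLS | EXFIL_TOOLS and "w3wp.exe" in chain:
            kind = "tunnel" if img in TUNNEL_TOOLS else "exfil"
            findings.append((e["host"], e["pid"], f"{kind} tool {img} descended from IIS worker"))
    return findings
```

Run against the constructed events, `hunt(EVENTS)` flags the shell, the iox proxy and the MEGAcmd client on web01 and ignores the standalone Tailscale install on web02.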