
Government and telecommunications organizations in Southeast Asia have been targeted since June 2024 by a "sophisticated" campaign attributed to a newly identified Advanced Persistent Threat (APT) group tracked as Earth Kurma.
Trend Micro says the attacks use custom malware, rootkits and cloud storage services for data exfiltration. The Philippines, Vietnam, Thailand and Malaysia are among the prominent targets.
"This campaign poses high business risks through targeted espionage, credential theft, a persistent foothold established via kernel-level rootkits, and data exfiltration via trusted cloud platforms," security researchers Nick Dai and Sunny Lu said in an analysis published last week.
The threat actor's activity dates back to November 2020, with intrusions relying primarily on services such as Dropbox and Microsoft OneDrive, and on tools such as TESDAT and SIMPOBOXSPY, to exfiltrate data.
Two other notable malware families in the arsenal are the rootkits KRNRAT and Moriya. The latter was previously observed in attacks against high-profile organizations in Asia and Africa as part of an espionage campaign called TunnelSnake.

Trend Micro also said that SIMPOBOXSPY and the exfiltration scripts used in the attacks overlap with those of another APT group called ToddyCat. However, a definitive attribution remains inconclusive.
It is currently not known how the threat actors gain initial access to their target environments. The initial foothold is then abused to scan the network and perform lateral movement using a variety of tools such as NBTSCAN, LADON, FRPC, WMIHACKER and ICMPINGER. Also deployed is a keylogger called KMLOG to harvest credentials.
It is worth noting that the use of the open-source Ladon framework has previously been attributed to a China-linked hacking group known as TA428 (aka Vicious Panda).
Host persistence is achieved through three different loader strains called DUNLOADER, TESDAT and DMLOADER, which load and run the next-stage payload in memory. These payloads consist of Cobalt Strike beacons, the rootkits KRNRAT and Moriya, and data exfiltration malware.

What distinguishes these attacks is the use of living-off-the-land (LotL) techniques: the rootkits are installed through legitimate system tools and features, in this case syssetup.dll, rather than by introducing malware that could be easily detected.
While Moriya is designed to inspect incoming TCP packets for malicious payloads and inject shellcode into a newly spawned "svchost.exe" process, KRNRAT is a fusion of five different open-source projects with capabilities for process manipulation, file hiding, shellcode execution, and command-and-control.
KRNRAT, like Moriya, is designed to load the rootkit's user-mode agent and inject it into "svchost.exe". The user-mode agent acts as a backdoor that retrieves subsequent payloads from the C2 server.

"Before exfiltrating the files, some commands executed by the loader TESDAT collected specific document files with the extensions .pdf, .doc, .docx, .xls, .xlsx and .pptx," Trend Micro said. "The documents are first placed in a newly created folder named 'TMP'. This is then archived using WinRAR with a specific password."
One of the bespoke tools used to exfiltrate the data is SIMPOBOXSPY, which can upload RAR archives to Dropbox using a specified access token. According to a report by Kaspersky in October 2023, the generic Dropbox uploader is "probably not used exclusively by ToddyCat."
Another program used for the same purpose, ODRIZ, uploads the collected information to OneDrive by taking the OneDrive refresh token as an input parameter.
"Earth Kurma is highly active and continues to target countries across Southeast Asia," Trend Micro said. "They have the ability to adapt to their victims' environments and maintain a stealthy presence."
"They can also customize their toolsets by reusing the same codebase from previously identified campaigns, and sometimes they leverage the victims' infrastructure to achieve their goals."