Trend Micro researchers report on a new APT Earth Krahang cyber espionage campaign targeting 70 government agencies in 23 countries

Teacher

Trend Micro researchers report on a new APT Earth Krahang cyber espionage campaign targeting 70 government agencies in 23 countries, with a particular focus on Southeast Asia, but also targeting Europe, the Americas, and Africa.

One of the attacker's favorite tactics involves using malicious access to government infrastructure to attack other government agencies.

By abusing this access, Earth Krahang hosts malicious payloads, proxies attack traffic, and sends phishing emails with attachments or embedded URL links from compromised accounts.

The subsequent chain included Cobalt Strike and two special backdoors, RESHELL and XDealer.

RESHELL is a simple .NET backdoor that can collect information, upload files, or execute system commands. Its binaries are packed with ConfuserEx, and its data exchange with the C2 server is encrypted using AES.

Since 2023, Earth Krahang has moved to another backdoor with more extensive capabilities (called XDealer by TeamT5 and DinodasRAT by ESET), targeting Windows and Linux systems. Moreover, the backdoor is still under active development.

It is worth noting that many early XDealer samples were developed as a DLL file packaged with the installer, a Stealer module DLL, a text file containing an identifier string, and an LNK file.

The LNK file launches the installer, which then installs the XDealer DLL and the Stealer module DLL on the victim's computer. The Stealer module can take screenshots, steal clipboard data, and log keystrokes.

Moreover, some of the XDealer DLL loaders were signed with valid code signing certificates issued by GlobalSign to two Chinese companies.

Cobalt Strike was also often used in the initial stage of the attack. At the same time, Earth Krahang added extra protection to its C2 server by using the open source project RedGuard.

Earth Krahang also sets up VPN servers (SoftEther) on compromised public servers to access victims' networks, brute-force email credentials, and steal correspondence.

It uses sqlmap, kernel, xray, vscan, pocsuite, and wordpressscan to scan and gain access to servers.

Using telemetry data, the researchers also found that the attacker hosted PlugX and ShadowPad samples in the victims' environments.

The investigation revealed numerous links between Earth Krahang and Earth Lusca, which may indicate that the two intrusion groups are controlled by the same attacker.