Aug 14, 2024 | Ravie Lakshmanan | Threat Intelligence / Cyber Attack
The China-backed threat actor known as Earth Baku has expanded its target range beyond the Indo-Pacific region, encompassing Europe, the Middle East, and Africa since late 2022.
Countries newly identified among its targets include Italy, Germany, the U.A.E., and Qatar, with suspected incidents also reported in Georgia and Romania. Sectors such as government, media, telecommunications, technology, healthcare, and education are among those targeted by Earth Baku.
“In recent campaigns, the group has upgraded its tools, tactics, and procedures (TTPs), utilizing public-facing applications like IIS servers to launch attacks, followed by deploying sophisticated malware toolsets within the victim’s network,” noted Trend Micro researchers Ted Lee and Theo Chen in a recent analysis.
The latest findings build upon reports from Zscaler and Mandiant detailing Earth Baku's use of the malware families DodgeBox (aka DUSTPAN) and MoonWalk (aka DUSTTRAP), which Trend Micro tracks as StealthReacher and SneakCross, respectively.
Earth Baku, affiliated with APT41, has a history of employing StealthVector since October 2020. Their attack chains involve exploiting public-facing applications to deploy the Godzilla web shell, which then delivers subsequent payloads.
StealthReacher is described as an evolved version of the StealthVector backdoor loader and is responsible for launching SneakCross, a modular implant believed to be the successor to ScrambleCross. SneakCross uses Google services for its command-and-control (C2) communication.
These attacks also involve the use of post-exploitation tools like iox, Rakshasa, and the VPN service Tailscale. Sensitive data is then exfiltrated to MEGA cloud storage using the command-line utility MEGAcmd.
“Earth Baku has integrated new loaders like StealthVector and StealthReacher to discreetly deploy backdoor components, along with introducing SneakCross as their latest modular backdoor,” highlighted the researchers.
“Additionally, they utilized various tools for post-exploitation, including a customized iox tool, Rakshasa, TailScale for persistence, and MEGAcmd for efficient data exfiltration.”
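The post-exploitation and exfiltration tooling named in the report (a web shell on an IIS server, MEGAcmd, Tailscale, iox, Rakshasa) maps directly onto process-creation telemetry. The following hunting script is an added illustration, not Trend Micro's code or any published rule; the binary names, the JSON event shape and the sample events are constructed assumptions to be tuned against local telemetry.

```python
"""Hunt process-creation events for the tooling attributed to Earth Baku.
Added example; log events below are constructed, not from any real incident."""
import json
import re
from dataclasses import dataclass

# Assumed on-disk filenames for the tools named in the reporting.
EXFIL_TOOLS = {"megacmd.exe", "megacmdserver.exe", "megaclient.exe"}
# Tailscale is legitimate software: allow-list sanctioned installs to cut noise.
TUNNEL_TOOLS = {"tailscale.exe", "tailscaled.exe", "iox.exe", "rakshasa.exe"}
IIS_WORKER = "w3wp.exe"
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}


@dataclass
class Finding:
    rule: str
    host: str
    image: str


def basename(path: str) -> str:
    """Lower-cased final path component, tolerant of either separator."""
    return re.split(r"[\\/]", path.lower())[-1]


def hunt(lines):
    """Return one Finding per matching event, in event order."""
    findings = []
    for line in lines:
        ev = json.loads(line)
        image = basename(ev.get("image", ""))
        parent = basename(ev.get("parent_image", ""))
        host = ev.get("host", "?")
        # Web shell indicator: the IIS worker process spawning a shell.
        if parent == IIS_WORKER and image in SHELLS:
            findings.append(Finding("iis_worker_spawned_shell", host, image))
        if image in EXFIL_TOOLS:
            findings.append(Finding("megacmd_execution", host, image))
        if image in TUNNEL_TOOLS:
            findings.append(Finding("tunnel_tool_execution", host, image))
    return findings


# Constructed sample events (one JSON object per line).
SAMPLE_EVENTS = [
    json.dumps({"host": "web01", "parent_image": r"C:\Windows\System32\inetsrv\w3wp.exe", "image": r"C:\Windows\System32\cmd.exe"}),
    json.dumps({"host": "web01", "parent_image": r"C:\Windows\explorer.exe", "image": r"C:\Users\svc\AppData\Local\MEGAcmd\MEGAcmd.exe"}),
    json.dumps({"host": "fs02", "parent_image": r"C:\Windows\System32\services.exe", "image": r"C:\Program Files\Tailscale\tailscaled.exe"}),
    json.dumps({"host": "ws03", "parent_image": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\notepad.exe"}),
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

The first rule is the highest-signal one: an IIS worker process has no business launching cmd.exe or PowerShell, whereas the tool-name rules need allow-listing for sanctioned Tailscale deployments.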