Pierluigi Paganini
March 19, 2024
Trend Micro researchers uncovered a sophisticated campaign conducted by a threat actor tracked as Earth Krahang while investigating the activity of China-linked APT Earth Lusca.
The campaign seems active since at least early 2022 and focuses primarily on government organizations.
The APT group was spotted exploiting public-facing servers, it was observed sending spear phishing emails to deliver previously undetected backdoors.
The group often exploited access to government infrastructure to target other government entities. The threat actors used this infrastructure to host malicious payloads, proxy attack traffic, and send spear-phishing emails to government-related targets, leveraging compromised government email accounts. The APT group also established access into victims’ private networks by creating VPN servers on compromised public-facing servers and conducting brute-force attacks to obtain email credentials. Then the attackers used these credentials to steal victim emails.
The group appears to be politically motivated and acting for cyberespionage purposes.
In many attacks, the group scanned public-facing servers with open-source scanning tools.
Earth Krahang was observed exploiting the following vulnerabilities to deploy webshells on target servers and gain a foothold within victim networks:
The spear-phishing messages used by the attackers are designed to deceive victims into opening attachments or clicking on embedded URL links, which ultimately result in the deployment of a backdoor on the victim’s machine. Analysis of the backdoors uploaded on VirusTotal revealed that threat actors utilized geopolitical topics as bait.
Earth Krahang was observed retrieving hundreds of email addresses from their targets during the reconnaissance phase. In one instance, the threat actors used a compromised mailbox from a government entity to send a malicious attachment to 796 email addresses belonging to the same entity.
“Earth Krahang abuses the trust between governments to conduct their attacks. We found that the group frequently uses compromised government webservers to host their backdoors and send download links to other government entities via spear phishing emails. Since the malicious link uses a legitimate government domain of the compromised server, it will appear less suspicious to targets and may even bypass some domain blacklists.” reads the analysis published by Trend Micro.
“In addition, the actor used a compromised government email account to send email to other governments.”
Trend Micro reported that Earth Krahang carried out brute force attacks on Exchange servers through their Outlook Web Access (OWA) portals belonging to its victims. The attackers use a list of common passwords to test the email accounts on the target’s email server. The researchers also observed the APT group using a custom Python script to carry out brute-forcing activity against the ActiveSync service on the OWA server.
Trend Micro also discovered a Python script used to exfiltrate emails from Zimbra servers.
Once obtained access to the target network, Eath Krahang deployed multiple malware and tools, including the post-exploitation tool Cobalt Strike, and the custom backdoors RESHELL and XDealer.
“Since 2023, the Earth Krahang shifted to another backdoor (named XDealer by TeamT5 and DinodasRAT by ESET). Compared to RESHELL, XDealer provides more comprehensive backdoor capabilities. In addition, we found that the threat actor employed both Windows and Linux versions of XDealer to target different systems.” continues the report.
Trend Micro identified 70 victims from 23 different countries. The experts believe that the APT group compromised or targeted organizations in 45 different countries, most of them in Asia and America, but also in Europe and Africa.
“Our previous report suggests Earth Lusca might be the penetration team behind the Chinese company I-Soon, which had their information leaked on GitHub recently. Using this leaked information, we found that the company organized their penetration team into two different subgroups.” concludes the report. “This could be the possible reason why we saw two independent clusters of activities active in the wild but with limited association. Earth Krahang could be another penetration team under the same company.”
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, APT)
