Saturday, September 7, 2024
HomeCyber AttackEarth Baku Using Customized Tools To Maintain Persistence And Steal Data

Earth Baku Using Customized Tools To Maintain Persistence And Steal Data

Published on

Earth Baku, an APT actor who initially focused on the Indo-Pacific region, has grown its activities extensively since late 2022.

The group has increased its presence in Europe, the Middle East, and Africa (MEA), having also confirmed engagements in Italy, Germany, UAE and Qatar.

Cybersecurity researchers at Trend Micro recently discovered that Earth Baku has been using customized tools to maintain persistence and steal data.

- Advertisement - EHA

Free Webinar on Detecting & Blocking Supply Chain Attack -> Book your Spot

Technical Analysis

Earth Baku has revived its methods of operation (MO) upgrading to employ public-facing applications such as Internet Information Services (IIS) servers as the initial point of entry.

After a successful breach, they plant a sophisticated malware stockpile composed of StealthVector and StealthReacher loaders plus SneakCross backdoor which is modular in nature.

Moreover, these countries may be exposed to threats due to observed connections via Georgia to the group’s infrastructure and many downloads containing malware from Romania.

This marks a significant turning point in Earth Baku’s global cyber operations and potential impact.

The targeted sectors included the Government, Media and Communications, Telecom, Technology, Healthcare, and Education, reads the report.

IIS servers are exploited by Earth Baku in recent operations to become an entry point with Godzilla webshell for starting control. After this, the group employs two main loaders:- 

  • StealthVector
  • StealthReacher

Different backdoor components are launched by a number of StealthVector variants which are updated with AES encryption and code virtualization. SneakCross is a brand new one among these, it is a highly improved version of StealthReacher.

Infection vector (Source – Trend Micro)

These loaders, moreover, utilize advanced evasion strategies such as DLL hollowing and switching off security features like ETW and CFG.

The latest modular backdoor from Earth Baku called SneakCross makes use of Google services for command-and-control communication and Windows Fibers for detection avoidance.

This suite of highly sophisticated malware also utilizes readily available reverse tunneling tools to gain persistent access while MEGAcmd serves as its exfiltration tool.

Earth Baku’s sophistication in cyber operations has grown over time due to their evolving tactics such as the shift from ScrambleCross to more developed SneakCross.

Here below we have mentioned all the plugins that support various backdoor functions:-

  • Shell Operations
  • File System Operations
  • Process Operations
  • Network Probing
  • Network Store Interface Operations
  • Screen Operations
  • System Information Discovery
  • File Manipulation Operations
  • Keylogger
  • Active Directory Operations
  • File Uploader
  • RDP
  • DNS Operations
  • DNS Cache Operations
  • Registry Operations

The post-exploitation arsenal of Earth Baku shows an advanced method of maintaining access and getting data out.

For persistence, a variety of reverse tunneling tools are used including customized iox with fewer parameters and -ggg flag (an adapted version), multi-level proxying, and inner network penetration through Go-based Rakshasa, Tailscale VPN as the compromised systems become part of their virtual network making it hard to be traced back.

MEGAcmd is used for data exfiltration as well as MEGA cloud storage for fast uploads of large volumes of data.

These advanced tactics are also coupled by a wider geographical coverage by Earth Baku that has expanded its influence from the Indian and Pacific Ocean region towards Europe and Middle East Africa (MEA).

Recommendations

Here below we have mentioned all the recommendations:-

  • Always implement the principle of least privilege.
  • Make sure to address the security gaps.
  • Develop a proactive incident response strategy.
  • Make sure to maintain at least three backup copies of corporate data.

Are you from SOC and DFIR Teams? Analyse Malware Incidents & get live Access with ANY.RUN -> Get 14 Days Free Acces

Tushar Subhra
Tushar Subhra
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Latest articles

BBTok Abuses Legitimate Windows Utility Command Tool to Stay Undetected

Cybercriminals in Latin America have increased their use of phishing scams targeting business transactions...

Predator Spyware Exploiting “one-click” & “zero-click” Flaws

Recent research indicates that the Predator spyware, once thought to be inactive due to...

Tropic Trooper Attacks Government Organizations to Steal Sensitive Data

Tropic Trooper (aka KeyBoy, Pirate Panda, and APT23) is a sophisticated cyberespionage APT group,...

NoiseAttack is a Novel Backdoor That Uses Power Spectral Density For Evasion

NoiseAttack is a new method of secretly attacking deep learning models. It uses triggers...

Free Webinar

Decoding Compliance | What CISOs Need to Know

Non-compliance can result in substantial financial penalties, with average fines reaching up to $4.5 million for GDPR breaches alone.

Join us for an insightful panel discussion with Chandan Pani, CISO - LTIMindtree and Ashish Tandon, Founder & CEO – Indusface, as we explore the multifaceted role of compliance in securing modern enterprises.

Discussion points

The Role of Compliance
The Alphabet Soup of Compliance
Compliance
SaaS and Compliance
Indusface's Approach to Compliance

More like this

Predator Spyware Exploiting “one-click” & “zero-click” Flaws

Recent research indicates that the Predator spyware, once thought to be inactive due to...

Researchers Unpacked AvNeutralizer EDR Killer Used By FIN7 Group

FIN7 (aka Carbon Spider, ELBRUS, Sangria Tempest) is a Russian APT group that is...

Lazarus Hackers Attacking Job-Seekers to Deliver Javascript Malware

The Lazarus Group is one of the most notorious hacker groups linked to the...