Saturday, January 18, 2025
HomeCyber AttackEarth Baku Using Customized Tools To Maintain Persistence And Steal Data

Earth Baku Using Customized Tools To Maintain Persistence And Steal Data

Published on

SIEM as a Service

Follow Us on Google News

Earth Baku, an APT actor who initially focused on the Indo-Pacific region, has grown its activities extensively since late 2022.

The group has increased its presence in Europe, the Middle East, and Africa (MEA), having also confirmed engagements in Italy, Germany, UAE and Qatar.

Cybersecurity researchers at Trend Micro recently discovered that Earth Baku has been using customized tools to maintain persistence and steal data.

Free Webinar on Detecting & Blocking Supply Chain Attack -> Book your Spot

Technical Analysis

Earth Baku has revived its methods of operation (MO) upgrading to employ public-facing applications such as Internet Information Services (IIS) servers as the initial point of entry.

After a successful breach, they plant a sophisticated malware stockpile composed of StealthVector and StealthReacher loaders plus SneakCross backdoor which is modular in nature.

Moreover, these countries may be exposed to threats due to observed connections via Georgia to the group’s infrastructure and many downloads containing malware from Romania.

This marks a significant turning point in Earth Baku’s global cyber operations and potential impact.

The targeted sectors included the Government, Media and Communications, Telecom, Technology, Healthcare, and Education, reads the report.

IIS servers are exploited by Earth Baku in recent operations to become an entry point with Godzilla webshell for starting control. After this, the group employs two main loaders:- 

  • StealthVector
  • StealthReacher

Different backdoor components are launched by a number of StealthVector variants which are updated with AES encryption and code virtualization. SneakCross is a brand new one among these, it is a highly improved version of StealthReacher.

Infection vector (Source – Trend Micro)

These loaders, moreover, utilize advanced evasion strategies such as DLL hollowing and switching off security features like ETW and CFG.

The latest modular backdoor from Earth Baku called SneakCross makes use of Google services for command-and-control communication and Windows Fibers for detection avoidance.

This suite of highly sophisticated malware also utilizes readily available reverse tunneling tools to gain persistent access while MEGAcmd serves as its exfiltration tool.

Earth Baku’s sophistication in cyber operations has grown over time due to their evolving tactics such as the shift from ScrambleCross to more developed SneakCross.

Here below we have mentioned all the plugins that support various backdoor functions:-

  • Shell Operations
  • File System Operations
  • Process Operations
  • Network Probing
  • Network Store Interface Operations
  • Screen Operations
  • System Information Discovery
  • File Manipulation Operations
  • Keylogger
  • Active Directory Operations
  • File Uploader
  • RDP
  • DNS Operations
  • DNS Cache Operations
  • Registry Operations

The post-exploitation arsenal of Earth Baku shows an advanced method of maintaining access and getting data out.

For persistence, a variety of reverse tunneling tools are used including customized iox with fewer parameters and -ggg flag (an adapted version), multi-level proxying, and inner network penetration through Go-based Rakshasa, Tailscale VPN as the compromised systems become part of their virtual network making it hard to be traced back.

MEGAcmd is used for data exfiltration as well as MEGA cloud storage for fast uploads of large volumes of data.

These advanced tactics are also coupled by a wider geographical coverage by Earth Baku that has expanded its influence from the Indian and Pacific Ocean region towards Europe and Middle East Africa (MEA).

Recommendations

Here below we have mentioned all the recommendations:-

  • Always implement the principle of least privilege.
  • Make sure to address the security gaps.
  • Develop a proactive incident response strategy.
  • Make sure to maintain at least three backup copies of corporate data.

Are you from SOC and DFIR Teams? Analyse Malware Incidents & get live Access with ANY.RUN -> Get 14 Days Free Acces

Tushar Subhra
Tushar Subhra
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Latest articles

Hackers Easily Bypass Active Directory Group Policy to Allow Vulnerable NTLMv1 Auth Protocol

Researchers have discovered a critical flaw in Active Directory’s NTLMv1 mitigation strategy, where misconfigured...

AWS Warns of Multiple Vulnerabilities in Amazon WorkSpaces, Amazon AppStream 2.0, & Amazon DCV

Amazon Web Services (AWS) has issued a critical security advisory highlighting vulnerabilities in specific...

FlowerStorm PaaS Platform Attacking Microsoft Users With Fake Login Pages

Rockstar2FA is a PaaS kit that mimics the legitimate credential-request behavior of cloud/SaaS platforms....

New Tool Unveiled to Scan Hacking Content on Telegram

A Russian software developer, aided by the National Technology Initiative, has introduced a groundbreaking...

API Security Webinar

Free Webinar - DevSecOps Hacks

By embedding security into your CI/CD workflows, you can shift left, streamline your DevSecOps processes, and release secure applications faster—all while saving time and resources.

In this webinar, join Phani Deepak Akella ( VP of Marketing ) and Karthik Krishnamoorthy (CTO), Indusface as they explores best practices for integrating application security into your CI/CD workflows using tools like Jenkins and Jira.

Discussion points

Automate security scans as part of the CI/CD pipeline.
Get real-time, actionable insights into vulnerabilities.
Prioritize and track fixes directly in Jira, enhancing collaboration.
Reduce risks and costs by addressing vulnerabilities pre-production.

More like this

Hackers Deploy Web Shell To Abuse IIS Worker And Exfiltrate Data

An attacker exploited a vulnerability in the batchupload.aspx and email_settings.aspx pages on the target...

New Botnet Exploiting DNS Records Misconfiguration To Deliver Malware

Botnets are the networks of compromised devices that have evolved significantly since the internet's...

Thousands of PHP-based Web Applications Exploited to Deploy Malware

A significant cybersecurity threat has emerged, threatening the integrity of thousands of PHP-based web...