Earth Baku Using Customized Tools To Maintain Persistence And Steal Data

Earth Baku, an APT actor who initially focused on the Indo-Pacific region, has grown its activities extensively since late 2022.

The group has increased its presence in Europe, the Middle East, and Africa (MEA), having also confirmed engagements in Italy, Germany, UAE and Qatar.

Cybersecurity researchers at Trend Micro recently discovered that Earth Baku has been using customized tools to maintain persistence and steal data.

Free Webinar on Detecting & Blocking Supply Chain Attack -> Book your Spot

Technical Analysis

Earth Baku has revived its methods of operation (MO) upgrading to employ public-facing applications such as Internet Information Services (IIS) servers as the initial point of entry.

After a successful breach, they plant a sophisticated malware stockpile composed of StealthVector and StealthReacher loaders plus SneakCross backdoor which is modular in nature.

Moreover, these countries may be exposed to threats due to observed connections via Georgia to the group’s infrastructure and many downloads containing malware from Romania.

This marks a significant turning point in Earth Baku’s global cyber operations and potential impact.

The targeted sectors included the Government, Media and Communications, Telecom, Technology, Healthcare, and Education, reads the report.

IIS servers are exploited by Earth Baku in recent operations to become an entry point with Godzilla webshell for starting control. After this, the group employs two main loaders:- 

• StealthVector
• StealthReacher

Different backdoor components are launched by a number of StealthVector variants which are updated with AES encryption and code virtualization. SneakCross is a brand new one among these, it is a highly improved version of StealthReacher.

These loaders, moreover, utilize advanced evasion strategies such as DLL hollowing and switching off security features like ETW and CFG.

The latest modular backdoor from Earth Baku called SneakCross makes use of Google services for command-and-control communication and Windows Fibers for detection avoidance.

This suite of highly sophisticated malware also utilizes readily available reverse tunneling tools to gain persistent access while MEGAcmd serves as its exfiltration tool.

Earth Baku’s sophistication in cyber operations has grown over time due to their evolving tactics such as the shift from ScrambleCross to more developed SneakCross.

Here below we have mentioned all the plugins that support various backdoor functions:-

• Shell Operations
• File System Operations
• Process Operations
• Network Probing
• Network Store Interface Operations
• Screen Operations
• System Information Discovery
• File Manipulation Operations
• Keylogger
• Active Directory Operations
• File Uploader
• RDP
• DNS Operations
• DNS Cache Operations
• Registry Operations

The post-exploitation arsenal of Earth Baku shows an advanced method of maintaining access and getting data out.

For persistence, a variety of reverse tunneling tools are used including customized iox with fewer parameters and -ggg flag (an adapted version), multi-level proxying, and inner network penetration through Go-based Rakshasa, Tailscale VPN as the compromised systems become part of their virtual network making it hard to be traced back.

MEGAcmd is used for data exfiltration as well as MEGA cloud storage for fast uploads of large volumes of data.

These advanced tactics are also coupled by a wider geographical coverage by Earth Baku that has expanded its influence from the Indian and Pacific Ocean region towards Europe and Middle East Africa (MEA).

Recommendations

Here below we have mentioned all the recommendations:-

• Always implement the principle of least privilege.
• Make sure to address the security gaps.
• Develop a proactive incident response strategy.
• Make sure to maintain at least three backup copies of corporate data.

Are you from SOC and DFIR Teams? Analyse Malware Incidents & get live Access with ANY.RUN -> Get 14 Days Free Acces