Earth Baku, an APT actor who initially focused on the Indo-Pacific region, has grown its activities extensively since late 2022.
The group has increased its presence in Europe, the Middle East, and Africa (MEA), having also confirmed engagements in Italy, Germany, UAE and Qatar.
Cybersecurity researchers at Trend Micro recently discovered that Earth Baku has been using customized tools to maintain persistence and steal data.
Free Webinar on Detecting & Blocking Supply Chain Attack -> Book your Spot
Earth Baku has revived its methods of operation (MO) upgrading to employ public-facing applications such as Internet Information Services (IIS) servers as the initial point of entry.
After a successful breach, they plant a sophisticated malware stockpile composed of StealthVector and StealthReacher loaders plus SneakCross backdoor which is modular in nature.
Moreover, these countries may be exposed to threats due to observed connections via Georgia to the group’s infrastructure and many downloads containing malware from Romania.
This marks a significant turning point in Earth Baku’s global cyber operations and potential impact.
The targeted sectors included the Government, Media and Communications, Telecom, Technology, Healthcare, and Education, reads the report.
IIS servers are exploited by Earth Baku in recent operations to become an entry point with Godzilla webshell for starting control. After this, the group employs two main loaders:-
Different backdoor components are launched by a number of StealthVector variants which are updated with AES encryption and code virtualization. SneakCross is a brand new one among these, it is a highly improved version of StealthReacher.
These loaders, moreover, utilize advanced evasion strategies such as DLL hollowing and switching off security features like ETW and CFG.
The latest modular backdoor from Earth Baku called SneakCross makes use of Google services for command-and-control communication and Windows Fibers for detection avoidance.
This suite of highly sophisticated malware also utilizes readily available reverse tunneling tools to gain persistent access while MEGAcmd serves as its exfiltration tool.
Earth Baku’s sophistication in cyber operations has grown over time due to their evolving tactics such as the shift from ScrambleCross to more developed SneakCross.
Here below we have mentioned all the plugins that support various backdoor functions:-
The post-exploitation arsenal of Earth Baku shows an advanced method of maintaining access and getting data out.
For persistence, a variety of reverse tunneling tools are used including customized iox with fewer parameters and -ggg flag (an adapted version), multi-level proxying, and inner network penetration through Go-based Rakshasa, Tailscale VPN as the compromised systems become part of their virtual network making it hard to be traced back.
MEGAcmd is used for data exfiltration as well as MEGA cloud storage for fast uploads of large volumes of data.
These advanced tactics are also coupled by a wider geographical coverage by Earth Baku that has expanded its influence from the Indian and Pacific Ocean region towards Europe and Middle East Africa (MEA).
Here below we have mentioned all the recommendations:-
Are you from SOC and DFIR Teams? Analyse Malware Incidents & get live Access with ANY.RUN -> Get 14 Days Free Acces
Recent research has revealed that a Russian advanced persistent threat (APT) group, tracked as "GruesomeLarch"…
Microsoft's Digital Crimes Unit (DCU) has disrupted a significant phishing-as-a-service (PhaaS) operation run by Egypt-based…
The Russian threat group TAG-110, linked to BlueDelta (APT28), is actively targeting organizations in Central…
Earth Kasha, a threat actor linked to APT10, has expanded its targeting scope to India,…
Raspberry Robin, a stealthy malware discovered in 2021, leverages advanced obfuscation techniques to evade detection…
Critical infrastructure, the lifeblood of modern society, is under increasing threat as a new report…