Friday, January 24, 2025
HomeCyber AttackEarth Kasha Upgraded Their Arsenal With New Tactics To Attack Organizations

Earth Kasha Upgraded Their Arsenal With New Tactics To Attack Organizations

Published on

SIEM as a Service

Follow Us on Google News

Earth Kasha, a threat actor linked to APT10, has expanded its targeting scope to India, Taiwan, and Japan, leveraging spear-phishing and exploiting vulnerabilities in public-facing applications like SSL-VPN and file storage services. 

The group has deployed various backdoors, including Cobalt Strike, LODEINFO, and the newly discovered NOOPDOOR, to maintain persistent access to compromised networks, which pose a significant threat to organizations in the targeted regions, particularly those in advanced technology and government sectors. 

 overview of relationships of Earth Kasha

It initially compromised systems using legitimate Microsoft tools to gather system information and domain credentials, then employed custom malware, MirrorStealer, to steal stored credentials from various applications and abused VSSAdmin to dump sensitive system files from Active Directory servers.

Leveraging 2024 MITRE ATT&CK Results for SME & MSP Cybersecurity Leaders – Attend Free Webinar

After gaining domain admin privileges, they deployed backdoors to facilitate lateral movement and data exfiltration, which was achieved through both backdoor channels and direct file transfers over RDP sessions.

 Execution flow of GOSICLOADER

By employing a multi-pronged approach in their recent campaign, it leverages a combination of Cobalt Strike, LODEINFO, and the novel NOOPDOOR backdoor.

Cobalt Strike, likely a cracked version, was deployed via GOSICLOADER, a Go-based shellcode loader. 

LODEINFO, a long-standing tool for Earth Kasha, underwent significant updates, including new backdoor commands and a refined execution mechanism involving DLL side-loading and digital signature abuse. 

The emergence of LODEINFOLDR Type 2, similar to the loader used in the LiberalFace campaign, suggests a potential connection between the two incidents.

 Watermark and its hash in CSAgent

The NOOPLDR is a backdoor delivered via two distinct loaders: an XML/C# loader executed by MSBuild and a DLL loader leveraging DLL Side-Loading. Both loaders employ similar decryption and persistence techniques, utilizing device ID-based encryption. 

The XML/C# loader stores the encrypted payload in the registry for persistence, while the DLL loader uses a combination of file-based and registry-based persistence. 

Both loaders inject the decrypted payload into legitimate processes, while the DLL loader adds an extra layer of obfuscation with control flow obfuscation and junk code.

 Example of NOOPLDR

NOOPDOOR, a sophisticated backdoor, operates in active and passive modes, where in active mode, it polls a daily-changing C&C server using a DGA, while in passive mode, it listens on port 47000 for incoming commands. 

It supports various built-in functions and can load additional modules, enabling diverse malicious activities by leveraging HTTP proxies, firewall manipulation, and file-based module storage for persistence and stealth.

DGA generation using “word” as the placeholder

Earth Kasha, a state-sponsored actor, is leveraging spear-phishing and exploiting public-facing applications to compromise targets by deploying malware like MirrorStealer to steal credentials from browsers, email clients, and servers. 

Post-exploitation, they abuse scheduled tasks for persistence and use LOLBins for lateral movement. Overlaps in TTPs with other APT10-linked groups suggest resource sharing or potential 0-day vulnerability sharing within the ecosystem.

It is a China-nexus threat actor and has recently launched a new campaign leveraging updated LODEINFO malware, which shares significant similarities with previous LODEINFO and A41APT operations.

TrendMicro’s analysis indicates a broader trend of China-nexus groups potentially cooperating, sharing 0-day vulnerabilities, and utilizing sophisticated tactics to evade detection.

Are you from SOC/DFIR Teams? – Analyse Malware & Phishing with ANY.RUN -> Try for Free

Aman Mishra
Aman Mishra
Aman Mishra is a Security and privacy Reporter covering various data breach, cyber crime, malware, & vulnerability.

Latest articles

Subaru’s STARLINK Connected Car’s Vulnerability Let Attackers Gain Restricted Access

In a groundbreaking discovery on November 20, 2024, cybersecurity researchers Shubham Shah and a...

Android Kiosk Tablets Vulnerability Let Attackers Control AC & Lights

A security flaw found in Android-based kiosk tablets at luxury hotels has exposed a...

CISA Releases Six ICS Advisories Details Security Issues

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued six Industrial Control Systems (ICS)...

Juniper Routers Exploited via Magic Packet Vulnerability to Deploy Custom Backdoor

A sophisticated cyber campaign dubbed "J-magic" has been discovered targeting enterprise-grade Juniper routers with...

API Security Webinar

Free Webinar - DevSecOps Hacks

By embedding security into your CI/CD workflows, you can shift left, streamline your DevSecOps processes, and release secure applications faster—all while saving time and resources.

In this webinar, join Phani Deepak Akella ( VP of Marketing ) and Karthik Krishnamoorthy (CTO), Indusface as they explores best practices for integrating application security into your CI/CD workflows using tools like Jenkins and Jira.

Discussion points

Automate security scans as part of the CI/CD pipeline.
Get real-time, actionable insights into vulnerabilities.
Prioritize and track fixes directly in Jira, enhancing collaboration.
Reduce risks and costs by addressing vulnerabilities pre-production.

More like this

Android Kiosk Tablets Vulnerability Let Attackers Control AC & Lights

A security flaw found in Android-based kiosk tablets at luxury hotels has exposed a...

CISA Releases Six ICS Advisories Details Security Issues

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued six Industrial Control Systems (ICS)...

Beware of Fake Captcha Verifications Spreading Lumma Malware

In January, Netskope Threat Labs uncovered a sophisticated global malware campaign leveraging fake CAPTCHA...