Saturday, December 7, 2024
HomeCyber AttackEarth Kasha Upgraded Their Arsenal With New Tactics To Attack Organizations

Earth Kasha Upgraded Their Arsenal With New Tactics To Attack Organizations

Published on

SIEM as a Service

Earth Kasha, a threat actor linked to APT10, has expanded its targeting scope to India, Taiwan, and Japan, leveraging spear-phishing and exploiting vulnerabilities in public-facing applications like SSL-VPN and file storage services. 

The group has deployed various backdoors, including Cobalt Strike, LODEINFO, and the newly discovered NOOPDOOR, to maintain persistent access to compromised networks, which pose a significant threat to organizations in the targeted regions, particularly those in advanced technology and government sectors. 

 overview of relationships of Earth Kasha

It initially compromised systems using legitimate Microsoft tools to gather system information and domain credentials, then employed custom malware, MirrorStealer, to steal stored credentials from various applications and abused VSSAdmin to dump sensitive system files from Active Directory servers.

- Advertisement - SIEM as a Service

Leveraging 2024 MITRE ATT&CK Results for SME & MSP Cybersecurity Leaders – Attend Free Webinar

After gaining domain admin privileges, they deployed backdoors to facilitate lateral movement and data exfiltration, which was achieved through both backdoor channels and direct file transfers over RDP sessions.

 Execution flow of GOSICLOADER

By employing a multi-pronged approach in their recent campaign, it leverages a combination of Cobalt Strike, LODEINFO, and the novel NOOPDOOR backdoor.

Cobalt Strike, likely a cracked version, was deployed via GOSICLOADER, a Go-based shellcode loader. 

LODEINFO, a long-standing tool for Earth Kasha, underwent significant updates, including new backdoor commands and a refined execution mechanism involving DLL side-loading and digital signature abuse. 

The emergence of LODEINFOLDR Type 2, similar to the loader used in the LiberalFace campaign, suggests a potential connection between the two incidents.

 Watermark and its hash in CSAgent

The NOOPLDR is a backdoor delivered via two distinct loaders: an XML/C# loader executed by MSBuild and a DLL loader leveraging DLL Side-Loading. Both loaders employ similar decryption and persistence techniques, utilizing device ID-based encryption. 

The XML/C# loader stores the encrypted payload in the registry for persistence, while the DLL loader uses a combination of file-based and registry-based persistence. 

Both loaders inject the decrypted payload into legitimate processes, while the DLL loader adds an extra layer of obfuscation with control flow obfuscation and junk code.

 Example of NOOPLDR

NOOPDOOR, a sophisticated backdoor, operates in active and passive modes, where in active mode, it polls a daily-changing C&C server using a DGA, while in passive mode, it listens on port 47000 for incoming commands. 

It supports various built-in functions and can load additional modules, enabling diverse malicious activities by leveraging HTTP proxies, firewall manipulation, and file-based module storage for persistence and stealth.

DGA generation using “word” as the placeholder

Earth Kasha, a state-sponsored actor, is leveraging spear-phishing and exploiting public-facing applications to compromise targets by deploying malware like MirrorStealer to steal credentials from browsers, email clients, and servers. 

Post-exploitation, they abuse scheduled tasks for persistence and use LOLBins for lateral movement. Overlaps in TTPs with other APT10-linked groups suggest resource sharing or potential 0-day vulnerability sharing within the ecosystem.

It is a China-nexus threat actor and has recently launched a new campaign leveraging updated LODEINFO malware, which shares significant similarities with previous LODEINFO and A41APT operations.

TrendMicro’s analysis indicates a broader trend of China-nexus groups potentially cooperating, sharing 0-day vulnerabilities, and utilizing sophisticated tactics to evade detection.

Are you from SOC/DFIR Teams? – Analyse Malware & Phishing with ANY.RUN -> Try for Free

Latest articles

DaMAgeCard Attack – New SD Card Attack Lets Hackers Directly Access System Memory

Security researchers have identified a significant vulnerability dubbed "DaMAgeCard Attack" in the new SD...

Deloitte Denies Breach, Claims Only Single System Affected

Ransomware group Brain Cipher claimed to have breached Deloitte UK and threatened to publish...

Top Five Industries Most Frequently Targeted by Phishing Attacks

Researchers analyzed phishing attacks from Q3 2023 to Q3 2024 and identified the top...

Russian BlueAlpha APT Exploits Cloudflare Tunnels to Distribute Custom Malware

BlueAlpha, a Russian state-sponsored group, is actively targeting Ukrainian individuals and organizations by using...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

DaMAgeCard Attack – New SD Card Attack Lets Hackers Directly Access System Memory

Security researchers have identified a significant vulnerability dubbed "DaMAgeCard Attack" in the new SD...

Deloitte Denies Breach, Claims Only Single System Affected

Ransomware group Brain Cipher claimed to have breached Deloitte UK and threatened to publish...

Top Five Industries Most Frequently Targeted by Phishing Attacks

Researchers analyzed phishing attacks from Q3 2023 to Q3 2024 and identified the top...