Cyber Security News

Earth Kasha Upgraded Their Arsenal With New Tactics To Attack Organizations

Earth Kasha, a threat actor linked to APT10, has expanded its targeting scope to India, Taiwan, and Japan, leveraging spear-phishing and exploiting vulnerabilities in public-facing applications like SSL-VPN and file storage services. 

The group has deployed various backdoors, including Cobalt Strike, LODEINFO, and the newly discovered NOOPDOOR, to maintain persistent access to compromised networks, which pose a significant threat to organizations in the targeted regions, particularly those in advanced technology and government sectors. 

overview of relationships of Earth Kasha

It initially compromised systems using legitimate Microsoft tools to gather system information and domain credentials, then employed custom malware, MirrorStealer, to steal stored credentials from various applications and abused VSSAdmin to dump sensitive system files from Active Directory servers.

Leveraging 2024 MITRE ATT&CK Results for SME & MSP Cybersecurity Leaders – Attend Free Webinar

After gaining domain admin privileges, they deployed backdoors to facilitate lateral movement and data exfiltration, which was achieved through both backdoor channels and direct file transfers over RDP sessions.

Execution flow of GOSICLOADER

By employing a multi-pronged approach in their recent campaign, it leverages a combination of Cobalt Strike, LODEINFO, and the novel NOOPDOOR backdoor.

Cobalt Strike, likely a cracked version, was deployed via GOSICLOADER, a Go-based shellcode loader. 

LODEINFO, a long-standing tool for Earth Kasha, underwent significant updates, including new backdoor commands and a refined execution mechanism involving DLL side-loading and digital signature abuse. 

The emergence of LODEINFOLDR Type 2, similar to the loader used in the LiberalFace campaign, suggests a potential connection between the two incidents.

Watermark and its hash in CSAgent

The NOOPLDR is a backdoor delivered via two distinct loaders: an XML/C# loader executed by MSBuild and a DLL loader leveraging DLL Side-Loading. Both loaders employ similar decryption and persistence techniques, utilizing device ID-based encryption. 

The XML/C# loader stores the encrypted payload in the registry for persistence, while the DLL loader uses a combination of file-based and registry-based persistence. 

Both loaders inject the decrypted payload into legitimate processes, while the DLL loader adds an extra layer of obfuscation with control flow obfuscation and junk code.

Example of NOOPLDR

NOOPDOOR, a sophisticated backdoor, operates in active and passive modes, where in active mode, it polls a daily-changing C&C server using a DGA, while in passive mode, it listens on port 47000 for incoming commands. 

It supports various built-in functions and can load additional modules, enabling diverse malicious activities by leveraging HTTP proxies, firewall manipulation, and file-based module storage for persistence and stealth.

DGA generation using “word” as the placeholder

Earth Kasha, a state-sponsored actor, is leveraging spear-phishing and exploiting public-facing applications to compromise targets by deploying malware like MirrorStealer to steal credentials from browsers, email clients, and servers. 

Post-exploitation, they abuse scheduled tasks for persistence and use LOLBins for lateral movement. Overlaps in TTPs with other APT10-linked groups suggest resource sharing or potential 0-day vulnerability sharing within the ecosystem.

It is a China-nexus threat actor and has recently launched a new campaign leveraging updated LODEINFO malware, which shares significant similarities with previous LODEINFO and A41APT operations.

TrendMicro’s analysis indicates a broader trend of China-nexus groups potentially cooperating, sharing 0-day vulnerabilities, and utilizing sophisticated tactics to evade detection.

Are you from SOC/DFIR Teams? – Analyse Malware & Phishing with ANY.RUN -> Try for Free

Aman Mishra

Recent Posts

Skuld Malware Using Weaponized Windows Utilities Packages To Deliver Malware

Researchers discovered a malware campaign targeting the npm ecosystem, distributing the Skuld info stealer through…

16 hours ago

BellaCiao, A new .NET Malware With Advanced Sophisticated Techniques

An investigation revealed an intrusion in Asia involving the BellaCiao .NET malware, as the initial…

16 hours ago

Malicious Apps On Amazon Appstore Records Screen And Interecpt OTP Verifications

A seemingly benign health app, "BMI CalculationVsn," was found on the Amazon App Store, which…

17 hours ago

Lazarus Hackers Using New VNC Based Malware To Attack Organizations Worldwide

The Lazarus Group has recently employed a sophisticated attack, dubbed "Operation DreamJob," to target employees…

17 hours ago

New Python NodeStealer Attacking Facebook Business To Steal Login Credentials

NodeStealer, initially a JavaScript-based malware, has evolved into a more sophisticated Python-based threat that targets…

17 hours ago

DigiEver IoT Devices Exploited To Deliver Mirai-based Malware

A new Mirai-based botnet, "Hail Cock Botnet," has been exploiting vulnerable IoT devices, including DigiEver…

17 hours ago