Earth Kasha Upgraded Their Arsenal With New Tactics To Attack Organizations

Earth Kasha, a threat actor linked to APT10, has expanded its targeting scope to India, Taiwan, and Japan, leveraging spear-phishing and exploiting vulnerabilities in public-facing applications like SSL-VPN and file storage services. 

The group has deployed various backdoors, including Cobalt Strike, LODEINFO, and the newly discovered NOOPDOOR, to maintain persistent access to compromised networks, which pose a significant threat to organizations in the targeted regions, particularly those in advanced technology and government sectors. 

It initially compromised systems using legitimate Microsoft tools to gather system information and domain credentials, then employed custom malware, MirrorStealer, to steal stored credentials from various applications and abused VSSAdmin to dump sensitive system files from Active Directory servers.

Leveraging 2024 MITRE ATT&CK Results for SME & MSP Cybersecurity Leaders – Attend Free Webinar

After gaining domain admin privileges, they deployed backdoors to facilitate lateral movement and data exfiltration, which was achieved through both backdoor channels and direct file transfers over RDP sessions.

By employing a multi-pronged approach in their recent campaign, it leverages a combination of Cobalt Strike, LODEINFO, and the novel NOOPDOOR backdoor.

Cobalt Strike, likely a cracked version, was deployed via GOSICLOADER, a Go-based shellcode loader. 

LODEINFO, a long-standing tool for Earth Kasha, underwent significant updates, including new backdoor commands and a refined execution mechanism involving DLL side-loading and digital signature abuse. 

The emergence of LODEINFOLDR Type 2, similar to the loader used in the LiberalFace campaign, suggests a potential connection between the two incidents.

The NOOPLDR is a backdoor delivered via two distinct loaders: an XML/C# loader executed by MSBuild and a DLL loader leveraging DLL Side-Loading. Both loaders employ similar decryption and persistence techniques, utilizing device ID-based encryption. 

The XML/C# loader stores the encrypted payload in the registry for persistence, while the DLL loader uses a combination of file-based and registry-based persistence. 

Both loaders inject the decrypted payload into legitimate processes, while the DLL loader adds an extra layer of obfuscation with control flow obfuscation and junk code.

NOOPDOOR, a sophisticated backdoor, operates in active and passive modes, where in active mode, it polls a daily-changing C&C server using a DGA, while in passive mode, it listens on port 47000 for incoming commands. 

It supports various built-in functions and can load additional modules, enabling diverse malicious activities by leveraging HTTP proxies, firewall manipulation, and file-based module storage for persistence and stealth.

Earth Kasha, a state-sponsored actor, is leveraging spear-phishing and exploiting public-facing applications to compromise targets by deploying malware like MirrorStealer to steal credentials from browsers, email clients, and servers. 

Post-exploitation, they abuse scheduled tasks for persistence and use LOLBins for lateral movement. Overlaps in TTPs with other APT10-linked groups suggest resource sharing or potential 0-day vulnerability sharing within the ecosystem.

It is a China-nexus threat actor and has recently launched a new campaign leveraging updated LODEINFO malware, which shares significant similarities with previous LODEINFO and A41APT operations.

TrendMicro’s analysis indicates a broader trend of China-nexus groups potentially cooperating, sharing 0-day vulnerabilities, and utilizing sophisticated tactics to evade detection.

Are you from SOC/DFIR Teams? – Analyse Malware & Phishing with ANY.RUN -> Try for Free