
China-Backed Earth Baku Expands Cyber Attacks Across Europe, Middle East, Africa

August 14, 2024 | Ravi Lakshmanan | Threat Intelligence / Cyber Attacks


The China-backed threat actor known as Earth Baku has expanded its attack footprint beyond the Indo-Pacific region to include Europe, the Middle East, and Africa, starting in late 2022.

Countries newly targeted in this activity include Italy, Germany, the UAE, and Qatar, while suspected attacks have also been detected in Georgia and Romania. Government, media and communications, telecommunications, technology, healthcare, and education are among the sectors singled out as part of the intrusion set.

“In recent campaigns, the group has updated its tools, tactics, and procedures (TTPs) to leverage public applications such as IIS servers as entry points for attacks, then deploy advanced malware toolkits to the victim environment,” Trend Micro researchers Ted Lee and Theo Chen said in an analysis published last week.


The findings build on recent reports from Zscaler and Google-owned Mandiant, which also detail the threat actor’s use of malware families like DodgeBox (also known as DUSTPAN) and MoonWalk (also known as DUSTTRAP). Trend Micro has named them StealthReacher and SneakCross.

Earth Baku, a threat actor associated with APT41, has been known to use StealthVector since October 2020. Attack chains involve exploiting public-facing applications to drop the Godzilla web shell, which is then used to deliver subsequent payloads.


StealthReacher has been classified as an enhanced version of the StealthVector backdoor, which is responsible for running SneakCross, a modular implant and likely successor to ScrambleCross that uses Google services for command-and-control (C2) communications.

The attacks are also characterized by the use of other post-exploitation tools, such as iox, Rakshasa, and a virtual private network (VPN) service known as Tailscale. Exfiltration of sensitive data to the MEGA cloud storage service is accomplished using a command-line tool called MEGAcmd.
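The two stages described above (a web shell planted on a public-facing IIS server, then post-exploitation tooling such as iox, Rakshasa, Tailscale and MEGAcmd) each leave a footprint a defender can hunt for. The script below is an added example written for this page, not code from Trend Micro or the report; the IIS log lines, process-creation events, the `KNOWN_POST_HANDLERS` baseline and the `SERVER_HOSTS` set are all constructed, and the field order assumed for the IIS W3C log is an assumption you should match to your own server's `#Fields:` header.

```python
"""Hunting helpers for the intrusion chain described above: web-shell-style
POSTs on IIS, and post-exploitation tooling appearing on web servers.
Added example for this page; every log line and event below is constructed."""
from collections import defaultdict

# Constructed IIS W3C log (not from the report). Assumed field order:
# date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
IIS_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2024-08-01 10:00:01 10.0.0.5 GET /index.aspx - 443 - 203.0.113.7 Mozilla/5.0 200
2024-08-01 10:00:09 10.0.0.5 POST /api/login.aspx - 443 - 203.0.113.7 Mozilla/5.0 302
2024-08-01 10:05:12 10.0.0.5 POST /uploads/temp/errorx.aspx - 443 - 198.51.100.9 Mozilla/5.0 200
2024-08-01 10:05:15 10.0.0.5 POST /uploads/temp/errorx.aspx - 443 - 198.51.100.9 Mozilla/5.0 200
2024-08-01 10:05:44 10.0.0.5 POST /uploads/temp/errorx.aspx - 443 - 198.51.100.9 Mozilla/5.0 200
"""

# The application's legitimate POST handlers (constructed baseline; build yours from the deployed site).
KNOWN_POST_HANDLERS = {"/api/login.aspx"}
SCRIPT_EXTENSIONS = (".aspx", ".ashx", ".asmx", ".asp")


def find_webshell_candidates(log_text, baseline=KNOWN_POST_HANDLERS, min_hits=2):
    """Map each script path that receives repeated POSTs outside the baseline to its client IPs.
    A web shell is a server-side script the application never shipped that clients keep POSTing to."""
    posts = defaultdict(list)
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 11:
            continue
        method, uri, client_ip = fields[3], fields[4], fields[8]
        if method == "POST" and uri.lower().endswith(SCRIPT_EXTENSIONS) and uri not in baseline:
            posts[uri].append(client_ip)
    return {uri: ips for uri, ips in posts.items() if len(ips) >= min_hits}


# Constructed process-creation events, shaped loosely like Sysmon Event ID 1 fields.
PROCESS_EVENTS = [
    {"host": "web01", "parent": "services.exe", "image": r"C:\Windows\System32\inetsrv\w3wp.exe"},
    {"host": "web01", "parent": "w3wp.exe", "image": r"C:\Windows\System32\cmd.exe"},
    {"host": "web01", "parent": "cmd.exe", "image": r"C:\Windows\Temp\iox.exe"},
    {"host": "web01", "parent": "cmd.exe", "image": r"C:\ProgramData\ts\tailscale.exe"},
    {"host": "web01", "parent": "explorer.exe", "image": r"C:\Program Files\MEGAcmd\MEGAcmd.exe"},
    {"host": "ws42", "parent": "explorer.exe", "image": r"C:\Program Files\MEGAcmd\MEGAcmd.exe"},
]

TOOLING_NAMES = ("iox", "rakshasa", "tailscale", "megacmd")  # post-exploitation tools named in the report
SHELL_NAMES = ("cmd.exe", "powershell.exe", "pwsh.exe")
SERVER_HOSTS = {"web01"}  # hosts where none of that tooling is expected (constructed)


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def find_post_exploitation_signals(events, server_hosts=SERVER_HOSTS):
    """Return (reason, host, image) triples for two behaviours worth an alert:
    an IIS worker process spawning a shell, and the named tooling running on a server."""
    findings = []
    for ev in events:
        image = basename(ev["image"])
        parent = basename(ev.get("parent", ""))
        if parent == "w3wp.exe" and image in SHELL_NAMES:
            findings.append(("iis_worker_spawned_shell", ev["host"], image))
        # Substring match keeps the whole MEGAcmd binary family in scope; tune if it proves noisy.
        if ev["host"] in server_hosts and any(tool in image for tool in TOOLING_NAMES):
            findings.append(("tooling_on_server", ev["host"], image))
    return findings


if __name__ == "__main__":
    for uri, ips in find_webshell_candidates(IIS_LOG).items():
        print(f"possible web shell: {uri} POSTed {len(ips)}x from {sorted(set(ips))}")
    for reason, host, image in find_post_exploitation_signals(PROCESS_EVENTS):
        print(f"{reason}: {host} {image}")
```

The first check deliberately keys on a baseline rather than on file names, because a dropped web shell can be called anything; the second treats Tailscale and MEGAcmd as findings only on hosts where they have no business, since both are legitimate products on a workstation.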


“The group has adopted new bootloaders such as StealthVector and StealthReacher to silently launch backdoor components, and has added SneakCross as its latest modular backdoor,” the researchers said.

“Earth Baku also used several tools during its post-exploitation activities, including a customized iox tool, Rakshasa, TailScale for persistence, and MEGAcmd for efficient data exfiltration.”
