Earth Baku [1] [2] [3] [4] [5] [6], a state-sponsored threat group associated with APT41, has expanded its global operations [5], targeting countries in Europe, the Middle East [1] [3] [4] [5] [6], and Africa [1] [3] [4] [5] [6].

Description

Earth Baku [1] [2] [3] [4] [5] [6], a China-linked APT group [5], has recently expanded its operations globally, targeting countries such as Italy, Germany [2] [3] [5] [6], the UAE [3] [6], and Qatar [2] [3] [5] [6], with suspected attacks in Georgia and Romania [6]. The group has updated its tools and tactics [6], using compromised IIS servers in its attacks and deploying sophisticated malware toolsets [6]. Trend Micro researchers have identified the group’s use of the malware families also known as DodgeBox and MoonWalk [6], which Trend Micro tracks as StealthReacher and SneakCross [6]. Earth Baku has been using StealthVector since October 2020 [6], dropping the Godzilla web shell to deliver follow-on payloads [6]. StealthReacher [2] [3] [4] [5] [6], an enhanced version of StealthVector [6], launches SneakCross, a modular implant that uses Google services for command-and-control communication [6]. For post-exploitation the group uses Rakshasa [6], iox [1] [4] [6], and Tailscale to maintain persistence [6], and MEGAcmd for data exfiltration [1] [2] [5] [6]. Targeted sectors include media, telecommunications [5], technology [4] [5], healthcare [4] [5], and government [5].
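The brief above names two observable behaviours a defender can hunt for: a web shell running under a compromised IIS server, and the presence of the post-exploitation and exfiltration tooling it lists (iox, Rakshasa, Tailscale, MEGAcmd). The following script is an added example, not code from the brief or from any of the referenced reports. It runs a simple hunt over process-creation records; the pipe-separated record format, the sample events, and the binary names assumed for each tool are constructed for this example and are not indicators published in the sources.

```python
"""
Added example: hunt process-creation records for (a) interpreters spawned by
the IIS worker process, the classic signature of a web shell on an IIS host,
and (b) execution of the tools named in the brief.  Record format, sample
events and tool binary names are assumptions made for this example.
"""
import ntpath
import re
from dataclasses import dataclass

# A web shell hosted by IIS executes its commands as children of w3wp.exe.
IIS_WORKER = "w3wp.exe"
# Interpreters a web shell would typically launch to run a command.
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
# Assumed binary names for the tools the brief names (not from the sources).
TOOL_PATTERNS = {
    "iox": re.compile(r"^iox(\.exe)?$", re.I),
    "rakshasa": re.compile(r"^rakshasa", re.I),
    "tailscale": re.compile(r"^tailscaled?(\.exe)?$", re.I),
    "megacmd": re.compile(r"^mega(cmd|client|cmdserver)", re.I),
}


@dataclass(frozen=True)
class ProcEvent:
    ts: str
    host: str
    parent: str   # image path of the parent process
    image: str    # image path of the new process
    cmdline: str


def parse_event(line):
    """Parse one 'ts|host|parent|image|cmdline' record; None if malformed."""
    parts = line.split("|", 4)
    if len(parts) != 5:
        return None
    return ProcEvent(*parts)


def basename(path):
    # ntpath handles Windows paths regardless of the host running the hunt.
    return ntpath.basename(path).lower()


def classify(ev):
    """Return the list of finding tags that apply to a single event."""
    findings = []
    if basename(ev.parent) == IIS_WORKER and basename(ev.image) in SHELL_IMAGES:
        findings.append("iis_webshell_child")
    for name, pattern in TOOL_PATTERNS.items():
        if pattern.match(basename(ev.image)):
            findings.append(f"tool:{name}")
    return findings


def hunt(lines):
    """Return (host, ts, image basename, findings) for every flagged record."""
    hits = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        ev = parse_event(line)
        if ev is None:
            continue
        findings = classify(ev)
        if findings:
            hits.append((ev.host, ev.ts, basename(ev.image), findings))
    return hits


# Constructed sample records (not real telemetry); '<args>' stands in for
# whatever arguments the process was started with.
SAMPLE_EVENTS = r"""
# ts|host|parent_image|image|cmdline
2024-08-01T10:00:00Z|web01|C:\Windows\System32\inetsrv\w3wp.exe|C:\Windows\System32\cmd.exe|cmd.exe /c whoami
2024-08-01T10:00:05Z|web01|C:\Windows\System32\services.exe|C:\Windows\System32\svchost.exe|svchost.exe -k netsvcs
2024-08-01T10:02:10Z|web01|C:\Windows\System32\cmd.exe|C:\Users\Public\iox.exe|iox.exe <args>
2024-08-01T10:05:30Z|web01|C:\Windows\System32\services.exe|C:\Program Files\Tailscale\tailscale.exe|tailscale.exe <args>
2024-08-01T10:09:12Z|web01|C:\Windows\System32\cmd.exe|C:\Users\Public\MEGAcmd\MEGAclient.exe|MEGAclient.exe <args>
2024-08-01T10:10:00Z|ws07|C:\Windows\explorer.exe|C:\Windows\System32\notepad.exe|notepad.exe
"""

if __name__ == "__main__":
    for host, ts, image, findings in hunt(SAMPLE_EVENTS.splitlines()):
        print(f"{ts} {host} {image}: {', '.join(findings)}")
```

Run against the constructed sample, the hunt flags four of the six records: the cmd.exe child of w3wp.exe, and the iox, Tailscale and MEGAcmd executions. The tool matches are review signals rather than verdicts, since Tailscale or MEGAcmd may be legitimately installed in some environments; the IIS-worker-spawns-interpreter check is the higher-confidence finding and is the one to correlate first with web server logs and recently written files under the IIS web root.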

Conclusion

Organizations are advised to strengthen their defenses [2], update systems [2], enforce patch management policies [2], and maintain backups of corporate data to mitigate the evolving threat posed by Earth Baku. The group’s expanding global reach and sophisticated tactics present challenges for cybersecurity defenses, highlighting the need for continued vigilance and proactive measures to safeguard against future attacks.

References

[1] https://gbhackers.com/earth-baku-custom-tools-data-theft/
[2] https://www.darkreading.com/cyberattacks-data-breaches/apt41-spinoff-expands-chinese-actor-scope-beyond-asia
[3] https://cyberpress.org/earth-baku-unleashes-custom-tools/
[4] https://www.scmagazine.com/brief/expanded-attacks-by-earth-baku-detailed
[5] https://securityaffairs.com/167044/apt/earth-baku-expanded-operations.html
[6] https://thehackernews.com/2024/08/china-backed-earth-baku-expands-cyber.html