A cyber-espionage campaign known as Earth Krahang APT [1] [3], attributed to a China-linked threat actor, has been uncovered by researchers at Trend Micro. This campaign targets government organizations in 23 countries across Asia, America [4], Europe [4], and Africa [4].

Description

This sophisticated campaign, active since early 2022 [4], exploits public-facing servers [4], sends spear-phishing emails carrying backdoors [4], and leverages compromised government infrastructure to host malicious payloads [3] [4], proxy attack traffic [4], and steal victim emails [4].

Earth Krahang uses open-source scanning tools and exploits vulnerabilities such as CVE-2023-32315 and CVE-2022-21587 to deploy webshells on target servers [4]. The group also conducts brute-force attacks on Exchange servers to gain access [4]. The attackers deploy malware such as Cobalt Strike [3] [4], RESHELL [4], and XDealer.

Connections have been identified between Earth Krahang and the Chinese company I-Soon, with the group possibly organized into subgroups like Earth Krahang. The campaign has targeted government entities in 35 countries, compromising 70 organizations, with a focus on foreign affairs ministries [2]. Tactics include using compromised government infrastructure for attacks [3], hosting malicious payloads [3] [4], and spear-phishing [3] [4]. Earth Krahang also steals email addresses and uses backdoors such as Cobalt Strike and custom malware in its attacks [3]. Overlaps with Earth Lusca were found in infrastructure and malware communication [3].

Conclusion

The Earth Krahang APT campaign poses a significant threat to government organizations worldwide. Mitigations such as patching vulnerabilities, implementing strong email security measures, and monitoring network traffic are crucial to defend against such attacks. The campaign highlights the importance of cybersecurity vigilance and collaboration among nations to combat cyber threats effectively.

References

[1] https://techkranti.com/19-mar-24-in-security-news-today/
[2] https://thecyberwire.com/newsletters/daily-briefing/13/54
[3] https://www.infosecurity-magazine.com/news/chinese-campaign-targets-100/
[4] https://securityaffairs.com/160702/apt/earth-krahang-apt.html