An analysis by Trend Micro indicates that the cyber espionage group Earth Baxia has been attempting to target government agencies in Taiwan, as well as potentially other countries in the Asia-Pacific (APAC) region, through spear-phishing campaigns and exploitation of a critical GeoServer vulnerability known as CVE-2024-36401, a critical security vulnerability.
It is part of an ongoing campaign intended to infiltrate key sectors of society, including one of the most vital sectors of the economy: telecommunications, energy, and government.
There are several vulnerabilities within GeoServer, an open-source platform for sharing geospatial data, which may allow hackers to execute remote code through an exploit known as CVE-2024-36401.
Earth Baxia could exploit this vulnerability by downloading malicious components directly into the victim environment, using tools such as "curl" and "scp" to cast harmful files, including customized Cobalt Strike beacons, and other payloads directly into the victim's environment.
By deploying these payloads, attackers were able to execute arbitrary commands inside compromised systems, which gave them a foothold within those compromised environments.
The Earth Baxia threat actor used a wide range of technologies to break into several countries in the Asia-Pacific region, targeting government organizations, telecommunications companies, and the energy industry. During the attack, the group employed sophisticated techniques, like spear-phishing emails and exploiting a GeoServer vulnerability (CVE-2024-36401) to achieve their goal.
The attackers deployed custom Cobalt Strike components as well as a new backdoor, called EAGLEDOOR, on computers that were compromised. Multiple communication protocols can be used to gather information and deliver payloads for EAGLEDOOR. To be able to track these attackers, they utilized public cloud services to host the malicious files.
It was also possible to deploy additional payloads via methods such as GrimResource injection and AppDomainManager injection, which were utilized by them. Among the countries that were affected by this campaign are Taiwan, the Philippines, South Korea, Vietnam, Thailand, and possibly China as well.
The subject lines in most of the emails are meticulously tailored with varying content, and the attachment ZIP file contains a decoy MSC file called RIPCOY which is used as a decoy file in the email subject lines.
By double-clicking this file, the embedded obfuscated VBScript will attempt to download multiple files from a public cloud service, typically Amazon Web Services via a mechanism called GrimResource, which extracts the data from the cloud service in the best way possible. In addition to the decoy PDF document, there are also .NET applications and a configuration file included in this pack.
As a result of being dropped by the MSC file, .NET applications and configuration files became vulnerable to malicious injection as a result of using a technique known as AppDomainManager injection. This allows the injection of a custom application domain within the target application process so that it can run arbitrary code.
It's a mechanism that provides the ability for any .NET application to load an arbitrarily managed DLL on its own, either locally or remotely, without directly invoking any Windows API calls, and it can be used in any scenario.
The next-stage downloader is downloaded by legit .NET applications based on a URL specified in the application configuration file (.config), which points to a file that includes a .NET DLL.
To encrypt the URL of this download, it has been encrypted in Base64 with AES obfuscation. During this stage, most of the download sites available for downloading through public cloud services, usually Aliyun were considered to be hosting websites. After retrieving the shellcode from the DLL, it executes it using the CreateThread API, with all processes being executed in the DLL being run entirely in memory at the same time.
Vision One Threat Intelligence from Trend Micro provides the following features:
Keeping pace with emerging threats is Trend Micro customers' number one priority, which is why Trend Micro Vision One users have access to a range of Intelligence Reports and Threat Insights. With Threat Insights, customers will be able to stay on top of cyber threats long before they happen and be more prepared when new cyber threats emerge. This report contains comprehensive information about threat actors, their malicious activities, and the techniques that they employ to harm users.
Using this intelligence as a basis for proactive measures, customers can reduce their risks and ensure that they respond effectively to threats by taking proactive steps to protect their environment.
In the context of various countries in the Asian Pacific region, Earth Baxia is likely to be based in China and carry out sophisticated campaigns targeting the government and energy sectors.
To infiltrate and exfiltrate data, they employ advanced tactics such as GeoServer exploitation, spear-phishing, customized malware (Cobalt Strike and EAGLEDOOR), and a combination of these. Even though EAGLEDOOR uses public cloud services for hosting malicious files and supports a wide range of protocols, their operations are complex and highly adaptable as a result.
Continuous vigilance and sophisticated threat detection measures are essential for such threats to be dealt with effectively.
To mitigate the risks associated with such threats, security teams are advised to implement several best practices. One critical measure is the implementation of continuous phishing awareness training for all employees. This ensures that staff remain informed about evolving phishing techniques and are better equipped to identify and respond to malicious attempts.
Additionally, employees should be encouraged to thoroughly verify the sender and subject of any emails, especially those originating from unfamiliar sources or containing ambiguous subject lines. This practice helps in identifying potentially harmful communications before they lead to further complications.
It is equally important to deploy multi-layered protection solutions, which serve to detect and block threats early in the malware infection chain. Such solutions enhance the organization’s overall security posture by providing multiple defences, significantly reducing the likelihood of a successful attack.
