Chinese APT Hackers Earth Krahang Exploits Government Exchange Servers


A new Advanced Persistent Threat (APT) campaign, dubbed Earth Krahang, has emerged with a focus on infiltrating government entities across the globe.

This campaign, active since early 2022, has been linked to a China-nexus threat actor, previously identified as Earth Lusca. Despite similarities, Earth Krahang operates with distinct infrastructure and employs unique backdoors, suggesting it’s a separate entity.

Document

Free Webinar: Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.

:

  • The problem of vulnerability fatigue today
  • Difference between CVSS-specific vulnerability vs risk-based vulnerability
  • Evaluating vulnerabilities based on the business impact/risk
  • Automation to reduce alert fatigue and enhance security posture significantly

AcuRisQ, that helps you to quantify risk accurately:


This report delves into Earth Krahang’s tactics, techniques, and procedures (TTPs), shedding light on its operations and their implications for global cybersecurity.

Tactics and Techniques

Earth Krahang’s modus operandi includes exploiting vulnerabilities in public-facing servers and utilizing spear-phishing emails to deliver novel backdoors.

The campaign has shown a penchant for commandeering government infrastructure to launch further attacks, leveraging this access to host malicious payloads and facilitate cyber espionage.

Chinese APT Hackers Earth Krahang Exploits Government Exchange Servers
Infection chain of an Earth Krahang’s spear-phishing attack 

Notably, Earth Krahang has exploited vulnerabilities such as CVE-2023-32315 and CVE-2022-21587 to gain unauthorized access and deploy malware.

Spear-phishing remains a critical vector for Earth Krahang. Emails crafted to entice targets into executing malicious files are often crafted using geopolitical themes, indicating a strategic choice of lures.

 Earth Krahang conducts brute force attacks on Exchange servers via Outlook on the web, vulnerability scanning to find web server vulnerabilities, and injecting backdoors.

According to Trend Micro report, The campaign’s reconnaissance efforts are thorough, with an extensive collection of email addresses from targeted entities to maximize the reach of their phishing attempts.

Exploitation and Post-Exploitation

Upon gaining initial access, Earth Krahang employs a variety of tools and techniques to maintain presence and exploit compromised networks.

The use of SoftEther VPN on public-facing servers is a notable tactic, enabling the threat actor to infiltrate victim networks deeply. Post-exploitation activities include enabling remote desktop connections, credential dumping, and lateral movement within networks to access sensitive information.

Document

Integrate ANY.RUN in Your Company for Effective Malware Analysis

Are you from SOC, Threat Research, or DFIR departments? If so, you can join an online community of 400,000 independent security researchers:

  • Real-time Detection
  • Interactive Malware Analysis
  • Easy to Learn by New Security Team members
  • Get detailed reports with maximum data
  • Set Up Virtual Machine in Linux & all Windows OS Versions
  • Interact with Malware Safely

If you want to test all these features now with completely free access to the sandbox:


Malware Arsenal

Earth Krahang’s toolkit includes several malware families, with Cobalt Strike, RESHELL, and XDealer being prominent. RESHELL, a simple .NET backdoor, and XDealer, a more sophisticated backdoor with versions for both Windows and Linux, are key to the campaign’s initial foothold in target systems.

The evolution of XDealer, evidenced by various versions identified, indicates active development and customization by the threat actor.

Victimology and Attribution

The campaign has targeted approximately 70 victims across 23 countries, primarily focusing on government organizations. The wide geographic spread of targets underscores Earth Krahang’s global ambitions.

While direct attribution is challenging, connections to the China-nexus threat actor Earth Lusca and potential links to the Chinese company I-Soon suggest a coordinated effort possibly backed by state-sponsored actors.

Earth Krahang represents a sophisticated and persistent cyber threat that clearly focuses on government entities and the exploitation of government infrastructure for cyber espionage. The campaign’s unique malware families and tactics highlights the need for robust cybersecurity defenses and awareness.

Organizations, especially those within government sectors, are advised to adopt stringent security measures, including regular software updates, employee education on social engineering attacks, and implementing multi-factor authentication to mitigate the risk of compromise.

Earth Krahang’s evolving tactics and tools necessitate continuous vigilance and adaptation in cybersecurity strategies to protect sensitive information and infrastructure from these advanced threats.

You can find the complete indicators of Compromise here to keep your systems up to date.

You can learn malware analysis to break down sophisticated malware by enrolling in a Certified Malware Analyst Course online.



Source link