Chinese Hackers Exploiting GeoServer Vulnerability To Deploy EAGLEDOOR Malware


GeoServer is an open-source server written in Java that enables users to share, process, and edit geospatial data.

It supports various data formats and integrates with popular mapping applications like “Google Maps” and “OpenLayers,” which makes it a powerful tool for web mapping and spatial data infrastructure.


Trend Micro researchers recently discovered that Chinese hackers have been actively exploiting a GeoServer vulnerability to deploy EAGLEDOOR malware.

GeoServer Vulnerability EAGLEDOOR Malware

The Chinese-linked APT group “Earth Baxia” targeted government agencies, telecommunications, and energy sectors in APAC countries, including Taiwan, the Philippines, South Korea, Vietnam, and Thailand.


Their attack vector involved spear-phishing emails carrying malicious “MSC files (RIPCOY)” and exploitation of “CVE-2024-36401,” an RCE vulnerability in “GeoServer.”

The infection chain utilized techniques like “AppDomainManager injection” and “GrimResource,” downloading payloads from cloud services (AWS, Aliyun).

Attack chain (Source – Trend Micro)

Earth Baxia deployed “customized Cobalt Strike components,” including a shellcode loader called “SWORDLDR,” and a new backdoor named “EAGLEDOOR.” 

EAGLEDOOR supports multiple communication protocols (DNS, HTTP, TCP, and Telegram), with its loader using DLL side-loading (“Systemsetting.dll” and “Systemsetting.exe”). 

The backdoor’s functionality includes API hooking, handled by “Hook.dll,” and core operations, handled by “Eagle.dll.”

Besides this, it leverages the Telegram Bot API for command and control, using the following methods:-

  • getFile
  • getUpdates
  • sendDocument
  • sendMessage

To evade detection and maintain persistence on compromised systems, the threat actors used obfuscation techniques such as Base64 encoding and AES encryption.

As part of the group’s exfiltration process, the collected information was archived, and “curl.exe” was used to upload the stolen data to their file server (152.42.243.170).
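The Telegram Bot API methods listed above and the curl.exe upload to a raw-IP file server are both observable in outbound web-proxy logs. The following detection script is an added example, not code from the Trend Micro report; it assumes a constructed proxy log format of `timestamp source_ip verb url "user_agent"` and constructed sample lines (the bot token is a placeholder, the destination IP is the one named in the report).

```python
import re
from typing import Dict, List, Optional

# Telegram Bot API methods the report says EAGLEDOOR uses for C2.
TELEGRAM_C2_METHODS = {"getFile", "getUpdates", "sendDocument", "sendMessage"}

# Constructed proxy log format: <ts> <src_ip> <verb> <url> "<user_agent>"
LOG_RE = re.compile(r'^(?P<ts>\S+) (?P<src>\S+) (?P<verb>[A-Z]+) (?P<url>\S+) "(?P<ua>[^"]*)"$')
# Bot API calls look like https://api.telegram.org/bot<token>/<method>
TG_RE = re.compile(r"^https?://api\.telegram\.org/bot[^/]+/(?P<method>[A-Za-z]+)")
# Upload straight to a bare IPv4 address rather than a hostname.
RAW_IP_RE = re.compile(r"^https?://\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?(?:/|$)")


def classify(line: str) -> Optional[Dict[str, str]]:
    """Return a hit dict for a suspicious line, or None if it looks benign."""
    m = LOG_RE.match(line)
    if not m:
        return None  # unparseable line; a real pipeline would count these
    src, verb, url, ua = m.group("src"), m.group("verb"), m.group("url"), m.group("ua")
    tg = TG_RE.match(url)
    if tg and tg.group("method") in TELEGRAM_C2_METHODS:
        return {"src": src, "rule": "telegram-bot-c2", "detail": tg.group("method")}
    # curl.exe sends a "curl/<version>" User-Agent; an upload to a raw IP matches
    # the exfiltration step described in the report.
    if ua.startswith("curl/") and verb in ("POST", "PUT") and RAW_IP_RE.match(url):
        return {"src": src, "rule": "curl-upload-to-raw-ip", "detail": url}
    return None


def scan(lines: List[str]) -> List[Dict[str, str]]:
    """Run classify() over every line and keep only the hits, in log order."""
    return [hit for hit in map(classify, lines) if hit is not None]


# Constructed sample log: two bot-API C2 calls, one curl upload, two benign lines.
SAMPLE_LOG = [
    '2024-09-20T10:01:02Z 10.0.0.5 GET https://api.telegram.org/bot123456:PLACEHOLDER/getUpdates "Mozilla/5.0"',
    '2024-09-20T10:01:05Z 10.0.0.5 POST https://api.telegram.org/bot123456:PLACEHOLDER/sendDocument "Mozilla/5.0"',
    '2024-09-20T10:02:10Z 10.0.0.5 POST http://152.42.243.170/upload "curl/8.4.0"',
    '2024-09-20T10:03:00Z 10.0.0.7 GET https://www.example.com/index.html "Mozilla/5.0"',
    '2024-09-20T10:04:00Z 10.0.0.7 GET https://api.telegram.org/bot123456:PLACEHOLDER/getMe "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

The last sample line calls getMe, which is not one of the four methods the report lists, so it is deliberately not flagged; widen TELEGRAM_C2_METHODS if any Bot API traffic from servers is unexpected in your environment.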

In addition, their initial access methods varied, using “MSC” and “LNK” files to deliver malicious toolsets. 

“Static.krislab.site” is one such site; it was used to distribute decoy documents as well as Cobalt Strike components, including “Edge.exe,” “msedge.dll,” and “Logs.txt,” via PowerShell commands.

Earth Baxia demonstrated adaptability by leveraging public cloud services to host malicious files and by incorporating multi-protocol support in EAGLEDOOR, which increased its operational complexity.

Recommendations

The recommendations are as follows:-

  • Implement continuous phishing awareness training.
  • Deploy multi-layered protection solutions.
  • Maintain vigilant cybersecurity practices.
