Trend Micro has uncovered a cyberespionage campaign by Earth Baku, or APT41, against organizations in the Indo-Pacific region. The campaign has been continuing since July 2020.

Attack vectors in the campaign

The ongoing campaign by Earth Baku employs multiple attack vectors to target attacks on public and private entities working in certain industries that are based in the Indo-Pacific region. 
  • New malware tools were carefully crafted as per various exploits and the infrastructure of targeted organizations.
  • It uses attack vectors such as SQL injection, installer tool InstallUtil[.]exe in a scheduled task, a malicious link (LNK) file in email attachment, and exploits of the ProxyLogon vulnerability (CVE-2021-26855) to upload a web shell of China Chopper.
  • The group used previously unknown shellcode loaders, now known as StealthVector and StealthMutant, along with a backdoor identified as ScrambleCross.
  • So far, the targeted countries are Vietnam, India, Malaysia, Taiwan, the Philippines, and Indonesia. 

Previous relations

Earth Baku’s recent activities were linked with previous campaigns active since November 2018.
  • The older campaign used a different shellcode loader, which was named as LavagokLdr.
  • Researchers discovered similar codes and techniques between now used StealthVector and LavagokLdr. Both perform a similar method for decryption and signature checking.

Conclusion

The recent finding regarding Earth Baku hints that the APT group may have hired new experts in software development and low-level programming, along with red-team methods. The group could be planning more campaigns in the near future in Indo-Pacific countries.

Cyware Publisher

Publisher

Cyware