The Earth Krahang APT group has been found using a lesser-known RESHELL backdoor, alongside the XDealer backdoor, to infect organizations across the globe. The malware are dropped via spear-phishing emails related to geopolitical affairs.
Modus operandi
As part of the campaign, the attackers use compromised email addresses to send malicious attachments to users in the same organization.
- The emails are sent under the pretext of geopolitical topics, such as "Malaysian Ministry of Defense Circular," "ICJ public hearings- Guyana vs. Venezuela," or "Malaysian defense minister visits Hungary," to lure users.
- The malicious attachment includes a RAR archive containing an LNK file that executes the installers for backdoor malware onto the victims' system.
- In some cases, the backdoors were found being delivered via web shell on compromised servers.
- Researchers highlighted that the threat actor compromised a government web server and leveraged it to scan vulnerabilities in other government targets.
Targeted victims
- So far, seventy organizations spread across 23 countries have been targeted in the campaign.
- A majority of these organizations are in the government sector, with maximum targets aimed at foreign affairs ministries.
- Other impacted organizations belong to the education, telecommunications, logistics, finance, healthcare, and manufacturing sectors.
Connections with Earth Lusca
- Based on the IP address and domain names (such as googledata[.]com) used in the campaign, Trend Micro speculates a strong link between Earth Krahang and Earth Lusca.
- Moreover, the attackers were found targeting a similar range of victims to achieve their goals.
Conclusion
Given the importance of Earth Krahang’s targets and its preference for using compromised email accounts, organizations are advised to adhere to security best practices. This includes educating employees on how to identify phishing activity. Moreover, they can leverage IOCs attached to the campaign to understand the attack pattern and implement the required measures.
Publisher
/https://cyware-ent.s3.amazonaws.com/image_bank/46bc_shutterstock_680075185.jpg)
