
Newly Identified Earth Yako APT Observed Targeting Japanese Entities

Researchers have released a detailed analysis of an active campaign targeting multiple entities in Japan. Dubbed Operation RestyLink or Enelink, the campaign has been ongoing since January 2022, with changes observed in TTPs.

Campaign overview

The Earth Yako APT group has been found abusing legitimate services such as Dropbox, GitHub, and Protonmail to expand its campaign across East Asia.
  • Trend Micro researchers revealed that Earth Yako uses a spearphishing link for initial access.
  • The URL in the email leads to a compressed archive or disc image (ISO) file containing a malicious shortcut (LNK) file, which in turn downloads another payload.
  • The attackers used a wide range of malware and tools, including MirrorKey, PlugBox, PULink, and ShellBox, to infect their victims.
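The delivery chain above (spearphishing link, then an archive or disc image carrying a shortcut that fetches the next stage) can be triaged before anything is opened by parsing the shortcut file itself. The following is an added defender's example, not code from Trend Micro or the original report: a minimal parser for the Windows shell link (.lnk) format that extracts the target, working directory, arguments and window-show mode, plus a set of constructed triage heuristics. The function names, the heuristic token list and the two sample shortcuts are all my own assumptions; the "malicious" specimen carries an inert placeholder string rather than a working command.

```python
"""Minimal MS-SHLLINK (.lnk) parser for triaging the shortcut-in-ISO delivery chain."""
import struct

# CLSID 00021401-0000-0000-C000-000000000046 in its on-disk (little-endian) byte order.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HEADER_SIZE = 0x4C
# LinkFlags bits (MS-SHLLINK 2.1.1) and the ShowCommand value that starts the target minimised.
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_RELATIVE_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
SW_SHOWMINNOACTIVE = 7
# StringData sections appear in this fixed order, each present only if its flag is set.
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location"))
# Constructed triage heuristics (an assumption, not from the report): script hosts,
# download URLs and window-hiding switches in a shortcut's target or arguments.
SUSPICIOUS_TOKENS = ("powershell", "cmd.exe", "mshta", "rundll32", "regsvr32", "wscript",
                     "cscript", "http://", "https://", "-enc", "bypass", "hidden")


def _need(data: bytes, pos: int, n: int) -> None:
    if pos + n > len(data):
        raise ValueError(f"truncated shell link at offset {pos}")


def parse_lnk(data: bytes) -> dict:
    """Return header fields and StringData of a shell link; raises ValueError if malformed."""
    _need(data, 0, HEADER_SIZE)
    if struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link (bad HeaderSize or CLSID)")
    flags = struct.unpack_from("<I", data, 20)[0]
    show_command = struct.unpack_from("<I", data, 60)[0]
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:  # skip LinkTargetIDList: 2-byte IDListSize + IDList
        _need(data, pos, 2)
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:  # skip LinkInfo: LinkInfoSize counts the whole structure
        _need(data, pos, 4)
        pos += struct.unpack_from("<I", data, pos)[0]
    result = {"flags": flags, "show_command": show_command}
    width = 2 if flags & IS_UNICODE else 1  # UTF-16LE code units or ANSI bytes
    for bit, name in STRING_FIELDS:
        if not flags & bit:
            continue
        _need(data, pos, 2)
        count = struct.unpack_from("<H", data, pos)[0]  # CountCharacters, no terminator
        pos += 2
        _need(data, pos, count * width)
        raw = data[pos:pos + count * width]
        pos += count * width
        result[name] = raw.decode("utf-16-le") if width == 2 else raw.decode("cp1252", errors="replace")
    return result


def is_shell_link(data: bytes) -> bool:
    """True if the bytes parse as a well-formed shell link."""
    try:
        parse_lnk(data)
        return True
    except ValueError:
        return False


def suspicious_indicators(lnk: dict) -> list:
    """Apply the constructed heuristics; an empty list means nothing stood out."""
    hits = []
    haystack = (lnk.get("relative_path", "") + " " + lnk.get("arguments", "")).lower()
    hits += [f"token:{t}" for t in SUSPICIOUS_TOKENS if t in haystack]
    if lnk["show_command"] == SW_SHOWMINNOACTIVE:
        hits.append("show_command:SW_SHOWMINNOACTIVE")
    if len(lnk.get("arguments", "")) > 200:
        hits.append("long_arguments")
    return hits


def build_sample_lnk(relative_path: str, working_dir: str, arguments: str, show_command: int = 1) -> bytes:
    """Constructed specimen builder (not a captured file): header + Unicode StringData, no IDList/LinkInfo."""
    flags = HAS_RELATIVE_PATH | HAS_WORKING_DIR | HAS_ARGUMENTS | IS_UNICODE
    # HeaderSize, CLSID, LinkFlags, FileAttributes, three FILETIMEs, FileSize, IconIndex,
    # ShowCommand, HotKey, Reserved1..3 -> 76 bytes.
    header = struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, LNK_CLSID, flags, 0x20,
                         0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)

    def string_data(s: str) -> bytes:
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    return header + string_data(relative_path) + string_data(working_dir) + string_data(arguments)


# Constructed specimens: a shortcut that silently launches PowerShell to fetch a second stage
# (the command text is an inert placeholder), and a harmless shortcut to a text file.
MALICIOUS_SAMPLE = build_sample_lnk(
    r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"C:\Windows\System32",
    '-NoProfile -WindowStyle Hidden -Command "<placeholder: fetch stage2 from https://example.invalid/>"',
    show_command=SW_SHOWMINNOACTIVE)
BENIGN_SAMPLE = build_sample_lnk(r".\notes.txt", r"C:\Users\Public", "")

if __name__ == "__main__":
    for label, blob in (("malicious", MALICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, suspicious_indicators(parse_lnk(blob)))
```

Run against the files inside a mounted ISO or an extracted archive, this kind of check surfaces the shortcut's real target and arguments, which Explorer hides behind the icon and display name; the heuristics are deliberately coarse and are meant as a triage starting point, not a verdict.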

Who is the target

  • The group primarily targets researchers, academics, and think tanks in Japan; a small number of organizations in Taiwan have also been affected by the attack.
  • Earlier in 2022, the group’s primary targets were stakeholders related to economic security, which later expanded to target other sectors, such as energy.

New attributes observed as of January 2023

  • Based on the arsenal and TTPs, researchers note technical overlaps between Earth Yako and multiple threat groups, including DarkHotel, APT10, and APT29.
  • Earth Yako’s method of initial access is similar to DarkHotel’s, while its malware uses the same encryption routine found in APT10’s malware families.
  • Moreover, the use of ISO and LNK files by Earth Yako resembles the TTPs of APT29.

Conclusion

Researchers highlight that the APT adapts its methods and tactics to the significant topics concerning the targeted countries. Moreover, the attackers were found to primarily target organizations with relatively weak security measures. To reduce the risk and impact, organizations are advised to understand the attack patterns of the Earth Yako APT group and implement the necessary countermeasures to thwart these attacks.
Cyware Publisher