New research has disclosed that APT group Earth Aughisky launched non-stop espionage attacks against users in Taiwan, and, more recently, Japan. Active for over a decade now, it kept enhancing its toolsets and malware capabilities. (Aughiskies are vicious aquatic predators that use guile in order to feed on humanoids, their favorite prey.)

Use of malicious tools

According to Trend Micro, the Earth Aughisky group abuses genuine accounts, software, apps, and other weaknesses inside the network design and infrastructure.
  • The threat group primarily targets Taiwan, however victimology patterns since 2017 displayed a focus on Japan as well.
  • The most targeted industries are healthcare, telecom, technology, transportation, manufacturing, and government.

The security firm linked the activities of Earth Aughisky to another APT known as Pitty Tiger (aka APT24) due to the use of the same dropper in different attacks that happened between April and August 2014.

Leveraging updated toolset 

The attack chain used by the group generally uses spear-phishing as an initial vector
  • One of the most used malware among its tools is a remote access trojan Taidoor.
  • The group has been linked to different malware families, such as K4RAT, GrubbyRAT, Serkdes, Taikite, Taleret, and LuckDLL, as part of its efforts to regularly update its toolset to stay hidden.
  • Some of the additional backdoors used by the group over the years include SiyBot (a basic backdoor), TWTRAT (abuses Twitter's feature for C2), and DropNetClient (uses Dropbox API for C2).

Concluding notes

Earth Aughisky group has been active for a decade, and the recent shift in targets points towards its strategic goals. Also, it is actively updating and revamping its malware toolset and infrastructure. Organizations should stay alert and leverage a threat intelligence platform that caters to your need.
Cyware Publisher