Chinese Hackers Exploit GeoServer Flaw to Target APAC Nations with EAGLEDOOR Malware

Sep 23, 2024 | Ravie Lakshmanan | Cyber Espionage / Malware

A suspected advanced persistent threat (APT) originating from China targeted a government organization in Taiwan, and possibly other countries in the Asia-Pacific (APAC) region, by exploiting a recently patched critical security flaw impacting OSGeo GeoServer GeoTools.

The intrusion activity, which was detected by Trend Micro in July 2024, has been attributed to a threat actor dubbed Earth Baxia.

“Based on the collected phishing emails, decoy documents, and observations from incidents, it appears that the targets are primarily government agencies, telecommunication businesses, and the energy industry in the Philippines, South Korea, Vietnam, Taiwan, and Thailand,” researchers Ted Lee, Cyris Tseng, Pierre Lee, Sunny Lu, and Philip Chen said.


The discovery of lure documents in Simplified Chinese points to China being one of the affected countries as well, although the cybersecurity company said it doesn't have enough information to determine what sectors within the country have been singled out.

The multi-stage infection chain leverages two different techniques, spear-phishing emails and the exploitation of the GeoServer flaw (CVE-2024-36401, CVSS score: 9.8), to ultimately deliver Cobalt Strike and a previously unknown backdoor codenamed EAGLEDOOR, which allows for information gathering and payload delivery.

“The threat actor employs GrimResource and AppDomainManager injection to deploy additional payloads, aiming to lower the victim's guard,” the researchers noted, adding that the former technique is used to download next-stage malware via a decoy MSC file dubbed RIPCOY embedded within a ZIP archive attachment.

EAGLEDOOR Malware

It's worth mentioning here that Japanese cybersecurity company NTT Security Holdings recently detailed an activity cluster with links to APT41 that it said used the same two techniques to target Taiwan, the Philippines military, and Vietnamese energy organizations.

It's likely that these two intrusion sets are related, given the overlapping use of Cobalt Strike command-and-control (C2) domains that mimic Amazon Web Services, Microsoft Azure (e.g., “s3cloud-azure,” “s2cloud-amazon,” “s3bucket-azure,” and “s3cloud-azure”), and Trend Micro itself (“trendmicrotech”).

The end goal of the attacks is to deploy a customized variant of Cobalt Strike, which acts as a launchpad for the EAGLEDOOR backdoor (“Eagle.dll”) via DLL side-loading.


The malware supports four methods to communicate with the C2 server: over DNS, HTTP, TCP, and Telegram. While the first three protocols are used to transmit the victim status, the core functionality is realized through the Telegram Bot API to upload and download files and execute additional payloads. The harvested data is exfiltrated via curl.exe.
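The two infrastructure traits described above, C2 domains that borrow cloud-provider and vendor brand names without living under those vendors' real domains, and the Telegram Bot API used as the main file-transfer channel, both leave a footprint in web-proxy logs. The following is an added example, not code from Trend Micro or the original article, that runs a simple triage over constructed proxy log lines; the log format, the process names, and the list of legitimate apex domains per brand are assumptions and would need to match a real deployment.

```python
import re
from urllib.parse import urlsplit

# Assumption: registrable domains a defender treats as legitimate for each brand.
# Any host that contains the brand keyword but is NOT under one of these is a lookalike.
LEGIT_APEX = {
    "amazon": ("amazon.com", "amazonaws.com"),
    "azure": ("azure.com", "azure.net", "azurewebsites.net", "microsoft.com", "windows.net"),
    "trendmicro": ("trendmicro.com",),
}

# Telegram Bot API calls have the shape https://api.telegram.org/bot<token>/<method>.
# File upload/download and polling methods are the ones a backdoor would use.
TELEGRAM_BOT = re.compile(
    r"^https?://api\.telegram\.org/bot[^/]+/(sendDocument|getFile|getUpdates|sendMessage)\b"
)

def brand_lookalike(host):
    """Return the imitated brand name, or None if the host is legitimate for that brand."""
    h = host.lower()
    for brand, apexes in LEGIT_APEX.items():
        if brand in h and not any(h == a or h.endswith("." + a) for a in apexes):
            return brand
    return None

def classify(line):
    """Classify one constructed log line '<timestamp> <process> <method> <url>'."""
    _ts, proc, _method, url = line.split(" ", 3)
    host = urlsplit(url).hostname or ""
    findings = []
    brand = brand_lookalike(host)
    if brand:
        findings.append("lookalike-" + brand)
    # Bot API traffic from an endpoint is rare; from curl.exe it matches the exfil path described.
    if TELEGRAM_BOT.match(url):
        findings.append("telegram-bot-api" + ("-via-curl" if proc.lower() == "curl.exe" else ""))
    return findings

def scan(lines):
    """Return (process, finding) pairs for every line that triggers at least one heuristic."""
    return [(line.split(" ", 3)[1], f) for line in lines for f in classify(line)]

# Constructed sample log; none of these values come from the reported incident.
SAMPLE_LOG = [
    "2024-07-01T10:00:01Z outlook.exe GET https://s3.amazonaws.com/bucket/report.pdf",
    "2024-07-01T10:00:02Z rundll32.exe POST https://s3cloud-azure.example/api/v1/beacon",
    "2024-07-01T10:00:03Z curl.exe POST https://api.telegram.org/bot1234:PLACEHOLDER/sendDocument",
    "2024-07-01T10:00:04Z chrome.exe GET https://portal.azure.com/",
    "2024-07-01T10:00:05Z rundll32.exe GET https://trendmicrotech.example/update.bin",
]

if __name__ == "__main__":
    for proc, finding in scan(SAMPLE_LOG):
        print(proc, finding)
```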

“Earth Baxia, likely based in China, conducted a sophisticated campaign targeting government and energy sectors in multiple APAC countries,” the researchers pointed out.

“They used advanced techniques like GeoServer exploitation, spear-phishing, and customized malware (Cobalt Strike and EAGLEDOOR) to infiltrate and exfiltrate data. The use of public cloud services for hosting malicious files and the multi-protocol support of EAGLEDOOR highlight the complexity and adaptability of their operations.”

