Earth Kasha, a threat actor connected to APT10, has been identified as expanding its targeting efforts to include India, Taiwan, and Japan, with a particular focus on leveraging spear-phishing methods and exploiting vulnerabilities in public-facing applications such as SSL-VPN and file storage services.
The group, known for utilizing various backdoors including Cobalt Strike, LODEINFO, and the recently discovered NOOPDOOR, has been aiming to persistently access compromised networks, posing a significant threat to organizations within the targeted regions, especially those operating in advanced technology and government sectors.
After the initial compromise, Earth Kasha used legitimate Microsoft tools to gather system information and domain credentials, then deployed custom malware known as MirrorStealer to steal stored credentials from multiple applications and abused VSSAdmin to dump sensitive system files from Active Directory servers.
Upon acquiring domain admin privileges, the threat actor proceeded to deploy backdoors to enable lateral movement and data exfiltration, utilizing both backdoor channels and direct file transfers over RDP sessions to achieve their objectives.
In a recent campaign, Earth Kasha employed a multi-faceted approach combining Cobalt Strike, LODEINFO, and the novel NOOPDOOR backdoor. Cobalt Strike, likely a pirated version, was distributed via GOSICLOADER, a Go-based shellcode loader. LODEINFO, a tool previously associated with Earth Kasha, underwent significant updates, introducing new backdoor commands and refining its execution mechanism through DLL side-loading and digital signature abuse. The emergence of LODEINFOLDR Type 2, reminiscent of the loader used in the LiberalFace campaign, hinted at a potential connection between the two incidents.
NOOPLDR, the loader for the NOOPDOOR backdoor, came in two distinct forms: an XML/C# loader executed by MSBuild and a DLL loader that relies on DLL side-loading. Both employed similar decryption and persistence techniques, using device ID-based encryption of the payload. The XML/C# loader persisted the encrypted payload in the registry, whereas the DLL loader combined file-based and registry-based persistence. Both loaders injected the decrypted payload into legitimate processes and added an extra layer of obfuscation, with the DLL loader also incorporating control-flow obfuscation and junk code.
NOOPDOOR, a sophisticated backdoor, operated in both active and passive modes, with the active mode involving a DGA-based polling of a daily-changing C&C server, while the passive mode listened on port 47000 for incoming commands. Supporting various built-in functions and the ability to load additional modules, NOOPDOOR enabled a range of malicious activities including leveraging HTTP proxies, manipulating firewalls, and employing file-based module storage for persistence and stealth.
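One way to hunt for the passive-mode listener described above, as an added example that is not part of the original report or Trend Micro's tooling: the script parses constructed `netstat -ano` and `tasklist /fo csv` output, flags any process listening on TCP 47000, and lists that process's established peers for triage. The port is the only value taken from the page; the sample output, PIDs and image names are constructed.

```python
import csv
import io
import re

NOOPDOOR_PASSIVE_PORT = 47000  # passive-mode listener port named in the report

# Constructed sample of `netstat -ano` output; all values are made up for this example.
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       924
  TCP    0.0.0.0:47000          0.0.0.0:0              LISTENING       4412
  TCP    192.168.1.20:49712     203.0.113.7:443        ESTABLISHED     4412
  UDP    0.0.0.0:5353           *:*                                    1188
"""

# Constructed sample of `tasklist /fo csv` output (made up as well; PID 4412 stands
# in for a legitimate process the decrypted payload was injected into).
TASKLIST_SAMPLE = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"svchost.exe","924","Services","0","12,344 K"
"explorer.exe","4412","Console","1","58,120 K"
"""

_TCP_LINE = re.compile(r"^\s*TCP\s+(?P<local>\S+)\s+(?P<remote>\S+)\s+(?P<state>\S+)\s+(?P<pid>\d+)\s*$")

def parse_tcp_rows(netstat_text):
    """Yield (local, remote, state, pid) for each TCP row; UDP rows and the header are skipped."""
    for line in netstat_text.splitlines():
        m = _TCP_LINE.match(line)
        if m:
            yield m["local"], m["remote"], m["state"], int(m["pid"])

def parse_tasklist(tasklist_text):
    """Map PID -> image name from tasklist /fo csv output."""
    reader = csv.DictReader(io.StringIO(tasklist_text))
    return {int(row["PID"]): row["Image Name"] for row in reader}

def find_passive_listeners(netstat_text, tasklist_text, port=NOOPDOOR_PASSIVE_PORT):
    """Return one finding per process listening on `port`, with its image name and the
    established peers of that same PID, which is what a responder triages next."""
    rows = list(parse_tcp_rows(netstat_text))
    images = parse_tasklist(tasklist_text)
    findings = []
    for local, _remote, state, pid in rows:
        # rsplit keeps IPv6 forms such as [::]:47000 working
        if state != "LISTENING" or int(local.rsplit(":", 1)[1]) != port:
            continue
        peers = sorted(r for _l, r, s, p in rows if p == pid and s == "ESTABLISHED")
        findings.append({"pid": pid, "image": images.get(pid, "<unknown>"),
                         "port": port, "peers": peers})
    return findings
```

A hit on the port alone is only a lead; confirm it by checking the owning process for injected code and for the registry- or file-based persistence described above.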
Earth Kasha, identified as a state-sponsored actor, was found to be leveraging spear-phishing tactics and exploiting public-facing applications, deploying malware like MirrorStealer to steal credentials from browsers, email clients, and servers. Using scheduled tasks for persistence and LOLBins for post-exploitation lateral movement, the threat actor showed TTP overlaps with other APT10-linked groups, suggesting that resources or 0-day vulnerabilities may be shared within that ecosystem.
Earth Kasha, a China-based threat actor, recently initiated a new campaign using updated LODEINFO malware that shared significant similarities with previous LODEINFO and A41APT operations. Trend Micro's analysis highlighted a broader trend among China-based groups potentially collaborating, sharing 0-day vulnerabilities, and employing sophisticated tactics to avoid detection.