Cybersecurity researchers at Trend Micro have recently uncovered a disturbing trend in the activities of APT actor Earth Baku, known for its initial focus on the Indo-Pacific region. The group has significantly expanded its operations since late 2022, with a particular emphasis on Europe, the Middle East, and Africa (MEA).
Earth Baku’s increased presence in countries such as Italy, Germany, UAE, and Qatar has raised concerns among security experts. According to Trend Micro’s findings, the group has been using customized tools to establish persistence and steal sensitive data from targeted organizations.
One of the most alarming aspects of Earth Baku’s operations is its utilization of public-facing applications like Internet Information Services (IIS) servers as entry points for cyber attacks. After gaining access, the group deploys a sophisticated arsenal of malware, including StealthVector and StealthReacher loaders, as well as the modular SneakCross backdoor.
Furthermore, researchers have observed connections to Earth Baku’s infrastructure through Georgia, as well as numerous malware downloads originating from Romania. These findings suggest that Earth Baku’s cyber operations have reached a new level of sophistication and global reach.
The sectors targeted by Earth Baku include Government, Media and Communications, Telecom, Technology, Healthcare, and Education. The group’s tactics highlight the importance of cybersecurity measures for organizations operating in these industries.
The use of IIS servers as an initial entry point underscores Earth Baku’s evolving modus operandi. By deploying loaders like StealthVector and StealthReacher, the group can bypass security features and establish a foothold within the target network. SneakCross, a newly developed backdoor, further enhances Earth Baku’s capabilities for data exfiltration and command-and-control communication.
Earth Baku’s post-exploitation techniques involve a wide range of backdoor functionalities, including shell operations, file system operations, process operations, and keylogging. The group’s use of advanced evasion strategies and reverse tunneling tools reflects its commitment to maintaining persistent access and extracting valuable data.
To counter the growing threat posed by Earth Baku, cybersecurity experts recommend implementing the principle of least privilege, addressing security gaps, developing proactive incident response strategies, and maintaining multiple backup copies of corporate data. These measures can help organizations mitigate the risks associated with APT actors like Earth Baku.
Overall, Earth Baku’s expansion into new regions and adoption of advanced cyber tactics highlight the need for vigilant cybersecurity practices in today’s digital landscape. By staying informed and implementing robust security measures, organizations can strengthen their defenses against sophisticated threats like Earth Baku.