Earth Baku, a name that first surfaced in cybersecurity circles in 2021, has re-emerged with a more menacing profile, expanding its nefarious activities across Europe, the Middle East, and Africa (MEA) in countries like Italy, Germany, the United Arab Emirates (UAE), and Qatar with traced connections in Georgia and Romania.
This advanced persistent threat (APT) group has targeted critical sectors, including government, media and communications, telecom, technology, healthcare, and education.
Researchers observed that Earth Baku’s recent campaigns have markedly evolved in tactics, techniques, and procedures (TTPs). One key strategy involves exploiting vulnerabilities in public-facing applications, particularly Internet Information Services (IIS) servers.
By targeting these accessible entry points, Earth Baku can swiftly establish a foothold within the victim’s environment.
Once inside, the group deploys the Godzilla web shell, a powerful tool that allows attackers to maintain persistent control over compromised servers. Godzilla serves as a launchpad for further malicious activities, including deploying shellcode loaders like StealthVector and StealthReacher and introducing the modular backdoor SneakCross.
This multi-stage attack approach enhances the group’s ability to stay undetected and allows them to execute complex operations precisely.
The StealthVector loader was first identified in 2021 and has undergone subtle yet impactful modifications. The 2024 iteration now employs AES encryption instead of the previously used ChaCha20, enhancing its ability to evade detection.
Additionally, the new version incorporated a code virtualiser for obfuscation, making it increasingly challenging for cybersecurity analysts to dissect and understand its inner workings.
StealthVector also uses advanced techniques, such as disabling Event Tracing for Windows (ETW) and Control Flow Guard (CFG), along with DLL hollowing, which injects malicious code into legitimate system files to avoid detection.
Researchers describe StealthReacher as an enhanced variant of StealthVector. Also known as DodgeBox, it is designed to launch Earth Baku’s latest backdoor, SneakCross. It uses similar AES encryption but introduces additional obfuscation techniques, such as the FNV-1a hash function and MD5 hashing for checksums.
The loader also re-encrypts itself upon initiation, using the victim’s computer name as the key, further complicating forensic analysis.
“It’s worth noting that both StealthVector and StealthReacher will perform re-encryption after the first initiation via XOR encryption, with the key being the victim’s computer name. From a digital forensics aspect, it is challenging to decrypt and analyse the collected payload even though all the components (loader and payload) were collected at the same time,” researchers said.
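The forensic problem described above (a payload XOR-re-encrypted with the victim’s computer name) can be approached by trying candidate host names as keys and validating each result by its PE header. The following is an added illustration, not code from the researchers or from the malware: it assumes a repeating-key XOR and tries ANSI and UTF-16LE encodings of the name, and the sample blob and host name `WS-FINANCE-07` are constructed.

```python
import struct

def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR (symmetric: the same call encrypts and decrypts).
    The article only states XOR keyed on the computer name; repeating-key is an assumption."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def looks_like_pe(blob: bytes) -> bool:
    """Validate a candidate plaintext by the 'MZ' stub and the 'PE\\0\\0' signature at e_lfanew."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if e_lfanew + 4 > len(blob):
        return False
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def key_candidates(computer_name: str):
    """Encodings an analyst would try for a host-name key: ANSI and UTF-16LE, as given and upper case."""
    for name in {computer_name, computer_name.upper()}:
        yield name.encode("ascii")
        yield name.encode("utf-16-le")

def recover_payload(blob: bytes, hostnames):
    """Try each host name/encoding as the XOR key; return (plaintext, key) for the first PE-shaped result."""
    for host in hostnames:
        for key in key_candidates(host):
            plain = xor_with_key(blob, key)
            if looks_like_pe(plain):
                return plain, key
    return None, None

def build_sample() -> bytes:
    """Constructed stand-in for a collected payload: MZ stub whose e_lfanew points at a 'PE' header at 0x40."""
    header = bytearray(b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40))
    header += b"PE\x00\x00" + b"\x00" * 12
    return bytes(header)

SAMPLE_PLAINTEXT = build_sample()
# Constructed: the blob as the loader would leave it on disk, keyed with the victim's (made-up) computer name.
SAMPLE_ENCRYPTED = xor_with_key(SAMPLE_PLAINTEXT, "WS-FINANCE-07".encode("utf-16-le"))

if __name__ == "__main__":
    plain, key = recover_payload(SAMPLE_ENCRYPTED, ["dc01", "WS-FINANCE-07", "srv-iis-02"])
    print("recovered with key" if plain else "no key matched", key)
```

In practice the host names come from the collected evidence (registry, event logs, DHCP leases), which is why collecting host identity alongside the binaries matters for this actor.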
Perhaps the most concerning addition to Earth Baku’s arsenal, SneakCross is a modular backdoor designed for flexibility and stealth. It utilises Google services for its command and control (C2) communications, exploiting legitimate infrastructure to avoid detection.
Researchers observed that SneakCross is built with a modular design, which allows it to be easily updated and customised with various plugins. These plugins enable various malicious activities, from keylogging and file manipulation to advanced network probing and Active Directory operations.
Its use of Windows Fibers further enhances its ability to evade network protection products and endpoint detection and response (EDR) solutions.
After gaining control over a target, Earth Baku employs various tools to maintain persistence, escalate privileges, and exfiltrate valuable data. The group’s approach to post-exploitation is methodological and adaptive, using tools designed to blend in with legitimate network traffic while executing malicious objectives.
The group has been observed using a customised version of the iox tunnelling tool, which allows them to establish reverse tunnels and maintain persistent access to compromised systems.
This tool has been modified from its public source code, with the attackers adding unique arguments to streamline its operation. The group also uses Rakshasa, a powerful proxy tool in Go designed for multi-level proxying and internal network penetration.
Additionally, they have been incorporating Tailscale, a VPN service, to integrate compromised systems into their virtual networks, making it significantly harder for investigators to trace the source of their activities.
Earth Baku interacts with the MEGA cloud storage service using the MEGAcmd tool, a command-line interface for exfiltrating stolen data. This tool is effective for uploading large volumes of data, suggesting that the group is focused on stealing and storing vast amounts of sensitive information.
In a particularly sophisticated move, Earth Baku has been observed corrupting their StealthVector loader by deliberately wiping out the first 1000 bytes of the file. This tactic is designed to evade detection by security products and make it significantly harder for analysts to reconstruct and analyse the malware.
“During our investigation, we found that Earth Baku intentionally corrupted their StealthVector loader by wiping out the first 1000 bytes of the file. By doing this, the threat actor can evade security products (as seen with the number of detections in VirusTotal at the time of writing compared to the original variant, which was detected by several security vendors),” explained researchers.
To mitigate Earth Baku operations, researchers have urged organisations to apply the principle of least privilege (restricting data access to only a few people), patch regularly, and back up data regularly.