A sophisticated hacking campaign targeting government agencies and advanced technology sectors in Japan, Taiwan, and India has been linked to the elusive Earth Kasha group, suspected to be associated with the broader ‘APT10 Umbrella.’ The specific victimology consists of the public sector, individuals associated with international affairs, politicians, and researchers in the academic sector.
Leveraging updated tactics and custom malware, including Lodeinfo and newly discovered Noopdoor backdoors, the attackers have exploited flaws in enterprise systems to steal sensitive data and establish persistent access across the victim network.
Since early 2023, Earth Kasha has intensified its operations, targeting high-profile entities in advanced technology sectors and government agencies. Initially relying on spear-phishing emails, the group now exploits flaws in enterprise products, such as Array AG (CVE-2023-28461), Proself (CVE-2023-45727), and Fortinet’s FortiOS/FortiProxy (CVE-2023-27997).
The group’s operations follow a systematic approach. It gains initial access by exploiting flaws in enterprise software to get into the victim network.
After gaining access, the group leverages legitimate Microsoft tools like ‘csvde.exe’ and ‘nltest.exe’ to map Active Directory environments and gather sensitive data. Credential theft is executed via custom tools such as ‘MirrorStealer,’ which targets browsers, email clients, and SQL management tools.
Finally, backdoors are deployed across networks using tools like schtasks.exe and sc.exe. New loaders like Noopldr encrypt payloads using device-specific identifiers to evade detection.
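The discovery-then-persistence chain described above (Active Directory enumeration with csvde.exe or nltest.exe, followed by backdoor installation through schtasks.exe or sc.exe) is what a defender can correlate in endpoint telemetry. The following is an added detection example, not code from the article or from the researchers who documented the campaign; the log format, the host names and the two-hour correlation window are all constructed assumptions.

```python
"""Correlate the discovery-then-persistence sequence described above.
Added example, not from the article or the researchers' tooling. Parses
constructed Sysmon-style process-creation lines and flags a host where AD
enumeration (csvde.exe / nltest.exe) is followed within a window by
persistence via schtasks.exe /create or sc.exe create."""
from collections import defaultdict
from datetime import datetime, timedelta

DISCOVERY = {"csvde.exe", "nltest.exe"}
PERSISTENCE_MARKERS = {"schtasks.exe": "/create", "sc.exe": " create "}
WINDOW = timedelta(hours=2)  # assumed dwell between enumeration and persistence

def parse(line):
    """Constructed log format: <ISO timestamp>|<host>|<image>|<command line>."""
    ts, host, image, cmdline = line.split("|", 3)
    return datetime.fromisoformat(ts), host, image.lower(), cmdline.lower()

def is_persistence(image, cmdline):
    marker = PERSISTENCE_MARKERS.get(image)
    return marker is not None and marker in cmdline

def correlate(lines, window=WINDOW):
    """Return (host, discovery_image, persistence_cmdline) for each matched chain."""
    by_host = defaultdict(list)
    for line in lines:
        ts, host, image, cmdline = parse(line)
        by_host[host].append((ts, image, cmdline))
    alerts = []
    for host, events in by_host.items():
        events.sort()
        discovery = [e for e in events if e[1] in DISCOVERY]
        for ts, image, cmdline in events:
            if not is_persistence(image, cmdline):
                continue
            # Alert once per persistence event, on the earliest in-window discovery.
            for d_ts, d_image, _ in discovery:
                if timedelta(0) <= ts - d_ts <= window:
                    alerts.append((host, d_image, cmdline))
                    break
    return alerts

SAMPLE = [  # constructed telemetry, not real indicators
    "2024-01-10T09:00:00|WS-01|csvde.exe|csvde.exe -f ad_export.csv",
    "2024-01-10T09:05:00|WS-01|nltest.exe|nltest.exe /dclist:corp",
    "2024-01-10T10:10:00|WS-01|schtasks.exe|schtasks.exe /create /tn Upd /tr c:\\tmp\\a.exe /sc daily",
    "2024-01-10T11:00:00|WS-02|sc.exe|sc.exe create Svc1 binpath= c:\\tmp\\b.exe",  # no prior enumeration
    "2024-01-11T08:00:00|WS-03|nltest.exe|nltest.exe /domain_trusts",
    "2024-01-11T17:00:00|WS-03|sc.exe|sc.exe create Svc2 binpath= c:\\tmp\\c.exe",  # outside window
]
```

Running `correlate(SAMPLE)` yields a single alert for WS-01, where the scheduled-task creation follows the csvde.exe export within the window; WS-02 has no preceding enumeration and WS-03 falls outside it.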
Earth Kasha’s evolving toolkit demonstrates their adaptability:
- Lodeinfo: This longstanding backdoor has undergone significant upgrades, adding commands like ‘keylog’ and ‘runas’ for enhanced capabilities. The malware leverages DLL side-loading for stealth and continues to be a core component of their operations.
- Noopdoor: A newly identified backdoor, Noopdoor operates with two loader variants — XML-based ‘Noopdoor Type 1’ and DLL-based ‘Noopdoor Type 2’. Both use complex encryption tied to machine-specific data for stealthy persistence.
- Cobalt Strike variants: Earth Kasha employs a modified version of this penetration-testing tool, which is often associated with advanced persistent threats.
- MirrorStealer: A multipurpose credential stealer that can exfiltrate credentials saved in browsers, email clients, Group Policy Preferences, recently accessed servers, the host’s stored credentials, and SQL Server Management Studio.
Noopdoor functions in two communication modes: Active and Passive. Active mode uses RSA-2048 along with symmetric ciphers such as AES, DES, and RC4, while Passive mode is secured using AES-128-CBC.
Noopdoor generates new command-and-control (C&C) server domains daily, leveraging a custom DGA to evade detection and disrupt countermeasures.
Researchers have found that Earth Kasha’s campaign shares striking similarities with those conducted by Earth Tengshe, another group associated with APT10. Shared tactics include abusing SSL VPNs for initial access and leveraging scheduled tasks for persistence. However, their toolsets differ, with Noopdoor and MirrorStealer standing out as exclusive to Earth Kasha.