2024-09-18 Earth Baxia APT - RIPCOY + SWORDLDR Samples (Spear-Phishing and GeoServer Exploit used to Target APAC)

 

Trend Micro - Infection Chain


2024-09-08 TrendMicro Earth Baxia Uses Spear-Phishing and GeoServer Exploit to Target APAC

Earth Baxia, a threat actor suspected to originate from China, has been targeting government organizations in Taiwan and other Asia-Pacific (APAC) countries, using spear-phishing emails and exploiting a vulnerability in GeoServer (CVE-2024-36401), a remote code execution (RCE) exploit. This exploit allowed the attackers to download or copy malicious components, which were then used to deploy customized Cobalt Strike payloads. Their modified Cobalt Strike version included altered signatures for evasion, and they introduced a new backdoor named EAGLEDOOR, which supports multiple communication protocols for payload delivery and information gathering.

The infection chain typically began with spear-phishing emails that delivered malicious attachments or links. These emails often contained decoy documents to lure victims. One of the key methods used by Earth Baxia is the GrimResource technique, which involves downloading files from public cloud services such as AWS and Aliyun. The payloads were injected into legitimate processes using AppDomainManager injection to avoid detection.

Earth Baxia's campaigns primarily targeted government agencies, telecommunication businesses, and the energy sector in countries such as Taiwan, South Korea, the Philippines, and Vietnam. Analysis of Cobalt Strike watermarks and server locations suggests a strong connection to China. During the attack, the group employed sophisticated malware-loading techniques, including DLL side-loading and process injection.

Key malware involved in these campaigns included Cobalt Strike and EAGLEDOOR. The latter used Telegram for command-and-control (C&C) communications and supported various protocols like DNS, HTTP, and TCP for data exfiltration. Earth Baxia utilized public cloud services to host malicious files, making it harder to track their activities. They also used tools like curl for exfiltrating data from victim systems.

Download
Image

 
Download. Email me if you need the password scheme.


  • File Information
  • ├── DULLDOWN
  • │   ├── 1c13e6b1f57de9aa10441f63f076b7b6bd6e73d180e70e6148b3e551260e31ee TrojanSpy.SH.DULL.ZTLH
  • │   └── c78a02fa928ed8f83bda56d4b269152074f512c2cb73d59b2029bfc50ac2b8bc oncesvc.exe.config xml 
  • ├── RIPCOY
  • │   ├── 04b336c3bcfe027436f36dfc73a173c37c66288c7160651b11561b39ce2cd25e  202407111985[1].jpeg oncesvc.dll 
  • │   ├── 1e6c661d6981c0fa56c011c29536e57d21545fd11205eddf9218269ddf53d448  Hướng dẫn và yêu cầu kiểm tra, giám sát hoạt động của từng đơn vị năm 2024.msc 
  • │   ├── 4edc77c3586ccc255460f047bd337b2d09e2339e3b0b0c92d68cddedf2ac1e54 水域污染詳細訊息.msc 
  • │   ├── 6be4dd9af27712f5ef6dc7d684e5ea07fa675b8cbed3094612a6696a40c664ce 0c664ce.msc 
  • │   └── ca05513c365c60a8fdabd9e21938796822ecda03909b3ee5f12eb82fefa34d84  Document new.pdf.msc 
  • └── SWORDLDR (not the same as in their IOC https://www.trendmicro.com/content/dam/trendmicro/global/en/research/24/i/earth-baxia-uses-spear-phishing-and-geoserver-exploit-to-target-apac/IOCs%20-%20Earth%20Baxia%20Uses%20Spear-Phishing%20and%20GeoServer%20Exploit%20to%20Target%20APAC.txt but also recent SWORDLDR)
  •     ├── 00e6541316006156887d3313d72a81af30427742b27adec4a81c6ee7441b207c  Error Program Demo Edu.dll 
  •     ├── 084da6b560f62eeebc339ef3e1125f6da5a57bbd2c4ac192cec51b426dd6982e Error Program Demo Edu.dll 
  •     ├── a2ad95555bf3ce55ec70b41fa9ffa6bd2bafdb97d687a477efc0ab23fa0ed32e Error Program Demo Edu.dll 
  •     └── db425ce989ff1e2046f5ebddf2472dca8c48ab987e632e66caabf86502bf3ef0 SensorMonitor.exe 
Malware Repo Links
    Over the past 15 years, as the blog has been around, many hosting providers have dropped support due to stricter no-malware policies. This has led to broken links, especially in older posts. If you find a broken link on contagiodump.blogspot.com (or contagiominidump.blogspot.com), just note the file name from the URL and search for it in the Contagio Malware Storage.

Article Link: contagio: 2024-09-18 Earth Baxia APT - RIPCOY + SWORDLDR Samples (Spear-Phishing and GeoServer Exploit used to Target APAC)