Trend Micro researchers reported that China-linked APT group Earth Baxia has targeted a government organization in Taiwan and potentially other countries in the Asia-Pacific (APAC) region.
The threat actor used spear-phishing emails and exploited the recently patched GeoServer vulnerability CVE-2024-36401.
GeoServer is an open-source server that allows users to share and edit geospatial data.
The vulnerability CVE-2024-36401 (CVSS score of 9.8) is a Remote Code Execution (RCE) issue caused by unsafe evaluation of property names as XPath expressions.
GeoServer versions before 2.23.6, 2.24.4, and 2.25.2 to this issue. Threat actors exploited the flaw to download or copy malicious components.
In July, the researchers detected suspicious activity targeting a government organization in Taiwan and other entities in APAC countries. Attackers deployed customized Cobalt Strike components on compromised systems and installed a new backdoor called EAGLEDOOR, which supports multiple protocols.
Earth Baxia primarily targeted government agencies, telecommunication businesses, and the energy industry in the Philippines, South Korea, Vietnam, Taiwan, and Thailand.
Upon investigation, the experts discovered that multiple servers were hosted on the Alibaba cloud service or located in Hong Kong. Some samples employed in the campaign were uploaded to VirusTotal from China.
“After checking one of the Cobalt Strike watermarks (666666) used by the threat actors on Shodan, we also found that only a few machines were linked to this watermark, most of which were in China (Table 1). Therefore, we suspect that the APT group behind these campaigns originates from China.” reads the report.
The APT group relies on GrimResource and AppDomainManager injection to deploy additional payloads, to lower the victim’s guard and avoid detection.
The phishing emails in this campaign have carefully tailored subject lines, with a ZIP file attachment containing a decoy MSC file named RIPCOY. Upon opening this file, an obfuscated VBScript downloads multiple files from a public cloud service like AWS, including a decoy PDF, .NET applications, and a configuration file. The .NET applications use AppDomainManager injection, which allows arbitrary code execution within a target application by injecting a custom application domain. This enables the execution of .NET applications to load managed DLLs, either locally or remotely, without invoking Windows API calls.
The EAGLEDOOR backdoor can communicate with C2 via DNS, HTTP, TCP, and Telegram. While TCP, HTTP, and DNS are used to send the victim machine’s status, the main backdoor functionality is handled through the Telegram Bot API. The malicious code supports methods like getFile
, getUpdates
, sendDocument
, and sendMessage
to gather information, transfer files, and execute payloads. However, in the collected samples, only TCP and HTTP protocols were observed on the victim’s side. Earth Baxia exfiltrates data in archives that are transferred using curl.exe
.
“Earth Baxia, likely based in China, conducted a sophisticated campaign targeting government and energy sectors in multiple APAC countries.” concludes the report. “They used advanced techniques like GeoServer exploitation, spear-phishing, and customized malware (Cobalt Strike and EAGLEDOOR) to infiltrate and exfiltrate data. The use of public cloud services for hosting malicious files and the multi-protocol support of EAGLEDOOR highlight the complexity and adaptability of their operations.”
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Earth Baxia)