November 19, 2024 at 03:59AM
The blog analyzes Earth Kasha’s LODEINFO malware campaign targeting Japan, Taiwan, and India from 2023-2024. It highlights updated tactics, techniques, and procedures (TTPs), including exploiting vulnerabilities in public-facing applications, credential theft, and the use of various backdoors like LODEINFO and NOOPDOOR. The report draws connections with APT10 umbrella activities.
### Meeting Takeaways on Recent Earth Kasha Campaign
---
#### **Overview of Earth Kasha and LODEINFO**
- **Actor Identification**: Earth Kasha has been active since 2019, primarily targeting Japan. There is speculation linking the group to APT10, but it is currently viewed as distinct and is referred to as part of the "APT10 Umbrella."
- **Recent Campaigns**: Significant campaign updates were observed from early 2023 to 2024, with targeting expanded to Japan, Taiwan, and India and focused on the advanced technology and government sectors.
---
#### **Tactics, Techniques, and Procedures (TTPs)**
- **Initial Access**:
  - Transition from spear-phishing to exploiting vulnerabilities in public-facing applications (e.g., SSL-VPN and file storage appliances).
  - Exploited vulnerabilities: Array AG (CVE-2023-28461), Proself (CVE-2023-45727), and FortiOS/FortiProxy (CVE-2023-27997).
- **Post-Exploitation**:
  - Focused on information theft, using legitimate Microsoft tools to enumerate domain user information.
  - Used **MirrorStealer** for credential dumping across multiple applications.
  - Abused **vssadmin** to access registry hives and the credentials they contain.
- **Lateral Movement**:
  - Gained domain admin access to deploy backdoors (Cobalt Strike, LODEINFO, NOOPDOOR) across networks over SMB and via scheduled tasks.
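The vssadmin abuse noted above (creating a volume shadow copy so that locked registry hives can be read) leaves a recognizable trace in process-creation telemetry. The following detection is an added example written for these notes, not code from the report or from Trend Micro; the event records, host names and timestamps are constructed, and the field names (`host`, `ts`, `user`, `cmd`) are assumptions about how a log pipeline would normalize Sysmon/4688-style events.

```python
import re
from datetime import datetime, timedelta

# Constructed sample process-creation events (hypothetical; not from the report).
SAMPLE_EVENTS = [
    {"host": "WS01",  "ts": "2024-03-01T09:00:01", "user": "CORP\\alice",
     "cmd": r"C:\Windows\System32\vssadmin.exe list shadows"},
    {"host": "SRV02", "ts": "2024-03-01T10:12:05", "user": "CORP\\svc-backup",
     "cmd": r"vssadmin.exe create shadow /for=C:"},
    {"host": "SRV02", "ts": "2024-03-01T10:12:40", "user": "CORP\\svc-backup",
     "cmd": r"cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3\Windows\System32\config\SAM C:\Users\Public\sam.hiv"},
    {"host": "SRV02", "ts": "2024-03-01T10:12:41", "user": "CORP\\svc-backup",
     "cmd": r"cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3\Windows\System32\config\SYSTEM C:\Users\Public\sys.hiv"},
    {"host": "WS03",  "ts": "2024-03-01T11:00:00", "user": "CORP\\bob",
     "cmd": r"reg.exe query HKLM\SOFTWARE\Microsoft\Windows"},
    {"host": "WS04",  "ts": "2024-03-01T12:00:00", "user": "CORP\\carol",
     "cmd": r"vssadmin create shadow /for=D:"},
]

# A shadow copy being created (listing existing shadows is benign and not matched).
CREATE_SHADOW = re.compile(r"\bvssadmin(\.exe)?\b.*\bcreate\s+shadow\b", re.I)
# A registry hive (SAM/SYSTEM/SECURITY) being read out of a shadow copy device path.
HIVE_FROM_SHADOW = re.compile(
    r"HarddiskVolumeShadowCopy\d+\\.*\\config\\(SAM|SYSTEM|SECURITY)\b", re.I)


def _ts(ev):
    return datetime.fromisoformat(ev["ts"])


def detect_vssadmin_hive_access(events, window=timedelta(minutes=10)):
    """Return one finding per shadow-copy creation. Severity is 'high' when the
    same host reads SAM/SYSTEM/SECURITY from a shadow copy within `window`,
    otherwise 'medium' (creation alone may be legitimate backup activity)."""
    by_host = {}
    for ev in sorted(events, key=_ts):
        by_host.setdefault(ev["host"], []).append(ev)
    findings = []
    for host, evs in by_host.items():
        for i, ev in enumerate(evs):
            if not CREATE_SHADOW.search(ev["cmd"]):
                continue
            hives = []
            for later in evs[i + 1:]:
                if _ts(later) - _ts(ev) > window:
                    break
                m = HIVE_FROM_SHADOW.search(later["cmd"])
                if m:
                    hives.append(m.group(1).upper())
            findings.append({"host": host, "user": ev["user"], "shadow_created_at": ev["ts"],
                             "hives_read": hives, "severity": "high" if hives else "medium"})
    return findings
```

Tune the window and add an allow-list for known backup accounts before deploying; the point is the correlation of creation with hive reads, not the vssadmin invocation alone.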
---
#### **Malware Overview**
- **LODEINFO**:
  - Primary backdoor used since 2019, now part of a diverse toolkit.
  - Recent updates with multiple versions, indicating adaptability.
  - New commands and methods of execution introduced in recent versions (v0.6.9 to v0.7.3).
- **NOOPDOOR**:
  - Newly identified backdoor with complex features for high-profile targets, supporting both active and passive communication with C&C.
  - Uses a custom DGA for domain generation, encrypted communication, and various anti-analysis measures.
- **MirrorStealer**:
  - Credential-stealing malware targeting browsers and email clients, aiding Earth Kasha in accessing sensitive data.
---
#### **Attribution and Trends**
- The campaign analyzed suggests an ongoing evolution in tactics and potential collaboration between Earth Kasha and other actors (e.g., Earth Tengshe, Volt Typhoon).
- Indicators suggest possible sharing of, or shared access to, 0-day vulnerabilities among China-nexus adversaries.
---
#### **Conclusion**
- Earth Kasha's recent campaign reflects a significant shift in tactics, utilizing advanced techniques and malware to enhance access and persistence.
- Mutual influences and resource sharing among actors create a complex threat landscape necessitating proactive intelligence efforts.
---
#### **Next Steps and Recommendations**
- Stay updated on emerging threats through Trend Micro Vision One.
- Utilize threat intelligence reports to identify relevant indicators of compromise in organizational environments.
- Implement security measures against the techniques employed in the Earth Kasha campaigns, focusing on rigorous monitoring of public-facing applications.
---
These takeaways capture the essential points from the meeting on Earth Kasha’s evolving strategies and the implications for cybersecurity efforts.