November 26, 2024 at 03:32AM
Trend Micro reports a new spear-phishing campaign by Earth Kasha targeting Japan, using tactics involving the backdoor ANEL and the malware NOOPDOOR. This operation shifts focus from enterprises to individuals in sensitive sectors. The campaign employs sophisticated infection vectors and evasion techniques, necessitating ongoing vigilance and threat intelligence monitoring.
### Meeting Takeaways
**Campaign Overview:**
– A new spear-phishing campaign attributed to **Earth Kasha** has been targeting individuals and organizations in Japan since **June 2024**.
– This campaign marks the return of the **ANEL backdoor**, previously utilized by **APT10** until **2018**, along with confirmed use of **NOOPDOOR**, indicating a strategic shift in Earth Kasha’s tactics, techniques, and procedures (TTPs).
**Target Profiles:**
– Key targets are individuals related to political organizations, research institutions, think tanks, and entities involved in **international relations**.
– The focus has shifted from corporate enterprise targets to individual targets, reflecting national security concerns.
**Attack Mechanism:**
– Spear-phishing emails were sent from compromised or free email accounts, leading to malicious **ZIP** files hosted on **OneDrive**.
– Email subjects were tailored to attract attention related to Japan’s national security and economic relations with the US and China.
**Malware Execution Cases:**
1. **Case 1: Macro-Enabled Document (ROAMINGMOUSE)**
– When opened with macros enabled, the document executes embedded components related to ANEL.
2. **Case 2: Shortcut + SFX + Macro-Enabled Template Document**
– Uses a shortcut to trigger a self-extracting file disguised as a Word document.
3. **Case 3: Shortcut + CAB + Macro-Enabled Template Document**
– Utilizes PowerShell to drop an embedded CAB file that ultimately executes a malicious template.
**Evasion Techniques:**
– **ROAMINGMOUSE** employs evasive actions during execution to avoid detection, such as responding to mouse movements to trigger actions and utilizing custom encoding methods for embedded payloads.
– **WMI (Windows Management Instrumentation)** is used to execute processes in a manner that avoids immediate detection.
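As an added example (not code from the Trend Micro report), the following Python runs defender-side checks over constructed Sysmon-style process-creation records for the patterns described under Malware Execution Cases and Evasion Techniques: a process launched through WMI, PowerShell unpacking a CAB, a self-extracting executable named like a Word document, and an Office application spawning a child process. All paths, file names and rule names are constructed for illustration.

```python
import ntpath
import re
from typing import Dict, List
# Constructed Sysmon-style process-creation records (not real telemetry).
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\u\AppData\Roaming\lib.dll,Run"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell -w hidden expand C:\Users\u\Downloads\pkg.cab -F:* %TEMP%"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Users\u\Downloads\Policy_Brief.docx.exe",
     "CommandLine": r"C:\Users\u\Downloads\Policy_Brief.docx.exe"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd /c C:\Users\u\AppData\Local\Temp\stage.bat"},
    {"ParentImage": r"C:\Windows\explorer.exe",  # benign: user opens a document
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r'"WINWORD.EXE" /n C:\Users\u\Documents\notes.docx'},
]
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}
# Executable whose file name carries a document extension, e.g. Brief.docx.exe
DOC_LOOKALIKE = re.compile(r"\.(docx?|dotm?|pdf)[^\\]*\.exe$", re.I)

def classify(ev: Dict[str, str]) -> List[str]:
    """Return the names of every detection rule the event matches."""
    parent = ntpath.basename(ev["ParentImage"]).lower()
    image = ntpath.basename(ev["Image"]).lower()
    cmd = ev["CommandLine"].lower()
    hits = []
    # Evasion technique: a process launched via WMI appears as a child of WmiPrvSE.exe.
    if parent == "wmiprvse.exe":
        hits.append("wmi_spawned_process")
    # Case 3: PowerShell unpacking a dropped CAB (expand.exe or a .cab argument).
    if image in SHELLS and (".cab" in cmd or re.search(r"\bexpand(\.exe)?\b", cmd)):
        hits.append("powershell_cab_extraction")
    # Case 2: self-extracting executable disguised as a Word document.
    if DOC_LOOKALIKE.search(image):
        hits.append("document_lookalike_executable")
    # Cases 1-3 end in a macro-enabled document; macro code shows up as an Office child.
    if parent in OFFICE and image not in OFFICE:
        hits.append("office_child_process")
    return hits

def analyze(events: List[Dict[str, str]]) -> Dict[int, List[str]]:
    """Map event index -> matched rules, keeping only events with at least one hit."""
    return {i: h for i, ev in enumerate(events) if (h := classify(ev))}
```

The benign last record (a user opening a document in Word) produces no hit, which is the false-positive check a practitioner would want before deploying such rules.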
**ANEL Backdoor Insights:**
– ANEL has evolved, with new versions observed in the recent campaign, maintaining functionalities related to command and control communication, execution of commands, and data collection from infected environments.
**Post-Infection Activities:**
– While ANEL collects vital information (screenshots, system details), NOOPDOOR was deployed as a secondary payload for critical high-value targets.
**Attribution Justifications:**
– Continued use of tactics and tools similar to those seen in past Earth Kasha campaigns, along with code linkages between NOOPDOOR and ANELLDR, supports the attribution to Earth Kasha.
**Preventive Measures:**
– Stakeholders are urged to maintain vigilance against suspicious attachments, strengthen email filtering, and ensure awareness around current threats through active threat intelligence gathering.
**Next Steps:**
– Continuous monitoring and updating of cybersecurity measures are necessary as the campaign is ongoing.
– Customers using **Trend Micro Vision One** should utilize the threat intelligence tools available to protect and respond to these evolving threats effectively.
### Conclusion
Earth Kasha’s tactics remain adaptive, so ongoing vigilance is crucial, particularly for the individual targets now in focus, whose security measures vary widely.