A new Advanced Persistent Threat campaign, dubbed Earth Krahang, has emerged with a focus on infiltrating government entities across the globe.
This campaign, active since early 2022, has been linked to a China-nexus threat actor, previously identified as Earth Lusca.
Despite the similarities, Earth Krahang operates with distinct infrastructure and employs its own backdoors, suggesting that it is a separate entity.
This report delves into Earth Krahang's tactics, techniques, and procedures, shedding light on its operations and their implications for global cybersecurity.
Earth Krahang's modus operandi includes exploiting vulnerabilities in public-facing servers and utilizing spear-phishing emails to deliver novel backdoors.
The campaign has shown a penchant for commandeering government infrastructure to launch further attacks, leveraging this access to host malicious payloads and facilitate cyber espionage.
Notably, Earth Krahang has exploited vulnerabilities such as CVE-2023-32315 and CVE-2022-21587 to gain unauthorized access and deploy malware.
Spear-phishing remains a critical vector for Earth Krahang.
Earth Krahang conducts brute-force attacks against Exchange servers through Outlook on the web, scans public web servers for exploitable vulnerabilities, and injects backdoors into the servers it compromises.
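As an added defensive example (not part of the original article and not Earth Krahang tooling), the following Python flags the Outlook on the web brute-force pattern mentioned above by counting failed logon POSTs per source IP in simplified IIS-style log lines; the sample lines are constructed. It assumes a failed logon is logged as 401 and a success as a 302 redirect; with forms-based authentication, failures instead appear as a redirect back to the logon page carrying a reason parameter, so the status test would need adjusting.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed IIS W3C-style log lines (sample data, not from the campaign):
# date time c-ip cs-method cs-uri-stem cs-username sc-status
SAMPLE_LOG = """\
2024-03-18 10:00:01 203.0.113.7 POST /owa/auth.owa - 401
2024-03-18 10:00:03 203.0.113.7 POST /owa/auth.owa - 401
2024-03-18 10:00:04 203.0.113.7 POST /owa/auth.owa - 401
2024-03-18 10:00:06 203.0.113.7 POST /owa/auth.owa - 401
2024-03-18 10:00:07 203.0.113.7 POST /owa/auth.owa - 401
2024-03-18 10:00:09 203.0.113.7 POST /owa/auth.owa - 302
2024-03-18 10:05:00 198.51.100.9 POST /owa/auth.owa - 401
2024-03-18 10:05:30 198.51.100.9 POST /owa/auth.owa - 302
2024-03-18 10:06:00 192.0.2.5 GET /owa/ - 200
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) \S+ (\d{3})$")

def parse_owa_auth_events(log_text):
    """Yield (timestamp, source_ip, status) for POSTs to the OWA logon endpoint."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m or m[4] != "POST" or not m[5].lower().startswith("/owa/auth.owa"):
            continue
        ts = datetime.strptime(f"{m[1]} {m[2]}", "%Y-%m-%d %H:%M:%S")
        yield ts, m[3], int(m[6])

def detect_owa_brute_force(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return {ip: {"failures": n, "success_after": bool}} for each source IP
    with >= threshold failed logons inside a sliding time window.
    Assumption: failure is logged as 401, success as a 302 redirect."""
    by_ip = defaultdict(list)
    for ts, ip, status in parse_owa_auth_events(log_text):
        by_ip[ip].append((ts, status))
    alerts = {}
    for ip, events in by_ip.items():
        events.sort()
        failures = [ts for ts, st in events if st == 401]
        for i, start in enumerate(failures):
            burst = [t for t in failures[i:] if t - start <= window]
            if len(burst) >= threshold:
                # A success right after the burst is the high-priority case:
                # it suggests the guessing found a valid password.
                success_after = any(st != 401 and ts > burst[-1] for ts, st in events)
                alerts[ip] = {"failures": len(burst), "success_after": success_after}
                break
    return alerts
```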
Upon gaining initial access, Earth Krahang employs a variety of tools and techniques to maintain presence and exploit compromised networks.
The use of SoftEther VPN on public-facing servers is a notable tactic, enabling the threat actor to infiltrate victim networks deeply.
Earth Krahang's toolkit includes several malware families, with Cobalt Strike, RESHELL, and XDealer being prominent.
The evolution of XDealer, evidenced by various versions identified, indicates active development and customization by the threat actor.
The campaign has targeted approximately 70 victims across 23 countries, primarily focusing on government organizations.
The wide geographic spread of targets underscores Earth Krahang's global ambitions.
While direct attribution is challenging, connections to the China-nexus threat actor Earth Lusca and potential links to the Chinese company I-Soon suggest a coordinated effort possibly backed by state-sponsored actors.
Earth Krahang represents a sophisticated and persistent cyber threat that clearly focuses on government entities and the exploitation of government infrastructure for cyber espionage.
The campaign's unique malware families and tactics highlight the need for robust cybersecurity defenses and awareness.
Earth Krahang's evolving tactics and tools necessitate continuous vigilance and adaptation in cybersecurity strategies to protect sensitive information and infrastructure from these advanced threats.
This Cyber News was published on cybersecuritynews.com. Publication date: Mon, 18 Mar 2024 16:55:09 +0000