A previously unidentified Chinese spy group has managed to breach at least 70 organizations in 23 countries, including 48 in government settings, despite using fairly standard tactics, techniques and procedures (TTPs).
“Earth Krahang” does not appear to be a high-end military APT. In a new report, Trend Micro researchers suggest that it could be a wing of iSoon, a private hacker-for-hire operation contracted by the Chinese Communist Party (CCP). And, as befits such a cybercrime-style operation, instead of employing ultra-sophisticated malware and stealth tactics, it uses an arsenal of largely open source and well-documented tools, along with n-day vulnerabilities and standard social engineering, to defeat its targets.
Despite this, its list of victims rivals that of the likes of Volt Typhoon, BlackTech, and Mustang Panda.
Having targeted no fewer than 116 organizations in 35 countries, the group has at least 70 confirmed compromises, including four dozen associated with various world governments. In one case, it managed to breach a wide range of organizations linked to 11 ministries. Victims also span the education, telecommunications, finance, IT, and sports sectors, among others. The highest concentration of victims is in Asia, but cases also appear in the Americas (Mexico, Brazil, Paraguay), Europe (Great Britain, Hungary), and Africa (Egypt, South Africa).
“The use of open source tools to compromise government entities is notable, but not entirely surprising,” says Callie Guenther, senior manager of cyber threat research at Critical Start. “Governments often have large and complex IT infrastructures, which can lead to inconsistencies in security practices and make it difficult to defend against all types of attacks, including those using basic open source tools.”
Earth Krahang’s intrusion tactics
Some successful Chinese APTs stand out for unique zero-days or complex tactics that they execute better than anyone else.
Earth Krahang is more of an all-rounder.
Its first move is to scan the Web for public-facing servers of interest, such as those linked to government organizations. To check for vulnerabilities it can exploit, it uses one of several open source, off-the-shelf tools, including sqlmap, nuclei, xray, vscan, pocsuite, and wordpressscan. Two bugs in particular that Earth Krahang likes to prey on are CVE-2023-32315, a command execution bug in the Openfire real-time collaboration server with a CVSS score of 7.5, and CVE-2022-21587, a critical (CVSS 9.8) command execution issue in the Web Applications Desktop Integrator of Oracle’s E-Business Suite.
After establishing a foothold on a public server, the group uses more open source software to search for sensitive files, passwords (particularly for email), and other useful resources, such as orphaned subdomains that could point to additional unmanaged servers. It also uses a variety of brute-force attacks, such as running a list of common passwords against Microsoft Exchange servers via Outlook on the web.
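The brute-force and common-password (spray) attempts against Outlook on the web described above leave a recognizable footprint in sign-in logs: one source failing against many different accounts in a short window, or one source hammering a single account. The following detector is an added example, not code from the article or from Trend Micro. It runs over a constructed, simplified sign-in export (timestamp, source IP, account, result); the log format and the thresholds are assumptions, and the success-from-a-flagged-source check is the finding an incident responder would act on first.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data (not real logs). Hypothetical simplified export of
# Outlook on the web sign-in events: timestamp, source IP, account, result.
SAMPLE_AUTH_LOG = """\
2024-03-01T09:00:01Z 203.0.113.7 alice@example.gov FAIL
2024-03-01T09:00:03Z 203.0.113.7 bob@example.gov FAIL
2024-03-01T09:00:05Z 203.0.113.7 carol@example.gov FAIL
2024-03-01T09:00:07Z 203.0.113.7 dave@example.gov FAIL
2024-03-01T09:00:09Z 203.0.113.7 erin@example.gov FAIL
2024-03-01T09:00:11Z 203.0.113.7 frank@example.gov SUCCESS
2024-03-01T09:05:00Z 198.51.100.4 alice@example.gov FAIL
2024-03-01T09:05:30Z 198.51.100.4 alice@example.gov SUCCESS
2024-03-01T09:20:00Z 192.0.2.9 grace@example.gov FAIL
2024-03-01T09:20:10Z 192.0.2.9 grace@example.gov FAIL
2024-03-01T09:20:20Z 192.0.2.9 grace@example.gov FAIL
2024-03-01T09:20:30Z 192.0.2.9 grace@example.gov FAIL
2024-03-01T09:20:40Z 192.0.2.9 grace@example.gov FAIL
2024-03-01T09:20:50Z 192.0.2.9 grace@example.gov FAIL
"""


def parse_line(line):
    """Parse one constructed log line into (datetime, ip, account, result)."""
    ts, ip, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result


def _max_in_window(events, window, measure):
    """events is a time-sorted list of (ts, account). Slide a window that
    starts at each event and return the largest measure() of its contents."""
    best = 0
    for i, (start, _) in enumerate(events):
        in_window = [u for t, u in events[i:] if t - start <= window]
        best = max(best, measure(in_window))
    return best


def analyze(log_text, window=timedelta(minutes=10), min_accounts=5, min_failures=5):
    """Flag password sprays (one IP, many accounts), single-account brute force
    (one IP, one account, many failures) and any success from a flagged IP."""
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    fails_by_ip = defaultdict(list)
    fails_by_ip_user = defaultdict(list)
    successes = []
    for ts, ip, user, result in events:
        if result == "FAIL":
            fails_by_ip[ip].append((ts, user))
            fails_by_ip_user[(ip, user)].append((ts, user))
        else:
            successes.append((ts, ip, user))

    report = {"sprays": [], "brute_force": [], "successes_from_flagged_ips": []}
    for ip, fails in fails_by_ip.items():
        distinct = _max_in_window(fails, window, lambda items: len(set(items)))
        if distinct >= min_accounts:
            report["sprays"].append({"ip": ip, "distinct_accounts": distinct})
    for (ip, user), fails in fails_by_ip_user.items():
        count = _max_in_window(fails, window, len)
        if count >= min_failures:
            report["brute_force"].append({"ip": ip, "account": user, "failures": count})

    # A successful sign-in from a source that was spraying or brute forcing is
    # the account to reset and investigate first.
    flagged = {f["ip"] for f in report["sprays"]} | {f["ip"] for f in report["brute_force"]}
    for ts, ip, user in successes:
        if ip in flagged:
            report["successes_from_flagged_ips"].append({"ip": ip, "account": user})
    return report


if __name__ == "__main__":
    for category, findings in analyze(SAMPLE_AUTH_LOG).items():
        print(category, findings)
```

The thresholds are deliberately low so the constructed sample triggers them; in production they should be tuned against the organization's normal failure rate, and the per-IP grouping should be widened to cover sprays spread across many source addresses.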
“While it may seem like open source should be easy to detect,” says Jon Clay, vice president of threat intelligence at Trend Micro, “the reality is that there are a lot of TTPs here that need to be found and detected. Additionally, this adversary’s use of defense evasion tactics can be used to ensure that victims are unable to defend themselves.”
Earth Krahang exploitation and stealth tactics
At the end of all this (and more), the attacker is left with two main capabilities: backdoors on compromised servers and control of email accounts.
The latter is particularly useful. “Using legitimate systems and email accounts to support their attack is particularly interesting in this case, because this adversary uses legitimate accounts to trick the victim into thinking they are safe,” Clay explains. With a list of high-value contacts and the legitimacy gained from a bona fide account, the group sends emails with fitting subject lines, such as “Malaysian Ministry of Defense Circular”, malicious URLs or attachments, and file names that do the same, for example “On the visit of the Paraguayan Foreign Minister to Turkmenistan.exe.”
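The lure above relies on a document-sounding file name carrying an executable extension. A mail gateway or triage script can flag that pattern before the attachment reaches a user. The following check is an added example, not code from the article or from any product; the extension lists, the “sentence-like name” heuristic, and the sample file names (apart from the one quoted in the article) are assumptions constructed for the illustration.

```python
import os

# Assumed lists for the example; extend to match the organization's policy.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".bat", ".cmd", ".js",
                         ".vbs", ".hta", ".msi", ".ps1", ".lnk"}
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt",
                       ".pptx", ".txt", ".rtf"}


def assess_attachment_name(filename):
    """Return the reasons an attachment name should be held for review.
    An empty list means no name-based finding (content checks still apply)."""
    reasons = []
    name = filename.strip().lower()
    base, ext = os.path.splitext(name)
    if ext in EXECUTABLE_EXTENSIONS:
        reasons.append(f"executable extension {ext}")
        # "report.pdf.exe": a document extension hidden before the real one
        _, inner_ext = os.path.splitext(base)
        if inner_ext in DOCUMENT_EXTENSIONS:
            reasons.append(f"document-style double extension {inner_ext}{ext}")
        # Programs are rarely named like memo titles; lures frequently are
        if " " in base and len(base) > 20:
            reasons.append("sentence-like name on an executable")
    return reasons


def triage(attachment_names):
    """Map each attachment name to its findings, keeping only the flagged ones."""
    return {n: r for n in attachment_names if (r := assess_attachment_name(n))}


if __name__ == "__main__":
    # Constructed sample set; the first name is the one quoted in the article.
    sample = [
        "On the visit of the Paraguayan Foreign Minister to Turkmenistan.exe",
        "circular.pdf",
        "invoice.pdf.exe",
        "setup.exe",
    ]
    for name, reasons in triage(sample).items():
        print(name, "->", "; ".join(reasons))
```

Name-based checks are cheap and catch the lure shown in the article, but they are only a first filter: the same executable renamed to look innocuous, or delivered inside an archive, needs file-type and content inspection behind it.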
Whether via email or a vulnerability in a web server, Earth Krahang’s various targets end up downloading one or more backdoors.
In its earliest attacks, around 2022, the group used “RESHELL,” a fairly simple custom .NET tool for gathering information, deleting files, and executing system commands, with AES-encrypted command-and-control (C2) communication.
In 2023, the group moved to “XDealer,” which adds features including keylogging, screenshots, and clipboard stealing. In addition to being compatible with both Windows and Linux, XDealer is also notable because some of its loaders carry valid code signing certificates. Trend Micro speculates that these certificates, one belonging to a legitimate human resources company and the other to a game development company, were likely stolen to provide an additional layer of cover when dropping the malware onto new systems.
Earth Krahang has also made use of older threats like PlugX and ShadowPad, and often uses Cobalt Strike in combination with another open source tool (RedGuard) that keeps cybersecurity analysts from taking down its C2 infrastructure.
Because the threat actor is relatively straightforward, Guenther suggests that “standard best practices are recommended to protect against these TTPs. Organizations should enhance email security to defend against spear phishing, regularly update and patch their systems to protect themselves from known vulnerabilities and use network segmentation to limit the spread of an attacker within their networks. Monitoring anomalous network traffic and unusual access patterns can also help detect such campaigns early.”