Trend Micro - Infection Chain

2024-09-08 TrendMicro Earth Baxia Uses Spear-Phishing and GeoServer Exploit to Target APAC

Earth Baxia, a threat actor suspected to originate from China, has been targeting government organizations in Taiwan and other Asia-Pacific (APAC) countries, using spear-phishing emails and exploiting a vulnerability in GeoServer (CVE-2024-36401), a remote code execution (RCE) exploit. This exploit allowed the attackers to download or copy malicious components, which were then used to deploy customized Cobalt Strike payloads. Their modified Cobalt Strike version included altered signatures for evasion, and they introduced a new backdoor named EAGLEDOOR, which supports multiple communication protocols for payload delivery and information gathering.

The infection chain typically began with spear-phishing emails that delivered malicious attachments or links. These emails often contained decoy documents to lure victims. One of the key methods used by Earth Baxia is the GrimResource technique, which involves downloading files from public cloud services such as AWS and Aliyun. The payloads were injected into legitimate processes using AppDomainManager injection to avoid detection.

Earth Baxia's campaigns primarily targeted government agencies, telecommunication businesses, and the energy sector in countries such as Taiwan, South Korea, the Philippines, and Vietnam. Analysis of Cobalt Strike watermarks and server locations suggests a strong connection to China. During the attack, the group employed sophisticated malware-loading techniques, including DLL side-loading and process injection.

Key malware involved in these campaigns included Cobalt Strike and EAGLEDOOR. The latter used Telegram for command-and-control (C&C) communications and supported various protocols like DNS, HTTP, and TCP for data exfiltration. Earth Baxia utilized public cloud services to host malicious files, making it harder to track their activities. They also used tools like curl for exfiltrating data from victim systems.