China

A sophisticated hacking campaign attributed to a Chinese Advanced Persistent Threat (APT) group known as 'Earth Krahang' has breached 70 organizations and targeted at least 116 across 45 countries.

According to Trend Micro researchers monitoring the activity, the campaign has been underway since early 2022 and focuses primarily on government organizations.

Specifically, the hackers have compromised 48 government organizations, 10 of which are Foreign Affairs ministries, and targeted another 49 government agencies.

Victims map
Victims (red) and targets (yellow) map (Trend Micro)

The attackers exploit vulnerable internet-facing servers and use spear-phishing emails to deploy custom backdoors for cyberespionage.

Earth Krahang abuses its presence on breached government infrastructure to attack other governments, builds VPN servers on compromised systems, and performs brute-forcing to crack passwords for valuable email accounts.

Attack overview

The threat actors employ open-source tools to scan public-facing servers for specific vulnerabilities, such as CVE-2023-32315 (Openfire) and CVE-2022-21587 (Oracle Web Apps).

By exploiting these flaws, they deploy webshells to gain unauthorized access and establish persistence within victim networks.

Alternatively, they use spear-phishing as an initial access vector, with the messages themed around geopolitical topics to lure the recipients into opening the attachments or clicking on the links.

Once inside the network, Earth Krahang uses the compromised infrastructure to host malicious payloads, proxy attack traffic, and use hacked government email accounts to target its colleagues or other governments with spear-phishing emails.

"We noticed that Earth Krahang retrieves hundreds of email addresses from their targets during the reconnaissance phase," reads Trend Micro's report.

"In one case, the actor used a compromised mailbox from a government entity to send a malicious attachment to 796 email addresses belonging to the same entity."

Script used for sending out emails from the compromised account
Script used for sending out emails from the compromised account (redacted) (Trend Micro)

These emails contain malicious attachments that drop backdoors to the victims' computers, spreading the infection and achieving redundancy in the case of detection and cleanup.

Trend Micro says the attackers use compromised Outlook accounts to brute force Exchange credentials, while Python scripts that specialize in exfiltrating emails from Zimbra servers were also spotted.

Python script for collecting email data
Python script for collecting email data (Trend Micro)

The threat group also builds VPN servers on compromised public-facing servers using SoftEtherVPN to establish access to the private networks of their victims and further their ability to move laterally within those networks.

Having established their presence on the network, Eath Krahang deploys malware and tools such as Cobalt Strike, RESHELL, and XDealer, which provide command execution and data collection capabilities.

XDealer is the more sophisticated and complex of the two backdoors as it supports Linux and Windows and can take screenshots, log keystrokes, and intercept clipboard data.

Overview of the attack chain
Overview of the attack chain (Trend Micro)

Attribution

Trend Micro says it initially found ties between Earth Krahang and the China-nexus actor Earth Lusca, based on command and control (C2) overlaps, but determined that this is a separate cluster.

It is possible that both threat groups operate under the Chinese company I-Soon, working as a dedicated task force for cyberespionage on government entities.

Also, RESHELL has been previously associated with the 'Gallium' group and XDealer with the 'Luoyu' hackers. However, Trend Micro's insight shows these tools are likely shared between the threat actors, each using a distinct encryption key.

The complete list of the indicators of compromise (IoCs) for this Earth Krahang campaign is published separately here.

Related Articles:

UNC3886 hackers use Linux rootkits to hide on VMware ESXi VMs

Europol takes down 593 Cobalt Strike servers used by cybercriminals

Cisco warns of NX-OS zero-day exploited to deploy custom malware

Hackers use F5 BIG-IP malware to stealthily steal data for years

Plugins on WordPress.org backdoored in supply chain attack