Earth Kasha Malware Attacks Target Japan, Taiwan, and India
Quick take - Earth Kasha, a cyber threat actor monitored by Trend Micro, has carried out a series of advanced malware attacks since 2019, primarily against Japan, and has recently expanded to high-profile organizations in Taiwan and India. The group uses evolving tactics and exploits vulnerabilities in public-facing applications to steal sensitive information.
Fast Facts
- Earth Kasha, a cyber threat actor tracked by Trend Micro, has been targeting Japan since 2019 and has recently expanded its attacks to high-profile organizations in Taiwan and India.
- The malware LODEINFO has evolved significantly, with continuous updates introducing new commands and capabilities, including the ability to run DLLs or shellcode directly in memory.
- Recent campaigns exploit vulnerabilities in public-facing applications, notably SSL-VPN and file storage services, with specific vulnerabilities identified in Array AG, Proself, and FortiOS/FortiProxy.
- Earth Kasha employs spear-phishing techniques to gain initial access, primarily targeting public institutions and academic organizations, and has successfully compromised domain admin accounts.
- The group utilizes various backdoors, including LODEINFO and NOOPDOOR, with advanced communication methods and features aimed at stealing sensitive information.
Earth Kasha’s Evolving Cyber Threat: A Detailed Examination of Recent Malware Attacks
Earth Kasha, a cyber threat actor tracked by Trend Micro, has been implicated in a series of sophisticated malware attacks primarily targeting Japan since 2019. The malware, known as LODEINFO, has evolved significantly over the years. Its latest campaign, which commenced in early 2023, has extended its reach to include high-profile organizations in Taiwan and India, while maintaining Japan as the focal point.
Recent Tactics and Exploits
Earth Kasha has shifted from its earlier tactics to exploiting vulnerabilities in public-facing applications such as SSL-VPN and file storage services. Notable vulnerabilities exploited during this campaign include those identified in Array AG (CVE-2023-28461), Proself (CVE-2023-45727), and FortiOS/FortiProxy (CVE-2023-27997). The group has also used spear-phishing to gain initial access to networks, primarily targeting public institutions and academic organizations.
Once inside the networks, Earth Kasha has demonstrated advanced capabilities by deploying various backdoors, including LODEINFO, Cobalt Strike, and a newly discovered backdoor named NOOPDOOR. The primary objective of these attacks appears to be the theft of sensitive information. Earth Kasha employs legitimate Microsoft tools such as csvde.exe, nltest.exe, and quser.exe to gather Active Directory configurations and domain user information.
Malware Evolution and Features
The adversary has successfully compromised domain admin accounts, allowing it to deploy backdoors across multiple systems using SMB and other administrative tools. The malware LODEINFO has undergone continuous updates, with observed versions ranging from v0.6.9 to v0.7.3. These updates introduce new commands such as “pkill,” “ps,” “keylog,” “autorun,” and “runas.” Additionally, LODEINFO’s architecture now supports running DLLs or shellcode directly in memory.
NOOPDOOR introduces new features, such as position-independent code and daily-changing command-and-control (C&C) domains. It employs both active and passive communication modes. Its active mode communicates over TCP/443, while passive mode listens on TCP/47000. Encrypted communications utilize RSA and symmetric ciphers.
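As an added defensive example (not code from the original report or from Trend Micro), the following Python script turns two behaviours described in the sections above into detection checks: a burst of the Active Directory reconnaissance tools the report names (csvde.exe, nltest.exe, quser.exe) run by one user on one host within a short window, and a listening socket on the NOOPDOOR passive-mode port TCP/47000 that is absent from a per-host baseline. The key=value event format, the sample events, the listener inventory and the port baseline are all constructed for this example; the ten-minute window and the baseline are assumptions to tune for a real environment. Active-mode traffic over TCP/443 cannot be distinguished by port alone, so this example does not attempt to flag it.

```python
"""Detection checks derived from the Earth Kasha tradecraft described above.
All sample data below is constructed for this example."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Living-off-the-land reconnaissance tools named in the report.
RECON_TOOLS = {"csvde.exe", "nltest.exe", "quser.exe"}
# NOOPDOOR passive-mode listener port named in the report.
NOOPDOOR_PASSIVE_PORT = 47000

# Constructed process-creation events in an assumed key=value log shape.
SAMPLE_PROCESS_EVENTS = r"""
ts=2024-03-01T09:00:05Z host=WS01 user=CORP\alice image=C:\Windows\System32\nltest.exe cmd="nltest /dclist:corp"
ts=2024-03-01T09:00:41Z host=WS01 user=CORP\alice image=C:\Windows\System32\quser.exe cmd="quser"
ts=2024-03-01T09:02:10Z host=WS01 user=CORP\alice image=C:\Windows\System32\csvde.exe cmd="csvde -f out.csv"
ts=2024-03-01T10:15:00Z host=WS02 user=CORP\bob image=C:\Windows\System32\quser.exe cmd="quser"
ts=2024-03-01T11:30:00Z host=WS03 user=CORP\carol image=C:\Windows\System32\notepad.exe cmd="notepad.exe"
""".strip().splitlines()

# Constructed listener inventory: (host, pid, image, listening TCP port).
SAMPLE_LISTENERS = [
    ("WS01", 1337, r"C:\Users\alice\AppData\Local\Temp\svc.exe", 47000),
    ("WS02", 4, "System", 445),
    ("DC01", 712, r"C:\Windows\System32\svchost.exe", 443),
]

# Assumed per-host baseline of ports that are expected to be listening.
EXPECTED_PORTS = {"WS01": {445}, "WS02": {445}, "DC01": {88, 389, 443, 445}}

# key=value pairs; values may be double-quoted (with backslash escapes) or bare.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_event(line: str) -> dict:
    """Parse one key=value event line; quoted values lose their quotes."""
    fields = {}
    for key, value in KV_RE.findall(line):
        fields[key] = value[1:-1] if value.startswith('"') else value
    fields["ts"] = datetime.strptime(fields["ts"], "%Y-%m-%dT%H:%M:%SZ")
    # Image basename, lower-cased, so paths and casing do not defeat the match.
    fields["basename"] = fields["image"].rsplit("\\", 1)[-1].lower()
    return fields


def find_recon_bursts(lines, window=timedelta(minutes=10), min_tools=2):
    """Report (host, user) pairs that ran at least `min_tools` distinct
    reconnaissance tools within `window`. One run of quser alone is noise;
    nltest + quser + csvde in minutes looks like AD enumeration."""
    runs = defaultdict(list)
    for ev in map(parse_event, lines):
        if ev["basename"] in RECON_TOOLS:
            runs[(ev["host"], ev["user"])].append((ev["ts"], ev["basename"]))
    hits = []
    for (host, user), items in runs.items():
        items.sort()
        for i, (start, _) in enumerate(items):
            tools = {name for ts, name in items[i:] if ts - start <= window}
            if len(tools) >= min_tools:
                hits.append({"host": host, "user": user, "tools": sorted(tools)})
                break  # one finding per (host, user) is enough
    return hits


def find_unexpected_listeners(listeners, expected=EXPECTED_PORTS):
    """Flag listening sockets missing from the per-host baseline, tagging the
    NOOPDOOR passive-mode port explicitly so it sorts to the top of triage."""
    findings = []
    for host, pid, image, port in listeners:
        if port in expected.get(host, set()):
            continue
        reason = ("noopdoor-passive-port" if port == NOOPDOOR_PASSIVE_PORT
                  else "not-in-baseline")
        findings.append({"host": host, "pid": pid, "image": image,
                         "port": port, "reason": reason})
    return findings


if __name__ == "__main__":
    for hit in find_recon_bursts(SAMPLE_PROCESS_EVENTS):
        print("recon burst:", hit)
    for finding in find_unexpected_listeners(SAMPLE_LISTENERS):
        print("unexpected listener:", finding)
```

On the constructed sample, only WS01/alice triggers the reconnaissance check, and only the WS01 process bound to TCP/47000 is reported as an unexpected listener. Feeding real data means exporting process-creation events (Sysmon event ID 1 or Windows security event 4688) into the key=value shape, or adapting parse_event to the SIEM's own format, and building the port baseline from a known-good inventory rather than the hard-coded dictionary here.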
Credential Theft and Threat Intelligence
Earth Kasha’s tactics have included the use of a credential-stealing malware called MirrorStealer, which targets a range of applications to extract stored credentials. Analysis of the spear-phishing campaign from 2023 to early 2024 supports a medium-confidence attribution to Earth Kasha. The ongoing LODEINFO campaigns show parallels in malware usage and victimology. There are indications that 0-day vulnerabilities may be shared among actors affiliated with China.
Trend Micro Vision One continues to provide crucial threat intelligence and insights, helping organizations prepare for and respond to these evolving cyber threats.