Earth Kasha’s New Tactics: A Game-Changer for Targeting Organizations

Earth Kasha, a threat actor linked to APT10 Umbrella, has recently evolved their tactics, targeting public institutions and academics with updated spear-phishing emails and advanced malware like LODEINFO.

Japan remains its primary target, but the group has expanded operations to Taiwan and India, and its victimology now reaches beyond advanced-technology companies and government organizations.

For initial access the group exploits vulnerabilities in internet-facing enterprise products such as Array AG SSL VPN appliances, the Proself file-sharing server, and FortiOS/FortiProxy, then deploys backdoors (Cobalt Strike, LODEINFO, NOOPDOOR) to maintain persistence.

An overview of relationships of Earth Kasha

Earth Kasha's initial reconnaissance of the Active Directory environment relied on legitimate tools rather than custom malware.

It then deployed its custom MirrorStealer malware to harvest credentials stored by various applications, using them to gain deeper access and compromise additional systems.

On an Active Directory server it abused vssadmin to create a volume shadow copy, from which the domain's credential hashes could be extracted, then compromised domain admin accounts, deployed backdoors, and exfiltrated sensitive data, including network diagrams and user lists, over SMB and RDP.
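The shadow-copy route to the Active Directory database leaves a recognisable process-creation trail on the domain controller. The program below is an added example written for this article, not code from the Trend Micro report or from Earth Kasha's tooling: it runs simple detection logic over a constructed sequence of Windows process-creation events (Security 4688 / Sysmon Event ID 1 fields). The hostname-based isDomainController check and the sample events are assumptions made for the demonstration; a real deployment would use an asset inventory.

```go
package main

import (
	"fmt"
	"strings"
)

// ProcEvent is a minimal process-creation record (Security 4688 / Sysmon Event ID 1).
type ProcEvent struct {
	Host, Image, CommandLine string
}

// Finding pairs a rule name with the event that triggered it.
type Finding struct {
	Rule  string
	Event ProcEvent
}

// isDomainController stands in for an asset-inventory lookup.
// Assumption for this example: hostnames beginning with "DC" are domain controllers.
func isDomainController(host string) bool {
	return strings.HasPrefix(strings.ToUpper(host), "DC")
}

// DetectNTDSDump flags the shadow-copy route to the AD database:
//  1. vssadmin creating a shadow copy on a domain controller
//  2. ntds.dit or the SYSTEM hive being copied out of a HarddiskVolumeShadowCopy path
//  3. reg.exe saving HKLM\SYSTEM (the boot key needed to decrypt the hashes)
//  4. vssadmin deleting shadow copies afterwards (cleanup)
func DetectNTDSDump(events []ProcEvent) []Finding {
	var out []Finding
	for _, e := range events {
		img := strings.ToLower(e.Image)
		cl := strings.ToLower(e.CommandLine)
		switch {
		case strings.HasSuffix(img, "vssadmin.exe") && strings.Contains(cl, "create shadow") && isDomainController(e.Host):
			out = append(out, Finding{"vssadmin_create_shadow_on_dc", e})
		case strings.Contains(cl, "harddiskvolumeshadowcopy") &&
			(strings.Contains(cl, "ntds.dit") || strings.Contains(cl, `\system32\config\system`)):
			out = append(out, Finding{"ntds_or_system_hive_copied_from_shadow", e})
		case strings.HasSuffix(img, "reg.exe") && strings.Contains(cl, " save ") && strings.Contains(cl, `hklm\system`):
			out = append(out, Finding{"reg_save_system_hive", e})
		case strings.HasSuffix(img, "vssadmin.exe") && strings.Contains(cl, "delete shadows"):
			out = append(out, Finding{"vssadmin_delete_shadows", e})
		}
	}
	return out
}

// SampleEvents is a constructed sequence, not data from any real incident.
var SampleEvents = []ProcEvent{
	{"FS01", `C:\Windows\System32\vssadmin.exe`, `vssadmin create shadow /for=D:`}, // backup job on a file server: not flagged
	{"DC01", `C:\Windows\System32\vssadmin.exe`, `vssadmin create shadow /for=C:`},
	{"DC01", `C:\Windows\System32\cmd.exe`, `cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\ntds.dit C:\Windows\Temp\n.dit`},
	{"DC01", `C:\Windows\System32\reg.exe`, `reg save HKLM\SYSTEM C:\Windows\Temp\sys.hiv`},
	{"DC01", `C:\Windows\System32\vssadmin.exe`, `vssadmin delete shadows /all /quiet`},
}

func main() {
	for _, f := range DetectNTDSDump(SampleEvents) {
		fmt.Printf("[%s] %s: %s\n", f.Event.Host, f.Rule, f.Event.CommandLine)
	}
}
```

Each rule on its own fires on legitimate backup tooling now and then; the value is in correlating them on the same host within a short window, with the file-server event above showing why the domain-controller scoping matters.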

Execution flow of GOSICLOADER

During the most recent campaign, Earth Kasha utilized a wide variety of backdoors, some of which were Cobalt Strike, LODEINFO, and the novel NOOPDOOR.

A shellcode loader written in Go called GOSICLOADER was utilized in order to deploy Cobalt Strike in memory, thereby avoiding the use of conventional file-based detection mechanisms.

In recent campaigns the group has also been observed using a modified Cobalt Strike agent (CSAgent) and the LODEINFO backdoor, executing LODEINFO through DLL side-loading and digital-signature abuse: the RC4-encrypted payload is embedded in the digital signature area of a signed executable. Because the Authenticode hash does not cover the certificate table, the file's signature still verifies, an approach that underlines the group's adaptability and persistence.

Embedded encrypted payload and RC4 in digital signature

LODEINFOLDR Type 2 is an updated version of the LODEINFO loader previously seen in the 2022 LiberalFace campaign; it can execute DLLs and shellcode in memory, and the LODEINFO backdoor it delivers has gained new commands, pointing to continued development by the same threat actor.

NOOPLDR, the loader for a previously undocumented backdoor named NOOPDOOR, comes in two forms: an XML file (an MSBuild project whose inline C# task is executed by the legitimate MSBuild.exe) and a DLL. It stores the encrypted NOOPDOOR payload under a key derived from device-specific values, so a copy of the payload taken off the infected host cannot be decrypted without that host's key material.

The loader decrypts the payload with AES-256-CBC and then compares SHA-256 and SHA-384 hashes of the result against stored values. Plain hashes only confirm integrity (that decryption produced the expected bytes); they are not a signature and do not prove authenticity.
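The decrypt-then-verify step described in the two paragraphs above is worth seeing end to end, in particular why a device-specific key stops the payload from being recovered on an analyst's machine. The Go program below is an added example written for this article, not NOOPLDR's code: the key derivation (SHA-256 over a machine GUID and computer name), the blob layout (IV, SHA-256, SHA-384, ciphertext), the host identifiers and the sample payload are assumptions; only the sequence of AES-256-CBC decryption followed by SHA-256 and SHA-384 checks mirrors what the report describes. Wrap exists only to build the sample; a loader would ship with the blob already built.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"crypto/sha512"
	"crypto/subtle"
	"errors"
	"fmt"
)

// DeriveDeviceKey binds the payload to one host. Assumption for this example
// (not NOOPLDR's real derivation): key = SHA-256(MachineGuid | computer name).
func DeriveDeviceKey(machineGUID, computerName string) []byte {
	sum := sha256.Sum256([]byte(machineGUID + "|" + computerName))
	return sum[:]
}

// Hypothetical blob layout used here: iv(16) | sha256(plain)(32) | sha384(plain)(48) | ciphertext.
const (
	ivLen  = aes.BlockSize
	hdrLen = ivLen + sha256.Size + sha512.Size384
)

func pkcs7Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte) ([]byte, error) {
	if len(b) == 0 || len(b)%aes.BlockSize != 0 {
		return nil, errors.New("bad length")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad padding")
	}
	return b[:len(b)-n], nil
}

// Wrap produces a device-bound blob; used only to construct the sample for this example.
func Wrap(plain, key []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	iv := make([]byte, ivLen)
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	h256 := sha256.Sum256(plain)
	h384 := sha512.Sum384(plain)
	padded := pkcs7Pad(append([]byte(nil), plain...))
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	return append(append(append(iv, h256[:]...), h384[:]...), ct...), nil
}

// Unwrap is the loader-side logic: decrypt with the local device key, then verify
// both digests. Another host derives a different key, so decryption yields garbage
// and either the padding check or the digest comparison fails.
func Unwrap(blob, key []byte) ([]byte, error) {
	if len(blob) < hdrLen+aes.BlockSize || (len(blob)-hdrLen)%aes.BlockSize != 0 {
		return nil, errors.New("malformed blob")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	iv := blob[:ivLen]
	want256 := blob[ivLen : ivLen+sha256.Size]
	want384 := blob[ivLen+sha256.Size : hdrLen]
	ct := blob[hdrLen:]
	padded := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(padded, ct)
	plain, err := pkcs7Unpad(padded)
	if err != nil {
		return nil, errors.New("decryption failed (wrong device key?)")
	}
	got256 := sha256.Sum256(plain)
	got384 := sha512.Sum384(plain)
	if subtle.ConstantTimeCompare(got256[:], want256) != 1 || subtle.ConstantTimeCompare(got384[:], want384) != 1 {
		return nil, errors.New("digest mismatch (payload modified or wrong device key)")
	}
	return plain, nil
}

func main() {
	payload := []byte("constructed sample payload standing in for NOOPDOOR")
	keyA := DeriveDeviceKey("guid-of-host-a", "WKS-A") // constructed identifiers
	blob, err := Wrap(payload, keyA)
	if err != nil {
		panic(err)
	}
	_, errSame := Unwrap(blob, keyA)
	_, errOther := Unwrap(blob, DeriveDeviceKey("guid-of-host-b", "WKS-B"))
	fmt.Println("intended host:", errSame, "| other host:", errOther)
}
```

The practical consequence for responders is that a NOOPLDR blob copied off disk is useless on its own: the device-specific inputs (or a memory capture of the running loader) have to be collected from the infected host before it is rebuilt.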

Detailed logic of DGA

NOOPDOOR is a sophisticated backdoor with two communication modes: an active mode that beacons out over TCP/443 to C&C domains produced each day by a domain generation algorithm (DGA), and a passive mode that listens on TCP/47000 for inbound connections. Traffic is protected with a combination of RSA and symmetric encryption.
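To make the DGA point concrete, here is an added example of a date-seeded domain generation algorithm together with the defender-side step that follows from it: once the algorithm and its secret have been recovered from a sample, the domains for the coming days can be precomputed and blocked or sinkholed. This is illustrative code written for this article and is not NOOPDOOR's algorithm, which the article does not detail; the secret, the 12-letter label length, the TLD list and the fixed date are assumptions.

```go
package main

import (
	"crypto/sha256"
	"fmt"
	"time"
)

const letters = "abcdefghijklmnopqrstuvwxyz"

// DailyDomains returns the candidate C&C domains for one calendar day.
// Illustrative construction only; NOOPDOOR's real algorithm is not reproduced:
// digest = SHA-256(secret | YYYY-MM-DD | index), 12 letters taken from the
// digest bytes, TLD chosen by the last digest byte. Changing the day changes
// every domain, which is what makes a static blocklist useless against a DGA.
func DailyDomains(secret string, day time.Time, count int, tlds []string) []string {
	out := make([]string, 0, count)
	date := day.UTC().Format("2006-01-02")
	for i := 0; i < count; i++ {
		d := sha256.Sum256([]byte(fmt.Sprintf("%s|%s|%d", secret, date, i)))
		label := make([]byte, 12)
		for j := range label {
			label[j] = letters[int(d[j])%len(letters)]
		}
		out = append(out, string(label)+"."+tlds[int(d[len(d)-1])%len(tlds)])
	}
	return out
}

// Blocklist is the defender's side: with the secret and algorithm in hand,
// domains for the next `days` days are precomputed, keyed to the day they are valid.
func Blocklist(secret string, from time.Time, days, perDay int, tlds []string) map[string]string {
	bl := make(map[string]string, days*perDay)
	for d := 0; d < days; d++ {
		day := from.AddDate(0, 0, d)
		for _, dom := range DailyDomains(secret, day, perDay, tlds) {
			bl[dom] = day.UTC().Format("2006-01-02")
		}
	}
	return bl
}

func main() {
	tlds := []string{"com", "net"}
	today := time.Date(2024, 11, 20, 0, 0, 0, 0, time.UTC) // fixed date so the output is reproducible
	for _, dom := range DailyDomains("constructed-seed", today, 3, tlds) {
		fmt.Println(today.Format("2006-01-02"), dom)
	}
	fmt.Println("blocklist entries for the next 7 days:", len(Blocklist("constructed-seed", today, 7, 3, tlds)))
}
```

Two things carry over to any real DGA: the generator must be fully deterministic from (secret, date), otherwise the operator could not register the same domains the implant will try, and the daily rollover means detection should key on the pattern of many fresh NXDOMAIN lookups rather than on any individual name.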

The backdoor integrates anti-analysis strategies and provides support for a wide range of modules that can be used for a variety of malicious activities.

MirrorStealer, a credential stealer often paired with NOOPDOOR, harvests credentials saved by browsers, email clients, Group Policy Preferences, and SQL Server Management Studio. It does not transmit them itself: it writes them to a temporary file, which the attacker retrieves manually and then deletes.

Recent analysis by Trend Micro reveals Earth Kasha’s new campaign, demonstrating TTP evolution from previous LODEINFO campaigns and potential overlap with Earth Tengshe’s A41APT campaign. 


Kaaviya (https://cyberpress.org/)
Kaaviya is a Security Editor and reporter with Cyber Press, covering cyber security incidents across cyberspace.
