Earth Kasha, a threat actor associated with the APT10 umbrella, has recently evolved its tactics, targeting public institutions and academics with updated spear-phishing emails and advanced malware such as LODEINFO.
Japan remains its primary target, but the group has expanded its operations to Taiwan and India while continuing to concentrate on advanced-technology and government organizations.
The group leverages vulnerabilities in enterprise products like Array AG, Proself, and FortiOS/FortiProxy for initial access, followed by backdoor deployments (Cobalt Strike, LODEINFO, NOOPDOOR) to maintain persistence.
After gaining access, Earth Kasha enumerated the Active Directory environment with legitimate tools.
It then deployed custom malware, MirrorStealer, to harvest credentials stored by various applications in order to move deeper into the network and compromise additional systems.
It abused vssadmin to create a shadow copy on the Active Directory server and dump the credential hashes held in the AD database, compromised domain administrator accounts, deployed backdoors, and exfiltrated sensitive data, including network diagrams and user lists, over SMB and RDP.
In the most recent campaign, Earth Kasha used a wide variety of backdoors, including Cobalt Strike, LODEINFO, and the newly identified NOOPDOOR.
GOSICLOADER, a shellcode loader written in Go, was used to run Cobalt Strike entirely in memory, sidestepping conventional file-based detection.
Recent campaigns also featured a modified Cobalt Strike agent (CSAgent) and the LODEINFO backdoor, with DLL side-loading and abuse of digital signatures used to execute LODEINFO, demonstrating the group's adaptability and persistence.
LODEINFOLDR Type 2, a LODEINFO loader variant previously seen in the 2022 LiberalFace campaign, can execute DLLs and shellcode in memory and has gained new backdoor commands, indicating continued development by the same threat actor.
The NOOPLDR loader, delivered either as an XML project file or as a DLL, abuses MSBuild to execute embedded C# code; it stores the previously undocumented NOOPDOOR backdoor in encrypted form, using device-specific keys.
The loader decrypts the payload with AES-256-CBC and then validates its integrity against SHA256 and SHA384 hashes.
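Two of the behaviours described above, vssadmin creating a shadow copy so that credential material can be pulled off the AD server, and MSBuild executing an XML project so that inline C# runs, leave process-creation telemetry that is cheap to hunt for. The following Python is an added example of that hunt and is not code from Trend Micro or from the malware; the log lines it parses are constructed to mimic Sysmon Event ID 1 fields (host, user, parent image, image, command line), and the heuristics (for example, treating an MSBuild project under Temp or AppData as suspicious) are assumptions to tune for your environment.

```python
"""Hunt for two Earth Kasha TTPs in process-creation telemetry.

Added example, not Trend Micro's or the actor's code. Flags:
  1. vssadmin creating a shadow copy (used to copy the AD database
     off a live domain controller);
  2. ntds.dit being read out of a shadow-copy device path;
  3. MSBuild launched against an .xml project or a project in a
     user-writable directory (the NOOPLDR XML variant).
The sample events below are constructed, pipe-delimited approximations
of Sysmon Event ID 1 fields; adapt parse_event() to your real source.
"""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    rule: str
    host: str
    user: str
    image: str
    command_line: str


# Constructed sample telemetry: host|user|parent image|image|command line
SAMPLE_EVENTS = r"""
DC01|CORP\svc_backup|C:\Windows\System32\cmd.exe|C:\Windows\System32\vssadmin.exe|vssadmin create shadow /for=C:
DC01|CORP\svc_backup|C:\Windows\System32\cmd.exe|C:\Windows\System32\cmd.exe|cmd /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3\Windows\NTDS\ntds.dit C:\Temp\n.dit
WS07|CORP\alice|C:\Windows\explorer.exe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe|MSBuild.exe C:\Users\alice\AppData\Local\Temp\update.xml
BLD01|CORP\jenkins|C:\Program Files\Jenkins\jenkins.exe|C:\Program Files\Microsoft Visual Studio\2022\BuildTools\MSBuild\Current\Bin\MSBuild.exe|MSBuild.exe D:\src\app\app.csproj /p:Configuration=Release
WS07|CORP\alice|C:\Windows\explorer.exe|C:\Windows\System32\vssadmin.exe|vssadmin list shadows
"""

SHADOW_CREATE = re.compile(r"\bcreate\s+shadow\b", re.I)
NTDS_FROM_SHADOW = re.compile(r"HarddiskVolumeShadowCopy\d+.*ntds\.dit", re.I)
# Assumed list of user-writable locations where a build project is unexpected.
USER_WRITABLE = re.compile(r"\\(temp|appdata|users\\public|programdata)\\", re.I)


def parse_event(line: str) -> dict:
    """Split one constructed pipe-delimited event into named fields."""
    host, user, parent, image, cmdline = line.split("|", 4)
    return {"host": host, "user": user, "parent": parent,
            "image": image, "cmdline": cmdline}


def _image_name(image: str) -> str:
    return image.rsplit("\\", 1)[-1].lower()


def evaluate(ev: dict) -> list:
    """Return the findings (possibly several) for a single event."""
    findings = []
    name = _image_name(ev["image"])
    cmd = ev["cmdline"]

    def hit(rule):
        findings.append(Finding(rule, ev["host"], ev["user"], ev["image"], cmd))

    # Rule 1: vssadmin creating a shadow copy ("list shadows" is not flagged).
    if name == "vssadmin.exe" and SHADOW_CREATE.search(cmd):
        hit("vssadmin_shadow_create")
    # Rule 2: the AD database being read from a shadow-copy device path.
    if NTDS_FROM_SHADOW.search(cmd):
        hit("ntds_from_shadow_copy")
    # Rule 3: MSBuild given an .xml project or a project in a user-writable path.
    if name == "msbuild.exe":
        args = cmd.split()[1:]
        project = next((a for a in args if not a.startswith(("/", "-"))), "")
        if project.lower().endswith(".xml") or USER_WRITABLE.search(project):
            hit("msbuild_inline_task")
    return findings


def hunt(text: str) -> list:
    """Run every rule over each non-empty line of telemetry."""
    out = []
    for line in text.splitlines():
        if line.strip():
            out.extend(evaluate(parse_event(line)))
    return out


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f.rule:24} {f.host:6} {f.user:18} {f.command_line}")
```

The Jenkins build-server line is deliberately left unflagged: MSBuild compiling a .csproj from a source tree is normal, and the point of rule 3 is the combination of MSBuild with an .xml project in a location that a phished user can write to. On hosts where developers legitimately build from their profile, tune USER_WRITABLE or add a parent-process condition rather than dropping the rule.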
NOOPDOOR itself is a sophisticated backdoor with an active mode (connecting out over TCP/443) and a passive mode (listening on TCP/47000); it uses a DGA to generate a new C&C domain each day and protects its traffic with a combination of RSA and symmetric encryption.
The backdoor integrates anti-analysis strategies and provides support for a wide range of modules that can be used for a variety of malicious activities.
MirrorStealer, a credential stealer often deployed alongside NOOPDOOR, harvests credentials from browsers, email clients, Group Policy Preferences, and SQL Server Management Studio, writing them to a temporary file that the operator retrieves manually and then deletes.
Trend Micro's recent analysis of this new campaign shows Earth Kasha's TTPs evolving from its previous LODEINFO campaigns and notes a possible overlap with Earth Tengshe's A41APT campaign.