Earth Baku Unleashes Custom Tools to Maintain Persistence & Steal Sensitive Data

Earth Baku, an APT actor linked to APT41, has expanded operations from the Indo-Pacific to Europe, the Middle East, and Africa since late 2022, targeting countries including Italy, Germany, the UAE, and Qatar. 

The group leverages compromised IIS servers to deploy sophisticated malware like StealthVector, StealthReacher, and the modular SneakCross backdoor. 

These tools, employing techniques such as AES encryption and code obfuscation, facilitate persistence, data exfiltration, and command-and-control using Google services. 

Threat actor Earth Baku, initially focused on the Indo-Pacific, has expanded operations to Europe, the Middle East, and Africa, targeting Italy, Germany, the UAE, and Qatar, with potential threats to Georgia and Romania. 

Critical infrastructure sectors, including government, media, telecom, technology, healthcare, and education, are prioritized across these regions, indicating a broad-spectrum espionage campaign. 

The infection vector of recent campaigns

It leverages publicly accessible IIS servers to deploy the Godzilla webshell, granting initial access. Subsequently, they introduce the StealthVector, Cobalt Strike, and SneakCross backdoors using this foothold. 

To maintain persistent control, the group establishes reverse tunnels via publicly available tools and employs MEGAcmd for potential data exfiltration. 

Earth Baku employs StealthVector, a custom backdoor loader, to silently deploy its backdoor components. This year, the threat actor expanded its arsenal with CobaltStrike and SneakCross (alias MoonWalk) loaders indicate a strategic shift towards more versatile and potentially evasive techniques for initial access and subsequent command-and-control operations. 

Obfuscated main function by code virtualizer

The newly discovered StealthVector malware closely resembles its 2021 predecessor, maintaining a similar configuration structure while adopting AES encryption in place of custom ChaCha20. 

To evade detection, the malware disables Event Tracing for Windows and Control Flow Guard, hollowing legitimate DLLs to conceal malicious code and ensuring stealthy execution of backdoor components. 

StealthReacher, an evolution of StealthVector, employs advanced obfuscation like FNV1-a to evade defenses by utilizing AES encryption and MD5 hashing for payload protection. Unlike its predecessor, StealthReacher serves as the exclusive loader for the new modular backdoor, SneakCross. 

Both malware variants implement a dynamic re-encryption layer using XOR and the victim’s computer name, significantly hindering digital forensic analysis due to the complexity of decrypting time-variant payloads. 

Map chart for Earth Baku’s scope of potential impact

According to Trend Micro, SneakCross, a modular backdoor succeeding ScrambleCross, leverages Google services for C2 communication and employs Windows Fibers to evade detection. 

Its modular architecture supports diverse functionalities through at least 15 identified plugins, encompassing shell, file, and process operations, network probing and manipulation, screen capture, system information gathering, keylogging, Active Directory interaction, file upload, RDP, DNS control, registry modification, and more. 

By employing sophisticated tactics, Earth Baku leverages tools like customized iox, Rakshasa, and Tailscale for persistent access while utilizing Megacmd for exfiltrating stolen data. 

The group has expanded its operations beyond the Indo-Pacific, demonstrating advanced capabilities with tools like Godzilla Webshell, StealthVector, StealthReacher, and SneakCross for initial access, lateral movement, and command-and-control. 

Also Read:

Kaaviya
Kaaviyahttps://cyberpress.org/
Kaaviya is a Security Editor and fellow reporter with Cyber Press. She is covering various cyber security incidents happening in the Cyber Space.

Recent Articles

Related Stories

LEAVE A REPLY

Please enter your comment!
Please enter your name here