Earth Baxia

APT Group | Information theft and espionage | 4 zero-day CVEs | ETDA ✓

Also Known As

No alias recorded

Target Countries 7

China; Japan; Republic of Korea; Philippines; Thailand; Taiwan, Province of China; Vietnam

Details

Origin 🇨🇳 CN
Last Updated 23 Sep 2024

MITRE ATT&CK 60

T1021.002 - SMB/Windows Admin Shares
T1027 - Obfuscated Files or Information
T1036.004 - Masquerade Task or Service
T1041 - Exfiltration Over C2 Channel
T1055 - Process Injection
T1056 - Input Capture
T1059 - Command and Scripting Interpreter
T1059.001 - PowerShell
T1068 - Exploitation for Privilege Escalation
T1070.004 - File Deletion
T1071 - Application Layer Protocol
T1071.001 - Web Protocols
T1071.003 - Mail Protocols
T1071.004 - DNS
T1078 - Valid Accounts
T1102 - Web Service
T1102.002 - Bidirectional Communication
T1106 - Native API
T1127 - Trusted Developer Utilities Proxy Execution
T1140 - Deobfuscate/Decode Files or Information
T1190 - Exploit Public-Facing Application
T1218.011 - Rundll32
T1486 - Data Encrypted for Impact
T1490 - Inhibit System Recovery
T1543.003 - Windows Service
T1547 - Boot or Logon Autostart Execution
T1547.009 - Shortcut Modification
T1553 - Subvert Trust Controls
T1562.001 - Disable or Modify Tools
T1566 - Phishing
T1566.001 - Spearphishing Attachment
T1566.002 - Spearphishing Link
T1570 - Lateral Tool Transfer
T1573 - Encrypted Channel
T1573.001 - Symmetric Cryptography
T1574 - Hijack Execution Flow
T1574.002 - DLL Side-Loading
T1584.006 - Web Services
T1587.001 - Malware
T1587.003 - Digital Certificates
T1588.001 - Malware
T1588.002 - Tool