The China-backed threat actor known as Earth Baku has expanded its targeting beyond the Indo-Pacific to include Europe, the Middle East and Africa since late 2022.
New countries targeted by the operation include Italy, Germany, the UAE and Qatar, with suspected attacks also detected in Georgia and Romania. Governments, media and communications, telecommunications, technology, healthcare and education are among the sectors singled out in the wave of intrusions.
“The group has updated its tools, tactics and procedures (TTPs) in recent campaigns by using public applications such as IIS servers as entry points for attacks, after which they deploy sophisticated malware toolkits in the victim’s environment,” Trend Micro researchers Ted Lee and Theo Chen said in an analysis published last week.
The findings build on recent reports from Zscaler and Google-owned Mandiant, which also detailed the threat actor’s use of malware families such as DodgeBox (aka DUSTPAN) and MoonWalk (aka DUSTTRAP). Trend Micro has given them the names StealthReacher and SneakCross.
Earth Baku, a threat actor affiliated with APT41, is known for its use of StealthVector as early as October 2020. Attack chains involve the exploitation of publicly accessible applications to drop the Godzilla web shell, which is then used to deliver subsequent payloads.
StealthReacher has been classified as an improved version of the StealthVector backdoor loader and is responsible for launching SneakCross, a modular implant and likely successor to ScrambleCross that uses Google services for command-and-control (C2) communication.
The attacks are also characterized by the use of other post-exploitation tools such as iox, Rakshasa and a virtual private network (VPN) service known as Tailscale. Exfiltration of sensitive data to MEGA cloud storage is carried out using a command-line utility called MEGAcmd.
“The group used new bootloaders such as StealthVector and StealthReacher to stealthily launch backdoor components, and added SneakCross as the final modular backdoor,” the researchers said.
“Earth Baku also used several tools during its post-exploitation, including a customized iox tool, Rakshasa, TailScale for persistence, and MEGAcmd for efficient data theft.”