A suspected advanced persistent threat (APT) actor believed to operate out of China targeted a government organization in Taiwan, and possibly others in the Asia-Pacific (APAC) region, by exploiting a recently patched critical security flaw affecting OSGeo GeoServer GeoTools.
The intrusion activity, discovered by Trend Micro in July 2024, has been attributed to a threat actor tracked as Earth Baxia.
“Based on the collected phishing emails, fraudulent documents, and incident observations, it appears that the primary targets are government agencies, telecommunications companies, and the energy industry in the Philippines, South Korea, Vietnam, Taiwan, and Thailand,” researchers Ted Li, Cyrus Zeng, Pierre Li, Sunny Lu, and Philip Chen said.
The discovery of decoy documents written in simplified Chinese indicated that China was also among the affected countries, although the cybersecurity company said it did not have enough information to determine which sectors within the country were targeted.
The multi-stage infection chain relies on two different initial-access techniques, phishing emails and exploitation of a GeoServer flaw (CVE-2024-36401, CVSS score: 9.8), to eventually deliver Cobalt Strike and a previously unknown backdoor, code-named EAGLEDOOR, that allows for intelligence gathering and payload delivery.
“The actor uses GrimResource and AppDomainManager injection to deploy additional payloads to lower the victim’s defenses,” the researchers noted, adding that the first method is used to download the next stage of the malware via a rogue MSC file called RIPCOY embedded in a ZIP archive.
It is worth noting that the Japanese cybersecurity company NTT Security Holdings recently detailed an activity cluster with links to APT41 that it said used the same two techniques to target Taiwan, the Philippine military, and Vietnamese energy organizations.
The two sets of intrusions are likely related, given the overlapping use of Cobalt Strike command-and-control (C2) domains impersonating Amazon Web Services and Microsoft Azure (e.g., “s3cloud-azure”, “s2cloud-amazon”, and “s3bucket-azure”) as well as Trend Micro itself (“trendmicrotech”).
The ultimate goal of the attacks is to deploy a customized variant of Cobalt Strike that acts as a launch pad for the EAGLEDOOR backdoor (“Eagle.dll”), which is loaded via DLL side-loading.
The malware supports four ways to communicate with the C2 server: DNS, HTTP, TCP, and Telegram. While the first three protocols are used only to report victim status, the main functionality is implemented through the Telegram Bot API, which is used to upload and download files and execute additional payloads. Collected data is exfiltrated using curl.exe.
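Two of the observables above are cheap to hunt for in existing telemetry: outbound connections to domains that borrow cloud-provider brand names but are not under the providers' real domains, and curl.exe (or any process) calling the Telegram Bot API. The script below is an added example written for this article, not code from Trend Micro or from the EAGLEDOOR samples. The pipe-separated log format, the host names ending in the reserved .example TLD, the bot token, and the process names are all constructed; the list of legitimate base domains is a deliberately short illustrative allowlist, and production tooling should use the Public Suffix List rather than the two-label heuristic used here.

```python
"""Hunt for Earth Baxia-style C2 indicators in proxy/EDR network logs.

Added example; not part of the original report. Log format and sample
entries are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Iterator

# Registrable domains the impersonated brands actually use. Illustrative,
# not exhaustive: an assumed allowlist for this example.
LEGIT_BASES = frozenset({
    "amazonaws.com", "amazon.com",
    "azure.com", "azure.net", "microsoft.com", "windows.net",
    "trendmicro.com",
})

# Brand tokens taken from the impersonating C2 labels the article lists
# (s3cloud-azure, s2cloud-amazon, s3bucket-azure, trendmicrotech). The bare
# token "s3" is left out on purpose because it is too noisy on its own.
BRAND_TOKENS = ("s3cloud", "s3bucket", "s2cloud", "azure", "amazon", "trendmicro")

# Telegram Bot API calls have the shape /bot<numeric id>:<secret>/<method>.
TELEGRAM_HOST = "api.telegram.org"
TELEGRAM_BOT_RE = re.compile(r"^/bot\d+:[A-Za-z0-9_-]+/[A-Za-z]+")


@dataclass(frozen=True)
class Entry:
    ts: str
    host: str
    process: str
    dest_host: str
    path: str


def parse_log(text: str) -> Iterator[Entry]:
    """Parse the constructed format: ts|endpoint|process|dest_host|url_path."""
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw or raw.startswith("#"):
            continue
        parts = raw.split("|", 4)
        if len(parts) != 5:
            continue  # malformed line: skip it rather than abort the hunt
        yield Entry(*parts)


def registrable_domain(host: str) -> str:
    """Last two labels of the host. A real tool should consult the PSL."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_cloud_lookalike(host: str) -> bool:
    """Brand token in the registrable domain, but not a known-legit base."""
    base = registrable_domain(host)
    if base in LEGIT_BASES:
        return False
    return any(tok in base for tok in BRAND_TOKENS)


def classify(e: Entry) -> list[str]:
    """Return the list of hunt reasons that fire for one log entry."""
    reasons: list[str] = []
    dest = e.dest_host.lower()
    if is_cloud_lookalike(dest):
        reasons.append("cloud-lookalike-c2")
    if dest == TELEGRAM_HOST and TELEGRAM_BOT_RE.match(e.path):
        reasons.append("telegram-bot-api")
    if e.process.lower() == "curl.exe" and dest == TELEGRAM_HOST:
        reasons.append("curl-exfil-to-telegram")
    return reasons


def hunt(text: str) -> list[tuple[Entry, list[str]]]:
    """All entries that trigger at least one reason, in log order."""
    return [(e, r) for e in parse_log(text) if (r := classify(e))]


# Constructed sample telemetry; lookalike hosts use the reserved .example TLD
# and the bot token is a placeholder, not a real credential.
SAMPLE_LOG = """\
# ts|endpoint|process|dest_host|url_path
2024-07-12T03:14:05Z|WS-0421|chrome.exe|s3.amazonaws.com|/reports/q2.pdf
2024-07-12T03:15:11Z|WS-0421|svchost.exe|update.s3cloud-azure.example|/api/v2/status
2024-07-12T03:16:40Z|WS-0421|curl.exe|api.telegram.org|/bot7123456789:AAExampleTokenValueOnly_-x/sendDocument
2024-07-12T03:17:02Z|WS-0421|outlook.exe|outlook.office365.com|/owa/
2024-07-12T03:18:30Z|WS-0421|powershell.exe|api.telegram.org|/bot7123456789:AAExampleTokenValueOnly_-x/getUpdates
2024-07-12T03:19:05Z|WS-0421|backup.exe|files.blob.core.windows.net|/container/x
2024-07-12T03:20:44Z|WS-0421|explorer.exe|cdn.trendmicrotech.example|/dl/update.bin
"""

if __name__ == "__main__":
    for entry, reasons in hunt(SAMPLE_LOG):
        print(f"{entry.ts} {entry.host} {entry.process} -> {entry.dest_host}{entry.path}  [{', '.join(reasons)}]")
```

On the sample, the genuine AWS and Azure hosts pass because their registrable domains are on the allowlist, while the two brand-bearing lookalikes and both Telegram Bot API calls are flagged; the curl.exe call picks up a second reason because the article singles curl.exe out as the exfiltration tool. Any process reaching the bot API from a workstation is worth a look, not only curl.exe, since the backdoor's main channel is that API.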
“Earth Baxia, likely based in China, conducted a sophisticated campaign targeting the public and energy sectors in several countries in the Asia-Pacific region,” the researchers noted.
“They used advanced techniques such as using GeoServer, phishing and customized malware (Cobalt Strike and EAGLEDOOR) to infiltrate and steal data. EAGLEDOOR’s use of public cloud services to host malicious files and support for multiple protocols highlight the complexity and adaptability of their operations.”