The government and telecommunications sectors in Southeast Asia have been the target of a "sophisticated" campaign carried out by a new advanced persistent threat (APT) group called Earth Kurma since June 2024.
The attacks, according to Trend Micro, use custom malware, rootkits, and cloud storage services for data exfiltration. The Philippines, Vietnam, Thailand, and Malaysia are among the prominent targets.
"This campaign poses a high business risk due to targeted espionage, credential theft, a persistent foothold established through kernel-level rootkits, and data exfiltration through trusted cloud platforms," the company noted in an analysis published last week.
The threat actor's activity dates back to November 2020, and the intrusions primarily rely on services such as Dropbox and Microsoft OneDrive to exfiltrate data that is siphoned using tools such as TESDAT and SIMPOBOXSPY.
Two other notable malware families in its arsenal are the rootkits KRNRAT and MORIYA, the latter previously observed in attacks aimed at high-profile organizations in Asia and Africa as part of an espionage campaign called TunnelSnake.
Trend Micro also said that SIMPOBOXSPY and the exfiltration script used in the attacks overlap with those used by ToddyCat. However, a definitive attribution remains inconclusive.
It is currently unknown how the threat actors obtain initial access to target environments. The initial foothold is then abused for scanning and lateral movement using various tools such as NBTSCAN, Ladon, FRPC, WMIHACKER, and ICMPinger. A keylogger called KMLOG is also deployed to harvest credentials.
It should be noted that the use of the open-source Ladon framework has previously been attributed to a Chinese hacking group called TA428 (aka Vicious Panda).
Persistence on the hosts is achieved through three different loader strains called DUNLOADER, TESDAT, and DMLOADER, which are capable of loading payloads into memory and executing them. These payloads include Cobalt Strike, rootkits such as KRNRAT and MORIYA, and the data exfiltration malware.
What distinguishes these attacks is the use of living-off-the-land (LotL) techniques to install the rootkits, whereby the hackers use legitimate system tools and features, in this case syssetup.dll, rather than dropping easily detected malware.
While MORIYA is designed to inspect incoming TCP packets for the presence of a malicious payload and inject shellcode into a newly spawned "svchost.exe" process, KRNRAT is a combination of five different open-source projects with capabilities such as process manipulation and command-and-control (C2) communication.
KRNRAT, like MORIYA, is also designed to load a user-mode agent and inject it into "svchost.exe". The user-mode agent serves as a backdoor to fetch the next payload from the C2 server.
"Before exfiltrating the files, several TESDAT loader commands collect specific document files with the following extensions: .pdf, .docx, .xls, .xlsx, .pptx," the researchers said. "The documents are first placed in a newly created folder called 'tmp', which is then archived using WinRAR with a specific password."
One of the custom tools used for exfiltration is SIMPOBOXSPY, which can upload the RAR archive to Dropbox with a specified access token. According to a Kaspersky report from October 2023, the Dropbox uploader is "probably not used solely by ToddyCat."
ODRIZ, another program used for the same purpose, uploads the collected information to OneDrive, taking the OneDrive refresh token as an input parameter.
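The staging chain described above (documents copied into a "tmp" folder, archived with a password in WinRAR, then pushed to Dropbox or OneDrive) is a good candidate for a simple behavioural correlation on endpoint telemetry. The following is an added detection example, not code from Trend Micro's report; the Sysmon-style event layout, hostnames, paths, the placeholder password and the time window are all assumptions made for the example.

```python
import re
from typing import Dict, List

# Constructed sample telemetry (Sysmon-style: process-create and network events).
# Hosts, paths and the password are placeholders, not indicators from the report.
SAMPLE_EVENTS = [
    {"t": 100, "host": "ws01", "type": "process", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c copy C:\Users\a\Documents\*.docx C:\Users\Public\tmp"},
    {"t": 105, "host": "ws01", "type": "process", "image": r"C:\Program Files\WinRAR\Rar.exe",
     "cmdline": r"Rar.exe a -hpPLACEHOLDER C:\Users\Public\tmp\out.rar C:\Users\Public\tmp\*"},
    {"t": 130, "host": "ws01", "type": "network", "image": r"C:\Windows\System32\svchost.exe",
     "dest": "content.dropboxapi.com"},
    {"t": 200, "host": "ws02", "type": "process", "image": r"C:\Program Files\WinRAR\Rar.exe",
     "cmdline": r"Rar.exe a D:\backup\weekly.rar D:\projects"},       # no password: benign backup
    {"t": 210, "host": "ws02", "type": "network",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "dest": "www.dropbox.com"},                                       # browser traffic: benign
]

ARCHIVER = re.compile(r"(?:^|\\)(?:rar|winrar)\.exe$", re.I)
PASSWORD_SWITCH = re.compile(r"(?:^|\s)-(?:hp|p)\S+", re.I)  # WinRAR -p<pwd> / -hp<pwd>
STAGING_DIR = re.compile(r"\\tmp\\", re.I)                    # the 'tmp' folder from the report
CLOUD_STORAGE = ("dropbox", "onedrive", "graph.microsoft.com")
BROWSERS = ("chrome.exe", "msedge.exe", "firefox.exe")
WINDOW = 600  # seconds between the archive command and the upload to treat them as linked

def detect(events: List[Dict]) -> List[Dict]:
    """Flag a password-protected archive of the staging folder followed, on the
    same host, by a non-browser process talking to a cloud storage service."""
    last_archive: Dict[str, Dict] = {}
    alerts: List[Dict] = []
    for ev in sorted(events, key=lambda e: e["t"]):
        if (ev["type"] == "process" and ARCHIVER.search(ev["image"])
                and PASSWORD_SWITCH.search(ev["cmdline"]) and STAGING_DIR.search(ev["cmdline"])):
            last_archive[ev["host"]] = ev
        elif ev["type"] == "network":
            arc = last_archive.get(ev["host"])
            proc = ev["image"].rsplit("\\", 1)[-1].lower()
            if (arc and ev["t"] - arc["t"] <= WINDOW and proc not in BROWSERS
                    and any(k in ev["dest"].lower() for k in CLOUD_STORAGE)):
                alerts.append({"host": ev["host"], "archive": arc["cmdline"],
                               "uploader": proc, "dest": ev["dest"]})
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)  # one alert for ws01; ws02's unencrypted backup and browser traffic are ignored
```

In production the same correlation would run over real process-creation and network-connection events, with the browser allow-list and time window tuned to the environment.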
"Earth Kurma remains highly active, continuing to target Southeast Asian countries," Trend Micro said. "They have the ability to adapt to victim environments and maintain a stealthy presence."
"They can also reuse the same codebase from previously identified campaigns to customize their toolsets, sometimes even using the victim's infrastructure to achieve their goals."