A China-linked cyberespionage campaign has been targeting government entities across Southeast Asia, Europe, America, and Africa since at least 2022, a new report from cybersecurity firm Trend Micro reveals.
Dubbed ‘Earth Krahang,’ the espionage operation appears to have connections to another China-nexus threat actor tracked as ‘Earth Lusca,’ but is believed to be a separate campaign because of its use of independent infrastructure and unique backdoors.
One of the threat actor’s favorite tactics involves using its malicious access to government infrastructure to attack other government entities, abusing the infrastructure to host malicious payloads, proxy attack traffic, and send spear-phishing emails to government-related targets using compromised government email accounts. Other tactics leveraged by the threat actor include building VPN servers on compromised public-facing servers to establish access to the private network of victims and performing brute-force attacks to obtain email credentials.
The observed campaign involves several infection methods, including the exploitation of vulnerabilities in public-facing servers and spear-phishing attacks intended to deliver two custom backdoors, Reshell and XDealer, as well as the CobaltStrike tool.
Reshell is a simple .NET backdoor able to collect information, drop files, or execute system commands. XDealer (aka DinodasRAT), on the other hand, provides more comprehensive backdoor capabilities. In addition, the researchers found that the threat actor employed both Windows and Linux versions of XDealer to target different systems.
The threat actor employs open-source scanning tools to search for exposed servers. Earth Krahang also conducts vulnerability scanning with tools like sqlmap, nuclei, xray, vscan, pocsuite, and wordpressscan to find web server flaws that let it compromise the server, drop web shells, and install backdoors. More specifically, the cyberespionage group has been observed exploiting command execution vulnerabilities in OpenFire (CVE-2023-32315) and Oracle Web Applications Desktop Integrator (CVE-2022-21587).
“We noticed that Earth Krahang retrieves hundreds of email addresses from their targets during the reconnaissance phase. In one case, the actor used a compromised mailbox from a government entity to send a malicious attachment to 796 email addresses belonging to the same entity,” the researchers wrote.
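As an added illustration (not from the Trend Micro report or this article), the following Python sketch is a defender-side heuristic for the mailbox-abuse chain described above: an account whose email credentials are brute-forced and then used to send one attachment to a large number of colleagues in the same domain, as in the 796-address case. The log records, account names and the attachment hashes are constructed placeholders.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data (not real telemetry): 30 failed logons on one account,
# a success seconds later, then that account mails one attachment to 120 colleagues.
T0 = datetime(2024, 1, 15, 8, 0)
ACCOUNT = "clerk@gov.example"  # placeholder account
ATTACHMENT = "ATTACHMENT_HASH_A"  # placeholder for an attachment hash
AUTH_LOG = [(T0 + timedelta(seconds=i), ACCOUNT, "fail") for i in range(30)]
AUTH_LOG.append((T0 + timedelta(seconds=31), ACCOUNT, "success"))
AUTH_LOG.append((T0, "it@gov.example", "success"))  # normal logon, no failures
MAIL_LOG = [(T0 + timedelta(minutes=5, seconds=i), ACCOUNT, f"user{i}@gov.example", ATTACHMENT)
            for i in range(120)]
MAIL_LOG += [(T0, "it@gov.example", f"user{i}@gov.example", "ATTACHMENT_HASH_B")
             for i in range(3)]  # small, benign internal mailing

def brute_forced_accounts(auth_log, min_failures=20, window=timedelta(minutes=10)):
    """Accounts with a successful logon preceded by >= min_failures failures within window."""
    failures = defaultdict(list)
    flagged = set()
    for ts, account, result in sorted(auth_log):
        if result == "fail":
            failures[account].append(ts)
        elif len([t for t in failures[account] if ts - t <= window]) >= min_failures:
            flagged.add(account)
    return flagged

def mass_internal_mailings(mail_log, min_recipients=50, window=timedelta(hours=1)):
    """(sender, attachment) pairs delivered to >= min_recipients distinct recipients in the
    sender's own domain within `window` of the first such message."""
    sends = defaultdict(list)
    for ts, sender, rcpt, attachment in mail_log:
        if sender.split("@")[1] == rcpt.split("@")[1]:  # same entity, as in the 796-address case
            sends[(sender, attachment)].append((ts, rcpt))
    hits = set()
    for key, msgs in sends.items():
        first = min(t for t, _ in msgs)
        if len({r for t, r in msgs if t - first <= window}) >= min_recipients:
            hits.add(key)
    return hits

def correlate(auth_log, mail_log):
    """Mass internal mailings sent from an account that had just been brute-forced."""
    compromised = brute_forced_accounts(auth_log)
    return {(s, a) for s, a in mass_internal_mailings(mail_log) if s in compromised}

if __name__ == "__main__":
    print(correlate(AUTH_LOG, MAIL_LOG))  # {('clerk@gov.example', 'ATTACHMENT_HASH_A')}
```

The thresholds are illustrative; in practice they would be tuned to the organisation's normal mass-mailing and failed-logon baselines.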
Trend Micro said it identified around 70 victim organizations across 23 different countries and 116 different targets (including those that were not confirmed to be compromised) in 35 countries.
In total, the threat actor was able to compromise or target victims in 45 different countries spread across different regions, most of them in Asia and America, but also in Europe and Africa.