Earth Baku Expands Cyber Attacks Globally: New Targets and Advanced Techniques Revealed

The China-backed threat actor known as Earth Baku has notably expanded its cyber operations, shifting its focus from the Indo-Pacific region to a broader array of targets across Europe, the Middle East, and Africa starting in late 2022. This expansion reflects a significant evolution in the group’s targeting strategy and techniques.

New Target Regions and Sectors

Recent investigations have revealed that Earth Baku has begun to target several new countries, including Italy, Germany, the United Arab Emirates (U.A.E.), and Qatar. There are also indications of suspected attacks in Georgia and Romania. The sectors under attack span a wide range of critical infrastructures, such as government institutions, media and communications, telecoms, technology, healthcare, and education.

Updated Tools and Tactics

According to a detailed analysis by Trend Micro researchers Ted Lee and Theo Chen, Earth Baku has refined its tools, tactics, and procedures (TTPs) in recent campaigns. The group now employs public-facing applications, like Internet Information Services (IIS) servers, as initial entry points for their attacks. Once inside, they deploy sophisticated malware toolsets to maintain access and conduct their operations within the victim’s environment.

This approach marks a significant shift from their previous methods. Trend Micro’s findings build upon recent reports from Zscaler and Google-owned Mandiant, which have documented the threat actor’s use of various malware families. Trend Micro has assigned the names StealthReacher and SneakCross to these new tools.

Malware Families and Techniques

Earth Baku, linked with the advanced persistent threat group APT41, has been known for using the StealthVector backdoor loader since October 2020. Attack chains typically begin with exploiting vulnerabilities in public-facing applications to deploy the Godzilla web shell. This shell then facilitates the delivery of additional payloads.

StealthReacher is an enhanced version of StealthVector, designed to launch SneakCross—a modular implant and successor to ScrambleCross. SneakCross utilizes Google services for command-and-control (C2) communications, reflecting a sophisticated evolution in their malware capabilities.

The group’s activities are characterized by a combination of advanced post-exploitation tools. These include:

• iox: A tool used for post-exploitation activities.
• Rakshasa: Another post-exploitation tool employed by Earth Baku.
• Tailscale: A Virtual Private Network (VPN) service used for persistence within compromised networks.
• MEGAcmd: A command-line utility used for exfiltrating sensitive data to MEGA cloud storage.

Implications and Responses

The expansion of Earth Baku’s operations to new regions and sectors underscores the increasing sophistication and global reach of cyber threat actors. Their use of advanced and diverse malware tools highlights the need for robust cybersecurity measures and vigilance. Organizations across the targeted regions are advised to enhance their defenses and be aware of the evolving threat landscape.

In summary, Earth Baku’s recent activities reflect a significant escalation in their cyber operations, utilizing advanced techniques and tools to broaden their impact. As the group continues to refine its methods, the cybersecurity community must stay alert and adapt to these emerging threats.