Trend Micro uncovers Earth Krahang hackers exploiting intergovernmental trust for cross-government attacks

Trend Micro researchers disclosed that since early 2022 they have been tracking Earth Krahang, an APT (advanced persistent threat) campaign that targets several government entities worldwide, with a strong focus on Southeast Asia but also observed targeting Europe, America, and Africa. The threat actor exploits vulnerabilities in public-facing servers and uses spear-phishing emails to deliver newly discovered backdoors.

“Our research allowed us to identify the campaign’s multiple connections with a China-nexus threat actor we track as Earth Lusca,” Joseph C Chen and Daniel Lunghi, Trend Micro threat researchers, wrote in a company blog post. “However, since the campaign employs independent infrastructure and unique backdoors, we believe it to be a separate intrusion set that we named Earth Krahang. We will examine these connections, as well as potential links to a Chinese company named I-Soon, in a separate section.”

The firm highlighted that the Earth Krahang APT compromised approximately 70 different victims (organizations that were confirmed to be compromised) spread across 23 different countries. “Since we had access to some of Earth Krahang’s logs, we were also able to identify 116 different targets (including those that were not confirmed to be compromised) in 35 countries,” it added.

“Government organizations seem to be Earth Krahang’s primary targets. As an example, in the case of one country, we found that the threat actor compromised a diverse range of organizations belonging to 11 different government ministries,” Trend Micro noted. “We found that at least 48 government organizations were compromised, with a further 49 other government entities being targeted. Foreign Affairs ministries and departments were a top target, compromising 10 such organizations and targeting five others.”

They highlighted that one of the threat actor’s favorite tactics is to use its malicious access to government infrastructure to attack other government entities, abusing that infrastructure to host malicious payloads, proxy attack traffic, and send spear-phishing emails to government-related targets from compromised government email accounts.

“Earth Krahang also uses other tactics, such as building VPN servers on compromised public-facing servers to establish access into the private network of victims and performing brute-force attacks to obtain email credentials,” Trend Micro identified. “These credentials are then used to exfiltrate victim emails, with the group’s ultimate goal being cyber espionage. Due to mistakes on the attacker’s side, we managed to retrieve multiple files from Earth Krahang’s servers, including samples, configuration files, and log files from its attack tools.” 

They added that “combining this information with our telemetry helped us understand the Earth Krahang operation and build a clear view of the threat actor’s victimology and interests.”

The post detailed that one of the infection vectors used involves the scanning of public-facing servers. “Earth Krahang heavily employs open-source scanning tools that perform recursive searches of folders such as [dot]git or [dot]idea.” 

Furthermore, the threat actor also brute-forces directory names to identify files that may contain sensitive information, such as file paths or passwords, on the victim’s servers. It also tends to enumerate the subdomains of its targets to find interesting and possibly unmaintained servers.

Earth Krahang also conducts vulnerability scanning with tools like ‘sqlmap,’ ‘nuclei,’ ‘xray,’ ‘vscan,’ ‘pocsuite,’ and ‘wordpressscan’ to find web server vulnerabilities that allow it to access the server, drop web shells, and install backdoors.
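The reconnaissance described above (recursive probing for exposed .git or .idea folders, followed by directory brute-forcing) leaves a recognizable footprint in ordinary web server access logs. As an added, defender-side illustration that is not code from the Trend Micro report or from this article, the following Python script parses combined-format access log lines, counts per-client probes for those development-artifact directories, and flags clients whose requests are dominated by 404 responses. The log lines, IP addresses and thresholds are constructed for the example; tune them to your own traffic before using the logic in a detection rule.

```python
import re
from collections import defaultdict

# Hypothetical access-log lines in the common "combined" format, constructed
# for this example; they are not taken from the Trend Micro report.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:08:00:01 +0000] "GET /.git/HEAD HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:08:00:01 +0000] "GET /.git/config HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:08:00:02 +0000] "GET /portal/.git/HEAD HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:08:00:02 +0000] "GET /.idea/workspace.xml HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:08:00:03 +0000] "GET /backup/ HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:08:00:03 +0000] "GET /old/ HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:08:00:04 +0000] "GET /config.php.bak HTTP/1.1" 404 153 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Mar/2024:08:05:10 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Mar/2024:08:05:12 +0000] "GET /news/2024/ HTTP/1.1" 200 8810 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Mar/2024:08:05:15 +0000] "GET /favicon.ico HTTP/1.1" 404 153 "-" "Mozilla/5.0"
"""

# One combined-format line: client, ident, user, [timestamp], "request", status, size, "referer", "agent".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*"$'
)

# Directories the report names as targets of the group's recursive scanning.
SENSITIVE_DIRS = (".git", ".idea")


def parse_line(line):
    """Return the fields we need from one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "path": m["path"], "status": int(m["status"])}


def touches_sensitive_dir(path):
    """True if any path segment is one of the watched directories (catches nested /app/.git/... too)."""
    segments = path.split("?", 1)[0].split("/")
    return any(seg in SENSITIVE_DIRS for seg in segments)


def analyze(log_text, dotdir_threshold=2, not_found_threshold=5):
    """Aggregate per client and return only the clients that trip a heuristic.

    Thresholds are illustrative; a production rule would also window by time.
    """
    per_ip = defaultdict(lambda: {"requests": 0, "dotdir_hits": 0, "not_found": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than abort the whole run
        stats = per_ip[rec["ip"]]
        stats["requests"] += 1
        if touches_sensitive_dir(rec["path"]):
            stats["dotdir_hits"] += 1
        if rec["status"] == 404:
            stats["not_found"] += 1

    findings = {}
    for ip, s in per_ip.items():
        reasons = []
        if s["dotdir_hits"] >= dotdir_threshold:
            reasons.append(f"{s['dotdir_hits']} probes for {'/'.join(SENSITIVE_DIRS)} paths")
        if s["not_found"] >= not_found_threshold:
            reasons.append(f"{s['not_found']} of {s['requests']} requests returned 404 (directory brute force)")
        if reasons:
            findings[ip] = {**s, "reasons": reasons}
    return findings


if __name__ == "__main__":
    for ip, f in analyze(SAMPLE_LOG).items():
        print(f"{ip}: " + "; ".join(f["reasons"]))
```

Serving a `403` or `404` for every `.git` and `.idea` path at the web server or reverse proxy removes the payoff of this scan entirely; the detection above is useful because a client that keeps asking for those paths has already told you what it is looking for, whether or not the folders exist.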

Trend Micro said that Earth Krahang also makes use of spear-phishing emails to attack its targets. “Like most spear phishing attacks, the emails are intended to trick their targets into opening attachments or embedded URL links that ultimately lead to the execution of a prepared backdoor file on the victim’s machine. Our telemetry data and some of the group’s backdoors uploaded on VirusTotal revealed that the backdoor filenames are usually related to geopolitical topics,” it added.

Earth Krahang abuses the trust between governments to conduct its attacks, the post added. “We found that the group frequently uses compromised government webservers to host their backdoors and send download links to other government entities via spear phishing emails. Since the malicious link uses a legitimate government domain of the compromised server, it will appear less suspicious to targets and may even bypass some domain blacklists.”

Its telemetry also showed that the threat actor compromised a government web server and leveraged it to scan vulnerabilities in other government targets.

Initially, Trend Micro said that it “had no attribution for this campaign since we found no infrastructure overlaps, and had never seen the RESHELL malware family before. Palo Alto published a report that attributes, with moderate confidence, a particular cluster using RESHELL malware to GALLIUM.” 

However, it added that the assessment is based on a toolset that is shared among many different threat actors, and “we were hesitant to use this link for proper attribution. We also considered the possibility that RESHELL is a shared malware family.”

In conclusion, Trend Micro said that it was also able to identify two unique malware families used in Earth Krahang’s attacks, while also illustrating the larger picture of the group’s targets and malicious activities through its telemetry data and the files exposed on the group’s servers.

“Our investigation also identified multiple links between Earth Krahang and Earth Lusca. We suspected these two intrusion sets are managed by the same threat actor,” the post detailed. “Given the importance of Earth Krahang’s targets and their preference of using compromised government email accounts, we strongly advise organizations to adhere to security best practices, including educating employees and other individuals involved with the organization on how to avoid social engineering attacks, such as developing a healthy skepticism when it involves potential security issues, and developing habits such as refraining from clicking on links or opening attachments without verification from the sender.” 

Furthermore, given the threat actor’s exploitation of vulnerabilities in its attacks, “we also encourage organizations to update their software and systems with the latest security patches to avoid any potential compromise,” it added.
