The China-supported hacking group known as Earth Baku has expanded its operational focus, shifting from mainly Indo-Pacific targets to include nations across Europe, the Middle East, and Africa since late 2022.
Countries recently identified as potential targets of this group include Italy, Germany, the United Arab Emirates, and Qatar, with indications of further activity in Georgia and Romania. Various sectors, including government, media, telecommunications, technology, healthcare, and education, have been inferred as likely victims of their cyber intrusions.
According to Trend Micro researchers Ted Lee and Theo Chen, the group has modernized its tactics, techniques, and procedures (TTPs) in recent campaigns, using public-facing services such as Internet Information Services (IIS) servers as initial access points for its attacks. Sophisticated malware toolsets are then deployed into the compromised environments.
This update builds on findings from Zscaler and Mandiant, revealing Earth Baku’s employment of various malware families including DodgeBox (known as DUSTPAN) and MoonWalk (or DUSTTRAP). Trend Micro researchers have referred to the latest additions as StealthReacher and SneakCross.
Earth Baku, which is linked to APT41, is noted for its usage of StealthVector since October 2020. Their attack methodologies typically involve exploiting vulnerabilities in public-facing applications to deploy the Godzilla web shell, which facilitates further malicious payload delivery.
StealthReacher has been characterized as an enhanced variant of the StealthVector backdoor loader, used to initiate SneakCross, a modular implant and successor to ScrambleCross, which utilizes Google services for its command-and-control (C2) communications.
Earth Baku’s operations are marked not only by the initial intrusion tactics, but also by the deployment of a suite of post-exploitation tools such as iox, Rakshasa, and a Virtual Private Network service called Tailscale. Data exfiltration is typically executed to MEGA cloud storage utilizing a command-line tool named MEGAcmd.
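As an added defender-side illustration (not code from the article, Trend Micro, or the tools named), the following Python flags, in constructed Sysmon-style process-creation events, the three behaviours the article describes: an IIS worker process spawning a shell as a Godzilla-style web shell would, the tunnelling tools iox, Rakshasa and Tailscale, and MEGAcmd-driven exfiltration. The binary names and the `mega-put` wrapper command are assumptions.

```python
# Added example: hunt over constructed process-creation events for the
# tradecraft described above. Tool binary names are assumptions.
import re

TUNNEL_TOOLS = {"iox.exe", "rakshasa.exe", "tailscale.exe", "tailscaled.exe"}
EXFIL_TOOLS = {"megacmd.exe", "megacmdshell.exe", "mega-put.bat"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}


def _basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return the finding tags for one process-creation event."""
    parent = _basename(event["parent_image"])
    image = _basename(event["image"])
    tags = []
    # IIS worker process (w3wp.exe) launching a shell: web shell behaviour.
    if parent == "w3wp.exe" and image in SHELLS:
        tags.append("iis-webshell-child")
    # Known tunnelling / remote-access tooling.
    if image in TUNNEL_TOOLS:
        tags.append("tunnel-tool")
    # MEGAcmd itself or its assumed mega-put wrapper on the command line.
    if image in EXFIL_TOOLS or re.search(r"\bmega-put\b", event["cmdline"], re.I):
        tags.append("mega-exfil")
    return tags


def hunt(events):
    """Return (host, image, tags) for every event that produced a finding."""
    findings = []
    for e in events:
        tags = classify(e)
        if tags:
            findings.append((e["host"], _basename(e["image"]), tags))
    return findings


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "web01", "parent_image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c whoami"},
    {"host": "web01", "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\ProgramData\iox.exe", "cmdline": "iox.exe"},
    {"host": "web01", "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Program Files\MEGAcmd\MEGAcmd.exe", "cmdline": "MEGAcmd.exe"},
    {"host": "fs02", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
]

if __name__ == "__main__":
    for host, image, tags in hunt(SAMPLE_EVENTS):
        print(f"{host}: {image} -> {', '.join(tags)}")
```

Name-based matching is a starting point only; renamed binaries defeat it, so pair it with the parent-child rule and with network telemetry for the Google-service C2 and MEGA uploads the article mentions.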
As the researchers highlight, Earth Baku has increasingly relied on loaders such as StealthVector and StealthReacher to deploy backdoor components stealthily, and has integrated SneakCross as its latest modular backdoor.
In summary, the group has effectively utilized a range of post-exploitation methods, including tailored tools, to maintain persistence within compromised environments and facilitate efficient data exfiltration.