Trend Micro report
Earth Krahang hackers breach 70 orgs in 23 countries

The first step is to search the Internet for public servers that are connected to government organizations. To find weaknesses, the attacker can use various open source tools like sqlmap, nuclei, xray, vscan, pocsuite, and wordpressscan. The attacker focuses on two specific vulnerabilities: CVE-2023-32315, a command execution vulnerability in the real-time collaboration server Openfire with a CVSS rating of 7.5, and CVE-2022-21587, a critical command execution issue rated 9.8 in Oracle’s E-Business Suite’s Web Applications Desktop Integrator.

Once the group gains access to a public server, they use open source software to search for sensitive files, passwords (especially for email), and other valuable resources, such as neglected subdomains that could lead to more unattended servers. They also use brute force attacks, such as using a list of common passwords to break into Microsoft Exchange servers through Outlook on the Web.

“While it may seem like open source should be easy to detect,” says Jon Clay, vice president of threat intelligence at Trend Micro, “the reality is that there are many TTPs here that have to be found and detected. Also, the use of defense evasion tactics by this adversary can be utilized to ensure the victims are unable to defend.”

Earth Krahang’s Exploitation and Stealth Tactics:

By the end of all this (and much more), the attacker can perform two primary actions: drop backdoors on compromised servers, and hijack email accounts.

The attackers use real email accounts to trick victims into thinking they are safe. By using legitimate accounts and sending emails with convincing subject lines and malicious attachments, they can deceive people.

Whether via email or a vulnerability in a Web server, Earth Krahang’s various targets end up downloading one or multiple backdoors.

In its first attacks around 2022, the group used “RESHELL,” a basic custom .NET tool to gather information, drop files, and run system commands, with AES-encrypted command-and-control (C2) communication.
In 2023, the group started using “XDealer,” a new tool with advanced features like keylogging, taking screenshots, and stealing from the clipboard. XDealer works on both Windows and Linux and some of its loaders have real code-signing certificates, including certificates from a human resources company and a game development company that were likely stolen to make it harder to detect the malware. Trend Micro provided this information.

Earth Krahang has also made use of ancient threats like PlugX and ShadowPad, and it frequently deploys Cobalt Strike in combination with another open source tool (RedGuard) that prevents cybersecurity analysts from pinning down its C2 infrastructure.

Due to the straightforward nature of the threat actor, it is crucial to follow standard best practices for protection against these TTPs. Organizations should strengthen their email security against spear phishing, regularly update and patch systems to defend against known vulnerabilities, and implement network segmentation to restrict an attacker’s movement within their networks. Additionally, monitoring for abnormal network traffic and unusual access patterns can aid in early detection of such campaigns.