Earth Kasha is associated with the sole use of LODEINFO and NOOPDOOR, whereas Earth Tengshe is connected to campaigns that distribute SigLoader and SodaMaster. Both subgroups have been seen focusing on applications visible to the public to steal data and information from the network. Another cluster dubbed Bronze Starlight (also known as Emperor Dragonfly or Storm-0401) is thought to be connected to Earth Tengshe. This cluster is known for running ransomware families that include LockFile, Atom Silo, Rook, Night Sky, Pandora, and Cheerscrypt.

However, since April 2023, it has been discovered that Earth Kasha has changed its initial access techniques. Specifically, it has been using unpatched vulnerabilities in instances of Array AG (CVE-2023-28461), Fortinet (CVE-2023-27997), and Proself (CVE-2023-45727) to disseminate LODEINFO and NOOPDOOR (also known as HiddenFace).

Many commands are included with LODEINFO, allowing you to log keystrokes, capture snapshots, end processes, execute arbitrary shellcode, and exfiltrate files back to a server under actor control. With code resemblances to another APT10 backdoor called ANEL Loader, NOOPDOOR allows users to upload and download data, run shellcode, and launch additional applications. NOOPDOOR functions as a secondary backdoor and LODEINFO looks to be the principal backdoor, maintaining persistence within the infiltrated business network for almost two years. Threat actors abuse scheduled tasks to be persistent in the environment.

Impact

• Sensitive Data Theft
• Unauthorized Access
• Code Execution
• Cyber Espionage

Indicators of Compromise

IP

• 45.66.217.106
• 89.233.109.69
• 45.77.12.212
• 108.160.130.45
• 207.148.97.235
• 95.85.91.15
• 64.176.214.51
• 168.100.8.103
• 45.76.222.130
• 45.77.183.161
• 207.148.90.45
• 207.148.103.42

MD5

• 4f1c68d2fe3b0255e706e4c7de0a739f
• 213f4f64aa92b5cc06c2f38bd28f0d6c

SHA-256

• 93af6afb47f4c42bc0da3eedc6ecb9054134f4a47ef0add0d285404984011072
• 4f932d6e21fdd0072aba61203c7319693e490adbd9e93a49b0fe870d4d0aed71

SHA-1

• ca38f3f51a6739d9606dee27849a31775eb1d871
• d0a4d4f1bd228ce845817b17aa1989d9fee9d216

Remediation

• Block all threat indicators at your respective controls.
• Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
• Along with network and system hardening, code hardening should be implemented within the organization so that their websites and software are secure. Use testing tools to detect any vulnerabilities in the deployed codes.
• Patch and upgrade any platforms and software timely and make it into a standard security policy. Prioritize patching known exploited vulnerabilities and zero-days.
• Enable antivirus and anti-malware software and update signature definitions on time. Using a multi-layered protection is necessary to secure vulnerable assets.
• Maintain cyber hygiene by updating your anti-virus software and implementing a patch management lifecycle.
• Enable two-factor authentication.
• Do not download documents attached in emails from unknown sources and strictly refrain from enabling macros when the source isn’t reliable.
• Implement thorough background checks, including identity verification and digital footprint analysis.
• Use biometric authentication and other advanced techniques to confirm the identity of remote workers.