April 28, 2025
Severity
High
Analysis Summary
Earth Kurma, a newly identified advanced persistent threat (APT) group, has been actively targeting the government and telecommunications sectors in Southeast Asia.
According to researchers, the campaign is highly sophisticated, leveraging custom malware, kernel-level rootkits, and trusted cloud storage services like Dropbox and Microsoft OneDrive for espionage and data exfiltration. The threat actors have been active since at least November 2020, using tools like TESDAT and SIMPOBOXSPY for data theft. Notably, overlaps between SIMPOBOXSPY and techniques used by the ToddyCat APT group were observed, although definitive attribution to any known group remains unconfirmed.
The initial access method is still unknown, but once inside, Earth Kurma conducts network scanning and lateral movement using tools such as NBTSCAN, Ladon, FRPC, WMIHACKER, and ICMPinger, while harvesting credentials with a custom keylogger called KMLOG. Persistence is maintained through loaders like DUNLOADER, TESDAT, and DMLOADER, which enable in-memory execution of further payloads such as Cobalt Strike Beacons and stealthy rootkits (KRNRAT and Moriya). Particularly notable is their use of living-off-the-land (LotL) techniques, utilizing legitimate system components like syssetup.dll to avoid detection during rootkit installation.
Moriya is engineered to monitor incoming TCP packets and inject shellcode into newly spawned svchost.exe processes, while KRNRAT, a combination of five open-source projects, is capable of file hiding, process manipulation, and stealthy C2 communications. KRNRAT, similar to Moriya, loads a user-mode agent backdoor into svchost.exe, allowing Earth Kurma to maintain a hidden and persistent connection with its command infrastructure. Before exfiltration, TESDAT gathers sensitive documents with specific extensions (.pdf, .doc/.docx, .xls/.xlsx, .ppt/.pptx), moves them to a "tmp" folder, compresses them using WinRAR with a password, and prepares them for upload.
For exfiltration, the group employs custom tools: SIMPOBOXSPY uploads RAR archives to Dropbox using an access token, while ODRIZ uploads to OneDrive using a refresh token. These methods underline Earth Kurma’s preference for abusing legitimate cloud platforms to blend their malicious activity with regular network traffic. Trend Micro highlights that Earth Kurma is highly adaptable, capable of reusing and modifying codebases from earlier operations, sometimes even exploiting compromised victim infrastructure, ensuring their stealthy and resilient presence across Southeast Asia.
Impact
- Sensitive Data Theft
- Privilege Escalation
- Gain Access
Indicators of Compromise
Domain Name
- www.dfsg3gfsga.space
- www.igtsadlb2ra.pw
- www.ihyvcs5t.pw
IP
- 149.28.147.63
- 38.147.191.103
- 38.60.199.225
- 45.77.250.21
MD5
- 78928b2767d6117c9263f7607b8e14c
- 57f4053f5d673cd7b6e7fe4dd33606ec
- 332049620b2946f03c70c4720a249fb6
- 705ccaefbc25b5de7fe861ea1e9a7238
- 8aa37b228a76dca1f3e02297d9bd6d52
- b1fbdcf9057825ee2fe726798d376e5e
- 60554308955996496aa1e7c4e4399816
SHA-256
- 2e87615142170a7510e26f94790bfb81df4d499a9f530d0bd8fe0fb1575b17f8
- 34366323262346e10d8780bad9d30c6d4d747e4ec543243be76f33b7c028ea36
- f9892636093266a01ed6f0486c00189d2eeb532a3086660490f4efeb6d026487
- f3916c414db0f660d488c9d3aaa8355f3eb036ca27a9c606fe7e5e1a9bd42b38
- ec9220cf8208a3105022b47861d4e200672846ef484c1ea481c5cfd617cb18dc
- e143c15eaa0b3faccc93ce3693960323dbaa683ac9ce30382e876690278dfefa
- b26e8e0be066ee0b86f8fb2b0a703717ebbf34c8a33ef9a6f8f164ad012f1746
SHA1
- 7e62ee9920d395a513aa4b112ecb22f7b5803be7
- a40a3a6b5073d24f708295f3c43edd8e4e774c06
- e943ea26f16ded692b4f7b588fe0042d154615f2
- e3a5d17b32edecb8dca3783a5193e1289ef13252
- 5f6bcdb04184091c9bc198c175af394cb4303512
- cde8543c1b11cd4741d7a93faa663416666e1226
- 49b5260daa9a920537fb240363e85d49719d6fd4
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Isolate critical systems from general network traffic to limit lateral movement.
- Implement multi-factor authentication (MFA) across all systems, especially for remote access and cloud platforms.
- Keep all software, including operating systems and applications, up to date to mitigate known vulnerabilities that could be exploited by APT groups.
- Continuously monitor cloud storage services (e.g., Dropbox, OneDrive) for abnormal access or data transfer patterns to detect unauthorized exfiltration.
- Use EDR tools to detect and block suspicious activities, including unusual system processes or unauthorized use of legitimate system tools.
- Implement specialized rootkit detection software to identify and remove kernel-level rootkits such as KRNRAT and Moriya.
- Employ behavior-based anomaly detection to identify potential LotL (Living off the Land) tactics, such as the use of legitimate system tools for malicious activities.
- Regularly audit and rotate credentials, especially for critical accounts, to reduce the risk of credential theft.
- Educate staff on phishing tactics and the risks of malicious attachments, to prevent initial compromise.
- Develop and test an incident response plan that includes procedures for quickly identifying, containing, and remediating APT activity.
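As an added example (not tooling from the advisory or from Trend Micro), the script below turns the two detection-oriented remediation items, searching the environment for the listed IOCs and watching cloud storage for abnormal transfers, into working code. It loads the indicators from the lists above, validates each one before it becomes a matching rule (so a truncated hash is reported rather than silently never matching), sweeps constructed sample log lines with boundary-aware matching, and flags large POST/PUT uploads to Dropbox and OneDrive API hosts. The indicators are copied from the page (the SHA-256 and SHA1 lists are trimmed to two entries each); the upload-host list, the 5 MiB threshold, and the sample log lines are assumptions.

```python
"""Sweep sample telemetry for the Earth Kurma indicators listed above and flag
large uploads to the cloud-storage services the group abuses.
Added example; not the advisory author's tooling."""
import ipaddress
import re
from collections import defaultdict

# Indicators copied from the advisory's IOC section (SHA-256 and SHA1 lists
# shortened to two entries each; paste in the remaining ones for real use).
IOC_TEXT = """
Domain Name
- www.dfsg3gfsga.space
- www.igtsadlb2ra.pw
- www.ihyvcs5t.pw
IP
- 149.28.147.63
- 38.147.191.103
- 38.60.199.225
- 45.77.250.21
MD5
- 78928b2767d6117c9263f7607b8e14c
- 57f4053f5d673cd7b6e7fe4dd33606ec
- 332049620b2946f03c70c4720a249fb6
- 705ccaefbc25b5de7fe861ea1e9a7238
- 8aa37b228a76dca1f3e02297d9bd6d52
- b1fbdcf9057825ee2fe726798d376e5e
- 60554308955996496aa1e7c4e4399816
SHA-256
- 2e87615142170a7510e26f94790bfb81df4d499a9f530d0bd8fe0fb1575b17f8
- 34366323262346e10d8780bad9d30c6d4d747e4ec543243be76f33b7c028ea36
SHA1
- 7e62ee9920d395a513aa4b112ecb22f7b5803be7
- a40a3a6b5073d24f708295f3c43edd8e4e774c06
"""

HASH_LENGTHS = {"MD5": 32, "SHA1": 40, "SHA-256": 64}
HEX = re.compile(r"^[0-9a-f]+$")


def load_iocs(text):
    """Parse '- value' entries under their type headings.
    Returns (iocs_by_type, rejected); rejected holds entries that failed
    validation (wrong hash length, non-hex chars, unparsable IP)."""
    iocs, rejected, section = defaultdict(set), [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not line.startswith("- "):
            section = line  # heading such as "MD5" or "IP"
            continue
        value = line[2:].strip().lower()
        if section in HASH_LENGTHS:
            if len(value) != HASH_LENGTHS[section] or not HEX.match(value):
                rejected.append((section, value))
                continue
        elif section == "IP":
            try:
                ipaddress.ip_address(value)
            except ValueError:
                rejected.append((section, value))
                continue
        iocs[section].add(value)
    return iocs, rejected


def build_matchers(iocs):
    """One compiled regex per indicator type, with boundaries so 38.60.199.225
    does not match inside 138.60.199.225 and an MD5 not inside a longer hash."""
    matchers = {}
    for kind, values in iocs.items():
        alt = "|".join(re.escape(v) for v in sorted(values))
        if kind == "IP":
            pattern = r"(?<![\d.])(?:%s)(?![\d.])" % alt
        elif kind in HASH_LENGTHS:
            pattern = r"(?<![0-9a-f])(?:%s)(?![0-9a-f])" % alt
        else:  # domains: a trailing dot (FQDN form) is still a hit
            pattern = r"(?<![\w.-])(?:%s)(?![\w-])" % alt
        matchers[kind] = re.compile(pattern)
    return matchers


def scan_lines(lines, iocs):
    """Return [(line_index, ioc_type, value)] for every indicator hit."""
    matchers, hits = build_matchers(iocs), []
    for idx, line in enumerate(lines):
        lowered = line.lower()
        for kind in sorted(matchers):
            for m in matchers[kind].finditer(lowered):
                hits.append((idx, kind, m.group(0)))
    return hits


# Assumed upload endpoints for the two services named in the advisory, as an
# egress proxy would see them; extend for your own tenant.
CLOUD_UPLOAD_HOSTS = {"content.dropboxapi.com", "graph.microsoft.com", "api.onedrive.com"}
PROXY_LINE = re.compile(r"\b(POST|PUT)\s+https?://([^/\s]+)\S*\s+(\d{3})\s+(\d+)\b")


def flag_cloud_uploads(lines, min_bytes=5 * 1024 * 1024):
    """Return [(line_index, host, bytes)] for POST/PUT requests to the cloud
    upload hosts whose body size is at least min_bytes (5 MiB by default)."""
    flagged = []
    for idx, line in enumerate(lines):
        m = PROXY_LINE.search(line)
        if not m:
            continue
        host, sent = m.group(2).lower(), int(m.group(4))
        if (host in CLOUD_UPLOAD_HOSTS or host.endswith(".sharepoint.com")) and sent >= min_bytes:
            flagged.append((idx, host, sent))
    return flagged


# Constructed sample telemetry (not real logs): DNS, firewall, EDR export, proxy.
SAMPLE_LOGS = [
    "2025-04-28T10:12:55Z 10.0.0.21 query www.igtsadlb2ra.pw A",
    "2025-04-28T10:13:01Z allow 10.0.0.21 -> 138.60.199.225:443",  # near-miss, no hit
    "2025-04-28T10:13:09Z allow 10.0.0.21 -> 45.77.250.21:443",
    "2025-04-28T10:13:40Z 10.0.0.21 file C:\\Windows\\Temp\\tmp\\a.exe md5=57f4053f5d673cd7b6e7fe4dd33606ec",
    "2025-04-28T10:14:02Z 10.0.0.21 POST https://content.dropboxapi.com/2/files/upload 200 15728640",
    "2025-04-28T10:14:30Z 10.0.0.22 GET https://www.example.com/ 200 2048",
]

if __name__ == "__main__":
    iocs, rejected = load_iocs(IOC_TEXT)
    for kind, value in rejected:
        print("rejected %s indicator, check the advisory text: %s" % (kind, value))
    for idx, kind, value in scan_lines(SAMPLE_LOGS, iocs):
        print("IOC hit on line %d [%s] %s" % (idx, kind, value))
    for idx, host, sent in flag_cloud_uploads(SAMPLE_LOGS):
        print("large cloud upload on line %d to %s: %d bytes" % (idx, host, sent))
```

Run against the constructed lines, the loader rejects the first MD5 entry (it is 31 hex characters, one short of a valid MD5), the sweep reports the domain, IP and MD5 hits while ignoring the 138.60.199.225 near-miss, and the upload check flags only the 15 MB POST to the Dropbox upload endpoint. The proxy cannot see the Dropbox access token or OneDrive refresh token the tools use, so the size and destination of the transfer, not its credentials, are what this rule keys on.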