Given the similarity of the Cobalt Strike command-and-control (C2) domains used by these two intrusion sets—such as "s3cloud-azure," "s2cloud-amazon," "s3bucket-azure," and "s3cloud-azure”, it is most likely related. The ultimate objective of the attacks is to install a customized version of Cobalt Strike, which serves as a DLL side-loading launchpad for the EAGLEDOOR backdoor ("Eagle.dll").

The malware can connect to the C2 server via TCP, TCP/IP, DNS, and Telegram in four different ways. The victim status is transmitted using the first three protocols, but the main functionality—which includes the ability to upload and download files as well as run additional payloads—is achieved through the Telegram Bot API. Curl.exe is used to exfiltrate the collected data.

Earth Baxia, most likely with headquarters in China, ran a cunning operation that targeted the energy and government sectors throughout several APAC nations. They employed cutting-edge methods to infiltrate and exfiltrate data, including spear-phishing, GeoServer exploitation, and bespoke malware (Cobalt Strike and EAGLEDOOR). The fact that malicious files are hosted on public cloud services and that EAGLEDOOR supports multiple protocols demonstrate how flexible and intricate their business practices are.

Impact

• Sensitive Data Theft
• Data Exfiltration
• Cyber Espionage

Indicators of Compromise

Domain Name

• status.s3cloud-azure.com
• api.s2cloud-amazon.com
• visualstudio-microsoft.com
• us2.s3bucket-azure.online
• static.trendmicrotech.com
• rocean.oca.pics
• static.krislab.site
• ms1.hinet.lat
• msa.hinet.ink

IP

• 167.172.89.142
• 167.172.84.142
• 152.42.243.170
• 188.166.252.85

MD5

• 249c2d77aa53c36b619bdfbf02a817e5
• 8ccc4ccb2d53f699bca2cfc801b300b5
• e51f2ea5a877e3638457e01bf46a20e1
• 55689e6075629b68798c1feb2d168516
• 9bbb096a052ad6e4055b39f2c9216026
• 9f376a334f9362c6c316a56e2ffd4971

SHA-256

• 4edc77c3586ccc255460f047bd337b2d09e2339e3b0b0c92d68cddedf2ac1e54
• 6be4dd9af27712f5ef6dc7d684e5ea07fa675b8cbed3094612a6696a40c664ce
• 1e6c661d6981c0fa56c011c29536e57d21545fd11205eddf9218269ddf53d448
• 04b336c3bcfe027436f36dfc73a173c37c66288c7160651b11561b39ce2cd25e
• c78a02fa928ed8f83bda56d4b269152074f512c2cb73d59b2029bfc50ac2b8bc
• 1c13e6b1f57de9aa10441f63f076b7b6bd6e73d180e70e6148b3e551260e31ee

SHA-1

• 9833566856f924e4a60e4dd6a06bf9859061f4be
• a4c2f1d0dbd7509d57f9782e54d52df2abf04d0c
• d9b814f53e82f686d84647b7d390804b331f1583
• b357eed1a320773ba4bb551dcb31bca9eb591aa1
• e2b0c45beadff54771a0ad581670a10e76dc4cf1
• dce0a4c008ea7c02d768bc7fd5a910e79781f925

Remediation

• Block all threat indicators at your respective controls.
• Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
• Regularly change passwords for all accounts and use strong, unique passwords for sensitive accounts.
• Carefully check the URLs before entering credentials or downloading software.
• Implement multi-factor authentication (MFA) on all accounts to add an extra layer of security to login processes.
• Consider the use of phishing-resistant authenticators to further enhance security. These types of authenticators are designed to resist phishing attempts and provide additional protection against social engineering attacks.
• Regularly monitor network activity for any unusual behavior, as this may indicate that a cyberattack is underway.
• Organizations need to stay vigilant and follow best practices for cybersecurity to protect their systems and data from potential threats. This includes regularly updating software and implementing strong access controls and monitoring tools.
• Develop a comprehensive incident response plan to respond effectively in case of a security breach or data leakage.
• Maintain regular backups of critical data and systems to ensure data recovery in case of a security incident.
• Adhere to security best practices, including the principle of least privilege, and ensure that users and applications have only the necessary permissions.
• Establish a robust patch management process to ensure that security patches are evaluated, tested, and applied promptly.
• Conduct security audits and assessments to evaluate the overall security posture of your systems and networks.
• Implement network segmentation to contain and isolate potential threats to limit their impact on critical systems.
• Never trust or open links and attachments received from unknown sources/senders.