June 18, 2025
Proactive Defense: The Importance of Incident Response Planning in Cybersecurity
Multiple D-Link Products Vulnerabilities
September 23, 2024
Software Developers Targeted by New PondRAT Malware Hiding in Python Packages – Active IOCs
September 23, 2024
Multiple D-Link Products Vulnerabilities
September 23, 2024
Software Developers Targeted by New PondRAT Malware Hiding in Python Packages – Active IOCs
September 23, 2024
Severity
High
Analysis Summary
A Chinese-based advanced persistent threat (APT) used a recently fixed severe vulnerability affecting OSGeo GeoServer GeoTools to attack a government agency in Taiwan and probably other countries in the Asia-Pacific (APAC) region.
Cybersecurity researchers discovered the intrusion activity in July 2024, and it has been linked to a threat actor known as Earth Baxia. The targets appear to be mostly government organizations, communications companies, and the energy industry in the Philippines, South Korea, Vietnam, Taiwan, and Thailand, based on the phishing emails, fake documents, and incident observations gathered. China is likely among the impacted nations as well, given the finding of lure documents in Simplified Chinese, though the cybersecurity researchers stated they lack sufficient information to identify which industries within the nation have been targeted.
In an attempt to weaken the victim's defenses, the threat actor uses AppDomainManager injection and GrimResource to deliver more payloads. The first technique uses a spoof MSC file called RIPCOY that is attached to a ZIP file to download next-stage malware. It's important to note that a Japanese cybersecurity firm recently disclosed an activity cluster linked to APT41, claiming that the same two approaches were employed to target Vietnamese energy organizations, Taiwan, and the military of the Philippines.
Given the similarity of the Cobalt Strike command-and-control (C2) domains used by these two intrusion sets—such as "s3cloud-azure," "s2cloud-amazon," "s3bucket-azure," and "s3cloud-azure”, it is most likely related. The ultimate objective of the attacks is to install a customized version of Cobalt Strike, which serves as a DLL side-loading launchpad for the EAGLEDOOR backdoor ("Eagle.dll").
The malware can connect to the C2 server via TCP, TCP/IP, DNS, and Telegram in four different ways. The victim status is transmitted using the first three protocols, but the main functionality—which includes the ability to upload and download files as well as run additional payloads—is achieved through the Telegram Bot API. Curl.exe is used to exfiltrate the collected data.
Earth Baxia, most likely with headquarters in China, ran a cunning operation that targeted the energy and government sectors throughout several APAC nations. They employed cutting-edge methods to infiltrate and exfiltrate data, including spear-phishing, GeoServer exploitation, and bespoke malware (Cobalt Strike and EAGLEDOOR). The fact that malicious files are hosted on public cloud services and that EAGLEDOOR supports multiple protocols demonstrate how flexible and intricate their business practices are.
Impact
- Sensitive Data Theft
- Data Exfiltration
- Cyber Espionage
Indicators of Compromise
Domain Name
- status.s3cloud-azure.com
- api.s2cloud-amazon.com
- visualstudio-microsoft.com
- us2.s3bucket-azure.online
- static.trendmicrotech.com
- rocean.oca.pics
- static.krislab.site
- ms1.hinet.lat
- msa.hinet.ink
IP
- 167.172.89.142
- 167.172.84.142
- 152.42.243.170
- 188.166.252.85
MD5
- 249c2d77aa53c36b619bdfbf02a817e5
- 8ccc4ccb2d53f699bca2cfc801b300b5
- e51f2ea5a877e3638457e01bf46a20e1
- 55689e6075629b68798c1feb2d168516
- 9bbb096a052ad6e4055b39f2c9216026
- 9f376a334f9362c6c316a56e2ffd4971
SHA-256
- 4edc77c3586ccc255460f047bd337b2d09e2339e3b0b0c92d68cddedf2ac1e54
- 6be4dd9af27712f5ef6dc7d684e5ea07fa675b8cbed3094612a6696a40c664ce
- 1e6c661d6981c0fa56c011c29536e57d21545fd11205eddf9218269ddf53d448
- 04b336c3bcfe027436f36dfc73a173c37c66288c7160651b11561b39ce2cd25e
- c78a02fa928ed8f83bda56d4b269152074f512c2cb73d59b2029bfc50ac2b8bc
- 1c13e6b1f57de9aa10441f63f076b7b6bd6e73d180e70e6148b3e551260e31ee
SHA-1
- 9833566856f924e4a60e4dd6a06bf9859061f4be
- a4c2f1d0dbd7509d57f9782e54d52df2abf04d0c
- d9b814f53e82f686d84647b7d390804b331f1583
- b357eed1a320773ba4bb551dcb31bca9eb591aa1
- e2b0c45beadff54771a0ad581670a10e76dc4cf1
- dce0a4c008ea7c02d768bc7fd5a910e79781f925
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Regularly change passwords for all accounts and use strong, unique passwords for sensitive accounts.
- Carefully check the URLs before entering credentials or downloading software.
- Implement multi-factor authentication (MFA) on all accounts to add an extra layer of security to login processes.
- Consider the use of phishing-resistant authenticators to further enhance security. These types of authenticators are designed to resist phishing attempts and provide additional protection against social engineering attacks.
- Regularly monitor network activity for any unusual behavior, as this may indicate that a cyberattack is underway.
- Organizations need to stay vigilant and follow best practices for cybersecurity to protect their systems and data from potential threats. This includes regularly updating software and implementing strong access controls and monitoring tools.
- Develop a comprehensive incident response plan to respond effectively in case of a security breach or data leakage.
- Maintain regular backups of critical data and systems to ensure data recovery in case of a security incident.
- Adhere to security best practices, including the principle of least privilege, and ensure that users and applications have only the necessary permissions.
- Establish a robust patch management process to ensure that security patches are evaluated, tested, and applied promptly.
- Conduct security audits and assessments to evaluate the overall security posture of your systems and networks.
- Implement network segmentation to contain and isolate potential threats to limit their impact on critical systems.
- Never trust or open links and attachments received from unknown sources/senders.