Beijing-backed cyberspies attacked 70+ orgs across 23 countries
Plus potential links to I-Soon, researchers say
Chinese cyberspies have compromised at least 70 organizations, mostly government entities, and targeted more than 116 victims across the globe, according to security researchers.
The Beijing-backed hacking crew, dubbed Earth Krahang, exploits public-facing servers and uses phishing emails to deploy two custom backdoors, according to Trend Micro, which has been monitoring the cyberespionage campaign since early 2022.
"One of the threat actor's favorite tactics involves using its malicious access to government infrastructure to attack other government entities, abusing the infrastructure to host malicious payloads, proxy attack traffic, and send spear-phishing emails to government-related targets using compromised government email accounts," Joseph Chen and Daniel Lunghi said in research published on Monday.
Earth Krahang also uses brute-force attacks to obtain credentials and steal victims' emails, we're told.
While government organizations seem to be the gang's primary focus — the security shop says it found at least 48 compromised government entities with another 49 being targeted — it also goes after education, telecommunications and other sectors.
These victims were spread across 23 different countries, mostly in Asia and America, but also in Europe and Africa.
Earth Krahang shares "multiple" connections with another China state-backed gang, Earth Lusca, and potential links to I-Soon, the Chinese security contractor that recently had a trove of documents leaked on GitHub. The files contained extensive details about Beijing's hacking campaigns against foreign governments.
"Using this leaked information, we found that the company organized their penetration team into two different subgroups," according to Trend, which theorizes that Earth Lusca and Earth Krahang could be I-Soon's two penetration teams.
The cyberspies use open-source scanning tools to find public-facing servers they can compromise. They also use vulnerability-scanning tools including sqlmap, nuclei, xray, vscan, pocsuite, and wordpressscan to find entry points into web servers, from which they can drop web shells and install backdoors.
Trend says it has spotted Earth Krahang exploiting CVE-2023-32315 in Openfire and CVE-2022-21587 in Oracle E-Business Suite's Web Applications Desktop Integrator "multiple times."
It also uses phishing emails with geopolitical-themed lures intended to trick targets into opening a malicious attachment or clicking on a URL, both of which allow the hacking crew to backdoor the victim's machine.
Some of the email subjects being used include "Malaysian Ministry of Defense Circular," "Malaysian defense minister visits Hungary," and "ICJ public hearings- Guyana vs. Venezuela."
Earth Krahang typically steals hundreds of email addresses from its victims, and then uses the compromised accounts to phish other government targets. "In one case, the actor used a compromised mailbox from a government entity to send a malicious attachment to 796 email addresses belonging to the same entity," Chen and Lunghi wrote.
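The mass send described above (one compromised mailbox, one attachment, 796 colleagues) is the kind of fan-out a mail-log detection can catch before the lures land. The script below is an added example, not code from Trend Micro or The Register: it reads a constructed, simplified message-tracking format (one sender/recipient pair per line) and flags any mailbox that sends attachment-bearing mail to an unusually large number of distinct same-domain recipients inside a sliding window. The log layout, the `gov.example` domain, and the threshold of 50 recipients per hour are assumptions for the demonstration; real Exchange or Postfix tracking logs need their own parser, but the grouping and threshold logic carry over.

```python
"""Detect a single mailbox fanning out attachment mail to many colleagues.

Added example (not Trend Micro's or The Register's code). The log format
below is constructed for the demo; only the parse_line() function needs
changing for a real message-tracking log.
"""
from collections import defaultdict
from datetime import datetime, timedelta


# Constructed record format, one message/recipient pair per line:
#   <ISO timestamp> <sender> <recipient> attach=<0|1> subject=<free text>
def parse_line(line):
    ts, sender, recipient, attach, subject = line.split(" ", 4)
    return {
        "ts": datetime.fromisoformat(ts),
        "sender": sender.lower(),
        "recipient": recipient.lower(),
        "attach": attach == "attach=1",
        "subject": subject[len("subject="):],
    }


def find_fanout(lines, window=timedelta(hours=1), min_recipients=50,
                same_domain_only=True):
    """Return {sender: details} for senders that, within `window`, delivered
    attachment-bearing mail to at least `min_recipients` distinct recipients.
    With same_domain_only=True only recipients in the sender's own domain
    count, which matches the "phish your own colleagues" pattern."""
    events = sorted((parse_line(l) for l in lines if l.strip()),
                    key=lambda e: e["ts"])
    by_sender = defaultdict(list)
    for e in events:
        if e["attach"]:                      # attachment-less bulk mail is ignored
            by_sender[e["sender"]].append(e)

    alerts = {}
    for sender, evs in by_sender.items():
        domain = sender.rsplit("@", 1)[-1]
        best = None                          # largest qualifying window seen
        lo = 0
        for hi in range(len(evs)):
            while evs[hi]["ts"] - evs[lo]["ts"] > window:
                lo += 1                      # slide the window start forward
            win = evs[lo:hi + 1]
            if same_domain_only:
                win = [e for e in win if e["recipient"].endswith("@" + domain)]
            recips = {e["recipient"] for e in win}
            if len(recips) >= min_recipients and (best is None or len(recips) > best[0]):
                best = (len(recips), lo, hi, win)
        if best:
            count, lo, hi, win = best
            alerts[sender] = {
                "distinct_recipients": count,
                "subjects": sorted({e["subject"] for e in win}),
                "first": evs[lo]["ts"].isoformat(),
                "last": evs[hi]["ts"].isoformat(),
            }
    return alerts


def build_sample_log():
    """Constructed sample: one compromised mailbox blasts 60 colleagues with
    the same attachment in ten minutes; a bulletin sender reaches 80 people
    with no attachment; a normal user sends two attachments."""
    base = datetime(2024, 3, 4, 9, 0, 0)
    lines = []
    for i in range(60):
        ts = (base + timedelta(seconds=10 * i)).isoformat()
        lines.append(f"{ts} alice@gov.example user{i}@gov.example attach=1 "
                     "subject=Ministry of Defense Circular")
    for i in range(80):
        ts = (base + timedelta(seconds=5 * i)).isoformat()
        lines.append(f"{ts} news@gov.example staff{i}@gov.example attach=0 "
                     "subject=Weekly bulletin")
    for i in range(2):
        ts = (base + timedelta(minutes=30 + i)).isoformat()
        lines.append(f"{ts} bob@gov.example peer{i}@gov.example attach=1 "
                     "subject=Meeting notes")
    return lines


if __name__ == "__main__":
    for sender, info in find_fanout(build_sample_log()).items():
        print(sender, info)
```

Tune `min_recipients` to the organisation's baseline rather than leaving it at 50; mailing-list-style senders should be allow-listed explicitly instead of by raising the threshold, so that a compromised ordinary mailbox still stands out.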
The gang also installs the SoftEther VPN on compromised public-facing servers, which allows it to connect to the victim's network and move laterally, install backdoors to maintain persistence, and access credentials.
While it does use Cobalt Strike, Earth Krahang also has two custom backdoors, RESHELL and XDealer, that it uses in attacks.
RESHELL, a .NET backdoor that can collect information, drop files and execute system commands, was used several times in 2022. Previously, Palo Alto Networks' Unit 42 documented its use in a targeted attack against a Southeast Asian government.
Since 2023, however, Earth Krahang has been using XDealer, also tracked as DinodasRAT, which has more capabilities and can target both Windows and Linux machines:
It's worth noting that many early XDealer samples were developed as a DLL file packaged with an installer, a stealer module DLL, a text file containing an ID string, and an LNK file. The LNK file executes the installer, which then installs the XDealer DLL and the stealer module DLL on the victim's machine. The stealer module can take screenshots, steal clipboard data, and log keystrokes.
Trend's report includes a full list of indicators of compromise that organizations, especially government entities, should check against their own environments.
Considering the gang's preference for high-value targets, and their use of compromised government infrastructure for espionage purposes, Trend recommends organizations train their employees on how to avoid phishing and other social engineering attacks. And, as always, strongly advises people not to click on links or open attachments before verifying the sender's identity.
Additionally, make sure software is up-to-date and security patches are installed so as to not give Earth Krahang or any other cybercriminals an easy way to break in. ®