Invitation to a Secret Event: Uncovering Earth Yako’s Campaigns

Earth Yako is an intrusion set linked to Operation RestyLink/EneLink, with newly observed TTPs and infrastructure for cyberespionage against Japanese researchers and think tanks (also some Taiwan targets). The campaign features multiple malware families (MirrorKey, TransBox, PlugBox, Dulload, PULink, ShellBox) leveraging Dropbox API for data theft and C2, plus a dynamically evolving attack surface and attribution considerations. #EarthYako #MirrorKey

Keypoints

  • Earth Yako is an intrusion set active from 2021 into 2023 and attributed to Operation RestyLink/Enelink, with activity still ongoing as of January 2023.
  • Targets are primarily researchers in Japan’s academia and think tanks, with some attacks affecting organizations in Taiwan.
  • Initial access is through spearphishing emails masquerading as invitations, leading to downloads of .zip/.iso archives containing a .lnk to download a payload.
  • New malware/tools observed include MirrorKey, TransBox, PlugBox, Dulload, PULink, and ShellBox, many using the Dropbox API for C2 and data theft.
  • MirrorKey uses DLL sideloading (OFFCLN.EXE loads DWINTL.DLL) and CVE-2013-3900 to embed encrypted payloads; payloads are decrypted with AES128-ECB.
  • TransBox is a Dropbox API-based backdoor that collects system data, exfiltrates via Dropbox, and can upload credentials from browsers.
  • PlugBox expands Dropbox-based backdoor tactics with OAuth-like tokens to access Dropbox and receive commands; ShellBox uses a GitHub-hosted token workflow to obtain a second-stage URL and drop encrypted payloads from Dropbox.

MITRE Techniques

  • [T1566.002] Phishing – “In this campaign, Earth Yako uses spearphishing for entry, with the URL in the email body leading the target to download a .zip or .iso file when clicked.”
  • [T1574.001] Hijack Execution Flow: DLL Search Order Hijacking – MirrorKey is executed through DLL sideloading: the legitimate OFFCLN.EXE loads a DLL (DWINTL.DLL) placed in the same directory; “This DLL is loaded by OFFCLN.EXE, which is a legitimate Microsoft application but used for DLL sideloading to load OCLEAN.DLL in the same directory on execution.”
  • [T1203] Exploitation for Client Execution – CVE-2013-3900 used to embed arbitrary data in a legitimate signature; “CVE-2013-3900 is a vulnerability that does not properly validate the executable (PE) file digest during Authenticode Signature validation, which can be abused by an attacker to embed arbitrary data at the end of a legitimate digital signature.”
  • [T1027] Obfuscated/Compressed Files and Information – Data embedded at the end of files and encrypted payload data; “two types of data were embedded: an encrypted payload and data for decryption.”
  • [T1082] System Information Discovery – TransBox collects drive, host name, OS version, and IP address; “system information from the infected machine is collected, such as drive-related information, host name, operating system (OS) version, and IP address.”
  • [T1132] Data Encoding – Use of zlib compression and 1-byte XOR encoding before uploading data; “compressed with zlib and encoded with 1-byte XOR cipher.”
  • [T1071.004] Application Layer Protocol: Web Services – Dropbox-based C2/Exfiltration; “uploads to the attacker’s Dropbox account” and command retrieval via Dropbox API endpoints; “Receiving commands” via Dropbox URLs.
  • [T1555.003] Credentials from Web Browsers – PlugBox/TransBox upload browser credentials (Chrome/Firefox) as part of data theft.
  • [T1547.001] Boot or Logon Autostart: Startup Folder – PULink creates a shortcut in the Startup folder for persistence; “a shortcut file in the Startup folder to achieve persistence.”
  • [T1055] Process Injection – Malware components loaded in memory and executed (e.g., TransBox loaded and started via MirrorKey); “dynamically loaded in the memory” and “starts executing when the export function… is called.”
  • [T1036] Masquerading – Use of legitimate binaries and DLLs (and DLL sideloading) to appear legitimate; implied by OFFCLN.EXE/DWINTL.DLL usage.
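The MirrorKey items above (T1203/T1027) describe data hidden inside an Authenticode signature via CVE-2013-3900. The following is an added defender-side check, not code from Trend Micro or from the campaign: it parses a PE's security directory, measures the real DER length of the PKCS#7 blob, and flags any non-zero bytes that follow it inside the WIN_CERTIFICATE entry (the padding Microsoft's EnableCertPaddingCheck rejects). The PE skeleton it builds for demonstration is constructed here and is not a real sample.

```python
import struct

# Constructed stand-in for a PKCS#7 blob: a DER SEQUENCE holding one INTEGER.
# Real Authenticode signatures are far larger; the length parsing is the same.
SAMPLE_DER = b"\x30\x03\x02\x01\x00"

def der_total_length(blob: bytes) -> int:
    """Encoded size (tag + length + content) of the DER SEQUENCE at blob[0]."""
    if len(blob) < 2 or blob[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    first = blob[1]
    if first < 0x80:                      # short form: one length byte
        return 2 + first
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or n > 4 or len(blob) < 2 + n:
        raise ValueError("unsupported DER length")
    return 2 + n + int.from_bytes(blob[2:2 + n], "big")

def signature_padding(pe: bytes) -> bytes:
    """Bytes inside the WIN_CERTIFICATE entry after the PKCS#7 content.
    The Authenticode hash skips the whole certificate table, so this region
    is not integrity-checked (CVE-2013-3900) and can carry arbitrary data."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    opt = e_lfanew + 24                                   # after PE sig + COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    dd = opt + (96 if magic == 0x10B else 112)            # data directories (PE32 / PE32+)
    sec_off, _ = struct.unpack_from("<II", pe, dd + 4 * 8)  # IMAGE_DIRECTORY_ENTRY_SECURITY
    if sec_off == 0:
        return b""                                        # unsigned file: nothing to check
    dw_length = struct.unpack_from("<I", pe, sec_off)[0]  # WIN_CERTIFICATE.dwLength
    cert = pe[sec_off + 8:sec_off + dw_length]            # skip dwLength/wRevision/wCertificateType
    return cert[der_total_length(cert):]

def has_hidden_data(pe: bytes) -> bool:
    """True when the signature padding holds anything other than zero bytes."""
    return any(signature_padding(pe))

def build_sample_pe(padding: bytes) -> bytes:
    """Construct a minimal, non-runnable PE32 skeleton whose security directory
    points at one WIN_CERTIFICATE entry carrying SAMPLE_DER plus padding."""
    cert = SAMPLE_DER + padding
    win_cert = struct.pack("<IHH", 8 + len(cert), 0x0200, 0x0002) + cert
    e_lfanew, opt_size = 0x40, 96 + 16 * 8                # PE32 optional header + 16 directories
    cert_off = e_lfanew + 4 + 20 + opt_size
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, opt_size, 0x2102)
    opt = struct.pack("<H", 0x10B) + b"\0" * 94 + b"\0" * (4 * 8)    # directories 0..3 empty
    opt += struct.pack("<II", cert_off, len(win_cert)) + b"\0" * (11 * 8)
    return dos + b"PE\0\0" + coff + opt + win_cert
```

Run it over real signed binaries (for example an OFFCLN.EXE-style sideloading host and its neighbours) and triage any file where has_hidden_data is True; an encrypted blob in this region is exactly the pattern described for MirrorKey.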

Indicators of Compromise

  • [SHA256] Detection – f38c367e6e4e7f6e20fa7a3ce0d8501277f5027f93e46761e72c36ec709f4304, bdc15b09b78093a1a5503a1a7bfb487f7ef4ca2cb8b4d1d1bdf9a54cdc87fae4
  • [Domains/IP addresses] – driveshoster[.]com, disknxt[.]com, 45[.]32[.]13[.]214, and hxxps://github[.]com/lettermaker/topsuggestions/blob/main/README.md

Read more: https://www.trendmicro.com/en_us/research/23/b/invitation-to-secret-event-uncovering-earth-yako-campaigns.html