Earth Aughisky (Taidoor) remains an active, long-running APT group that has gradually adapted its malware toolkit against targets in Taiwan and Japan. The post catalogs Earth Aughisky’s malware families, their connections to other groups, and potential strategic shifts, highlighting a broader ecosystem around Roudan, LuckDLL, GrubbyRAT, Taikite, SiyBot, and Taleret.
Read more: https://www.trendmicro.com/en_us/research/22/j/tracking-earth-aughiskys-malware-and-changes.html
#EarthAughisky #Taidoor #Roudan #LuckDLL #GrubbyRAT #Taikite #SiyBot #Taleret #ASRWEC #Gubb #30Boxes
Key points
- Earth Aughisky (Taidoor) has remained active for over a decade, with targets in Taiwan and Japan.
- The research catalogs multiple Earth Aughisky malware families (Roudan/Taidoor, LuckDLL, GrubbyRAT, Taikite, SiyBot, Taleret) and notes overlaps with other APT groups.
- Roudan’s callback traffic uses encoded MAC addresses and data, showing obfuscation of communications.
- LuckDLL is a newer backdoor (post-2020) that embeds a public key in its config and encrypts traffic with a generated session key and IV.
- GrubbyRAT is deployed selectively for high-value targets and is often installed manually after attackers gain admin privileges, sometimes masquerading under existing app folders.
- SiyBot abuses earlier versions of legacy public services (Gubb and 30 Boxes) for C2 and carries the actor’s own 30 Boxes credential in its malware configuration.
- There are overlaps in C2 infrastructure and shared artifacts (hashes, logs, blog hosts) among Roudan, SiyBot, and Taleret, indicating a connected ecosystem.
MITRE Techniques
- [T1027] Obfuscated Files or Information – Roudan’s callback traffic carries an encoded MAC address and encoded data rather than plaintext identifiers.
- [T1132] Data Encoding – Taikite’s C&C callback traffic is Base64-encoded (Base64 is T1132.001, Standard Encoding).
- [T1573] Encrypted Channel – LuckDLL generates a random session key and initialization vector (IV) to encrypt its traffic; the public key embedded in its configuration encrypts the session key and IV during the initial communication, so captured traffic cannot be decrypted without the operator’s private key or the session secrets recovered from memory.
- [T1071.001] Web Protocols – SiyBot abuses earlier versions of the public services Gubb and 30 Boxes for C&C communication (T1102, Web Service, is the closer fit for C2 over third-party services).
- [T1068] Exploitation for Privilege Escalation – GrubbyRAT is installed manually after the threat actor has gained administrative privileges and control of the infected system; the source does not say how those privileges were obtained, so the exploitation mapping is inferred rather than observed.
- [T1036] Masquerading – GrubbyRAT’s configuration file is installed under an existing application or system folder and uses the same file name as a legitimate component there.
- [T1552.001] Credentials In Files – the 30 Boxes credential is embedded in the malware configuration; note this is the actor’s own service credential carried by the implant, not a credential harvested from the victim, which makes it a useful pivot for tracking infrastructure.
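The LuckDLL scheme summarized above (random session key and IV, wrapped under an embedded public key during the initial communication, then symmetric encryption of the traffic) is worth seeing end to end, because it decides what an analyst can and cannot recover from a capture. The following is an added example written for this summary, not code from the Trend Micro post or from LuckDLL itself. The page names no algorithms, so RSA-OAEP for the wrap, AES-256-CTR for the traffic, a 32-byte key and a 16-byte IV are all assumptions; the beacon text is constructed sample input.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

const sessionKeyLen = 32 // AES-256; assumption, the page names no cipher or key size

// SessionSecrets is what the implant draws fresh on each run and ships to the
// operator under the embedded public key ("session key and IV" in the page).
type SessionSecrets struct {
	Key []byte
	IV  []byte
}

// GenerateOperatorKey stands in for the operator's keypair; only the public
// half would be embedded in the implant's configuration.
func GenerateOperatorKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// NewSessionSecrets models "generate a random session key and IV".
func NewSessionSecrets() (*SessionSecrets, error) {
	key := make([]byte, sessionKeyLen)
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	return &SessionSecrets{Key: key, IV: iv}, nil
}

// WrapSecrets is the initial communication: key||iv encrypted to the embedded
// public key. RSA-OAEP is an assumption; the page only says "public key".
func WrapSecrets(pub *rsa.PublicKey, s *SessionSecrets) ([]byte, error) {
	packed := append(append([]byte{}, s.Key...), s.IV...)
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, packed, nil)
}

// UnwrapSecrets is the operator side. Only the private key recovers the session
// secrets, which is why a PCAP alone cannot be decrypted by a defender.
func UnwrapSecrets(priv *rsa.PrivateKey, blob []byte) (*SessionSecrets, error) {
	packed, err := rsa.DecryptOAEP(sha256.New(), nil, priv, blob, nil)
	if err != nil {
		return nil, fmt.Errorf("unwrap failed (wrong private key?): %w", err)
	}
	if len(packed) != sessionKeyLen+aes.BlockSize {
		return nil, fmt.Errorf("unexpected secret length %d", len(packed))
	}
	return &SessionSecrets{Key: packed[:sessionKeyLen], IV: packed[sessionKeyLen:]}, nil
}

// EncryptTraffic encrypts one C2 message with the session key (AES-CTR here, an
// assumption). In this model the IV is fixed for the whole session, so every
// message reuses the same keystream: XORing two captured messages cancels the
// keystream and leaves p1 XOR p2. That is a weakness worth testing for once the
// real cipher and IV handling of a sample have been identified.
func EncryptTraffic(s *SessionSecrets, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(s.Key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(plaintext))
	cipher.NewCTR(block, s.IV).XORKeyStream(out, plaintext)
	return out, nil
}

// DecryptTraffic is what an analyst does after pulling Key and IV out of the
// implant's memory (or what the operator does with the unwrapped secrets).
// CTR is symmetric, so it is the same operation as encryption.
func DecryptTraffic(s *SessionSecrets, ciphertext []byte) ([]byte, error) {
	return EncryptTraffic(s, ciphertext)
}

func check(err error) {
	if err != nil {
		panic(err)
	}
}

func main() {
	priv, err := GenerateOperatorKey()
	check(err)
	s, err := NewSessionSecrets()
	check(err)
	blob, err := WrapSecrets(&priv.PublicKey, s)
	check(err)
	got, err := UnwrapSecrets(priv, blob)
	check(err)
	ct, err := EncryptTraffic(s, []byte("beacon host=WS01")) // constructed sample beacon
	check(err)
	pt, err := DecryptTraffic(got, ct)
	check(err)
	fmt.Printf("wrapped secrets: %d bytes, recovered plaintext: %q\n", len(blob), pt)
}
```

The practical takeaway for incident response: the first message on the wire is the wrapped secrets, and nothing in it helps without the operator’s private key, so decryption of a captured session depends on dumping the session key and IV from the running process (or on a weakness such as the keystream reuse noted in the comments) rather than on the capture itself.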
Indicators of Compromise
- [Credential] – the 30 Boxes credential embedded in the malware configuration
- [Tool/Downloader] – ASRWEC downloader payload observed in the same repository as related Earth Aughisky tools
- [PDB/String] – a .pdb path string present in Taikite samples observed in Taiwan
- [C2 Service] – SiyBot command-and-control over the public services Gubb and 30 Boxes