A sophisticated APT group known as Earth Kurma is conducting cyberespionage against government and telecommunications organizations in Southeast Asia, primarily utilizing advanced malware, rootkits, and trusted cloud services for data exfiltration. Their operations pose significant risks, including credential theft and prolonged undetected access to sensitive data. Affected: government, telecommunications sectors, Southeast Asia (Philippines, Vietnam, Thailand, Malaysia)
Keypoints :
- Earth Kurma primarily targets government and telecommunications sectors in Southeast Asia.
- The group has been active since November 2020, focusing on cyberespionage and data exfiltration.
- Advanced tools such as TESDAT, SIMPOBOXSPY, KRNRAT, and MORIYA are used for their operations.
- Rootkits are employed to maintain persistence and conceal their activities on compromised networks.
- They exfiltrate data via trusted cloud services like Dropbox and OneDrive.
- Trend Vision Oneβ’ blocks malicious components associated with Earth Kurma.
MITRE Techniques :
- T1071.001 β Application Layer Protocol: Use of cloud storage services for data exfiltration.
- T1083 β File and Directory Discovery: Use of PowerShell commands to find specific file types for exfiltration.
- T1056.001 β Input Capture: Deployment of the KMLOG keylogger to capture keystrokes.
- T1027 β Obfuscated Files or Information: Integration of XOR encoding in their tools to evade detection.
- T1060 β Registry Run Keys / Start Folder: Manipulation of startup items to maintain persistence.
Indicator of Compromise :
- [File] C:Users{user}downloadswcrpc.dll
- [File] C:Users{user}documentsViberDownloadsmfsvc.dll
- [File] C:Windowssystem32cmd.exe
- [File] C:WindowsSysWOW64rundll32.exe
- [Email] infokey.zip (keylogger output)
Full Story: https://www.trendmicro.com/en_us/research/25/d/earth-kurma-apt-campaign.html