Exploring Earth Baku’s Newest Campaign

Earth Baku, linked to APT41, has expanded its operations from the Indo-Pacific to Europe, the Middle East, and Africa, targeting Italy, Germany, the UAE, and Qatar, with possible activity in Georgia and Romania. The group gains entry through public-facing IIS servers and deploys a suite of advanced malware, including the Godzilla webshell, StealthVector, StealthReacher, and SneakCross; SneakCross is a modular backdoor that leverages Google services for C2.

Key points

  • Earth Baku expanded its operational scope from the Indo-Pacific to Europe, the Middle East, and Africa, targeting countries like Italy, Germany, UAE, and Qatar (with suspected activity in Georgia and Romania).
  • Public-facing applications, particularly IIS servers, are used as entry points for attacks.
  • Malware toolset includes Godzilla webshell, StealthVector, StealthReacher, and SneakCross.
  • StealthVector and StealthReacher act as loaders for the backdoor components, protecting their payloads with AES encryption and code obfuscation.
  • SneakCross is a modular backdoor that uses Google services for command-and-control.
  • Post-exploitation tools include a customized iox tool, Rakshasa, Tailscale for persistence, and MEGAcmd for data exfiltration.
  • Defensive recommendations emphasize least privilege, patching, incident response planning, and 3-2-1 backups.

MITRE Techniques

  • [T1059] Command-Line Interface – Execution via the command line during operations.
  • [T1086] PowerShell – Use of PowerShell for script-based execution.
  • [T1053] Scheduled Task/Job – Persistence through scheduled tasks.
  • [T1060] Registry Run Keys / Startup Folder – Persistence via startup registry keys.
  • [T1203] Exploitation of Vulnerability – Privilege escalation through exploiting a vulnerability.
  • [T1027] Obfuscated Files or Information – Defense evasion through obfuscation.
  • [T1089] Disabling Security Tools – Defense evasion by disabling security tools.
  • [T1003] Credential Dumping – Accessing credentials stored on the system.
  • [T1046] Network Service Scanning – Discovery of network services.
  • [T1083] File and Directory Discovery – Discovery of files and directories.
  • [T1041] Exfiltration Over Command and Control Channel – Exfiltration over the C2 channel.
  • [T1048] Exfiltration Over Alternative Protocol – Exfiltration via an alternative protocol.

Indicators of Compromise

  • [URL] Indicators of Compromise file – https://www.trendmicro.com/content/dam/trendmicro/global/en/research/24/h/earth-baku/ioc-a-dive-into-earth-baku-latest-campaign.txt – The IOCs for Earth Baku’s latest campaign are listed in this file.

Read more: https://www.trendmicro.com/en_us/research/24/h/earth-baku-latest-campaign.html