Earth Baxia Uses Spear-Phishing and GeoServer Exploit to Target APAC

    Date: 09/20/2024

    Severity: Critical

    Summary

    The threat actor Earth Baxia has targeted a Taiwanese government organization and potentially others in the Asia-Pacific region using spear-phishing emails and the GeoServer vulnerability CVE-2024-36401, which allows remote code execution. They utilized GrimResource and AppDomainManager injection to deploy additional payloads while customizing Cobalt Strike components for evasion. The modified Cobalt Strike included altered signatures and configuration structures. Additionally, they employed a new backdoor called EAGLEDOOR for information gathering and payload delivery, supporting multiple communication protocols.

    Indicators of Compromise (IOC) List

    Domains\URLs


    IP Address

    167.172.89.142

    167.172.84.142

    152.42.243.170

    188.166.252.85

    Hash


    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Domains\URLs

    userdomainname like "us2.s3bucket-azure.online" or url like "us2.s3bucket-azure.online" or userdomainname like "visualstudio-microsoft.com" or url like "visualstudio-microsoft.com" or userdomainname like "proradead.s3.sa-east-1.amazonaws.com" or url like "proradead.s3.sa-east-1.amazonaws.com" or userdomainname like "static.trendmicrotech.com" or url like "static.trendmicrotech.com" or userdomainname like "360photo.oss-cn-hongkong.aliyuncs.com" or url like "360photo.oss-cn-hongkong.aliyuncs.com" or userdomainname like "s3-contemp.s3.sa-east-1.amazonaws.com" or url like "s3-contemp.s3.sa-east-1.amazonaws.com" or userdomainname like "speedshare.oss-cn-hongkong.aliyuncs.com" or url like "speedshare.oss-cn-hongkong.aliyuncs.com" or userdomainname like "recordar-simmco.s3.sa-east-1.amazonaws.com" or url like "recordar-simmco.s3.sa-east-1.amazonaws.com" or userdomainname like "wordpresss-data.s3.me-south-1.amazonaws.com" or url like "wordpresss-data.s3.me-south-1.amazonaws.com" or userdomainname like "ecgglass-arq.s3.sa-east-1.amazonaws.com" or url like "ecgglass-arq.s3.sa-east-1.amazonaws.com" or userdomainname like "souzacambos.s3.sa-east-1.amazonaws.com" or URL like "souzacambos.s3.sa-east-1.amazonaws.com" or userdomainname like "cooltours.s3.sa-east-1.amazonaws.com" or url like "cooltours.s3.sa-east-1.amazonaws.com" or userdomainname like "xiiltrionsoledadprod.s3.sa-east-1.amazonaws.com" or url like "xiiltrionsoledadprod.s3.sa-east-1.amazonaws.com" or userdomainname like "app-dimensiona.s3.sa-east-1.amazonaws.com" or url like "app-dimensiona.s3.sa-east-1.amazonaws.com" or userdomainname like "bjj-files-production.s3.sa-east-1.amazonaws.com" or url like "bjj-files-production.s3.sa-east-1.amazonaws.com" or userdomainname like "footracker-statics.s3.sa-east-1.amazonaws.com" or url like "footracker-statics.s3.sa-east-1.amazonaws.com" or userdomainname like "homologacao-sisp.s3.sa-east-1.amazonaws.com" or url like "homologacao-sisp.s3.sa-east-1.amazonaws.com" or 
userdomainname like "doare-assets.s3.sa-east-1.amazonaws.com" or url like "doare-assets.s3.sa-east-1.amazonaws.com" or userdomainname like "kcalmoments.s3.me-south-1.amazonaws.com" or url like "kcalmoments.s3.me-south-1.amazonaws.com" or userdomainname like "bobs8.oss-cn-hongkong.aliyuncs.com" or url like "bobs8.oss-cn-hongkong.aliyuncs.com" or userdomainname like "status.s3cloud-azure.com" or url like "status.s3cloud-azure.com" or userdomainname like "api.s2cloud-amazon.com" or url like "api.s2cloud-amazon.com" or userdomainname like "rocean.oca.pics" or url like "rocean.oca.pics" or userdomainname like "static.krislab.site" or url like "static.krislab.site" or userdomainname like "ms1.hinet.lat" or url like "ms1.hinet.lat" or userdomainname like "msa.hinet.ink" or url like "msa.hinet.ink"

    IP Address

    dstipaddress IN ("167.172.89.142","167.172.84.142","152.42.243.170","188.166.252.85") or ipaddress IN ("167.172.89.142","167.172.84.142","152.42.243.170","188.166.252.85") or publicipaddress IN ("167.172.89.142","167.172.84.142","152.42.243.170","188.166.252.85") or srcipaddress IN ("167.172.89.142","167.172.84.142","152.42.243.170","188.166.252.85")

    Hash

    sha256hash IN ("6be4dd9af27712f5ef6dc7d684e5ea07fa675b8cbed3094612a6696a40c664ce","1c13e6b1f57de9aa10441f63f076b7b6bd6e73d180e70e6148b3e551260e31ee","4edc77c3586ccc255460f047bd337b2d09e2339e3b0b0c92d68cddedf2ac1e54","04b336c3bcfe027436f36dfc73a173c37c66288c7160651b11561b39ce2cd25e","1e6c661d6981c0fa56c011c29536e57d21545fd11205eddf9218269ddf53d448","916f3f4b895c8948b504cbf1beccb601ff7cc6e982d2ed375447bce6ecb41534","4ad078a52abeced860ceb28ae99dda47424d362a90e1101d45c43e8e35dfd325","c78a02fa928ed8f83bda56d4b269152074f512c2cb73d59b2029bfc50ac2b8bc","9b50e888aaec0e4d105a6f06db168a8a2dcf9ab1f9deeff4b7862463299ab1ca","d23dd576f7a44df0d44fca6652897e4de751fdb0becc6b14b754ac9aafc9081c","d3c1ada67f9fe46dfb11f72c1754667d2ccd0026d48d37b61192e3d0ef369b84","e9854ab68dad0a744925118bfae4ec6ce9c4b7727e2ad6763aa50b923991de95","b3b8efcaf6b9491c00049292cdff8f53772438fde968073e73d767d51218d189","061bcd5b34c7412c46a3acd100167336685a467d2cbcd1c67d183b90d0bf8de7","1c26d79a841fdca70e50af712f4072fea2de7faf5875390a2ad6d29a43480458","cef0d2834613a3da4befa2f56ef91afc9ab82b1e6c510d2a619ed0c1364032b8")

    Detection Query 4

    technologygroup = "EDR" AND image In ("\cmd.exe","\powershell.exe") AND commandline In ("[System/EventID=","/create","/delete","/ec","/so","/tn run")  
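As an added example (not Gurucul's or Trend Micro's code), the four detection queries above re-implemented in Python over constructed events, so the matching semantics (substring `like` on domains, exact `IN` on IP fields and hashes, image plus command-line tokens for the EDR rule) can be checked offline. Indicator sets are trimmed to a few entries taken from the queries above; field names follow the query text, and the sample events are constructed, not real telemetry.

```python
"""Offline re-implementation of the advisory's TDIR detection queries."""
from __future__ import annotations

# Indicator subsets copied from the queries above (trimmed for the demo).
IOC_DOMAINS = {"ms1.hinet.lat", "msa.hinet.ink", "status.s3cloud-azure.com"}
IOC_IPS = {"167.172.89.142", "167.172.84.142", "152.42.243.170", "188.166.252.85"}
IOC_SHA256 = {"916f3f4b895c8948b504cbf1beccb601ff7cc6e982d2ed375447bce6ecb41534"}
EDR_IMAGES = ("\\cmd.exe", "\\powershell.exe")
EDR_CMD_TOKENS = ("[System/EventID=", "/create", "/delete", "/ec", "/so", "/tn run")
IP_FIELDS = ("dstipaddress", "ipaddress", "publicipaddress", "srcipaddress")


def match_event(event: dict) -> list[str]:
    """Return the names of the detection queries that fire on one event."""
    hits = []
    # Query 1: 'like' on userdomainname/url, treated as case-insensitive substring.
    text = " ".join(str(event.get(k, "")) for k in ("userdomainname", "url")).lower()
    if any(d in text for d in IOC_DOMAINS):
        hits.append("ioc_domain")
    # Query 2: exact IN match on any of the four IP fields.
    if any(event.get(f) in IOC_IPS for f in IP_FIELDS):
        hits.append("ioc_ip")
    # Query 3: sha256hash IN (...); normalise case before comparing.
    if str(event.get("sha256hash", "")).lower() in IOC_SHA256:
        hits.append("ioc_sha256")
    # Query 4: EDR process events from cmd/powershell whose command line carries
    # one of the event-log or scheduled-task switches listed in the query.
    if event.get("technologygroup") == "EDR":
        image = str(event.get("image", "")).lower()
        cmd = str(event.get("commandline", ""))
        if any(image.endswith(i) for i in EDR_IMAGES) and any(t in cmd for t in EDR_CMD_TOKENS):
            hits.append("edr_cmdline")
    return hits


def scan(events: list[dict]) -> dict[int, list[str]]:
    """Map event id -> triggered queries; events that trigger nothing are dropped."""
    return {e["id"]: hits for e in events if (hits := match_event(e))}


# Constructed sample events (hypothetical field values, not captured telemetry).
SAMPLE_EVENTS = [
    {"id": 1, "url": "https://ms1.hinet.lat/update.bin", "dstipaddress": "167.172.89.142"},
    {"id": 2, "technologygroup": "EDR", "image": "C:\\Windows\\System32\\cmd.exe",
     "commandline": "cmd.exe /c schtasks /create /tn run /tr C:\\Users\\Public\\update.exe"},
    {"id": 3, "url": "https://example.com/index.html", "srcipaddress": "10.0.0.5"},
    {"id": 4, "technologygroup": "EDR", "image": "C:\\Windows\\explorer.exe",
     "commandline": "explorer.exe /create"},
]

if __name__ == "__main__":
    for eid, hits in scan(SAMPLE_EVENTS).items():
        print(eid, hits)
```

Event 4 is deliberately a near miss: the command line carries a listed token but the image is not cmd.exe or powershell.exe, so the EDR rule stays quiet, as it does in the query.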

    Reference:

    https://www.trendmicro.com/en_us/research/24/i/earth-baxia-spear-phishing-and-geoserver-exploit.html 


    Tags: Phishing, Exploit, Backdoor, APT, EAGLEDOOR, Malware
