A Dive into Latest Campaign

Aug. 9, 2024, 8:47 p.m.

Description

Earth Baku, an advanced persistent threat actor, has broadened its operations from the Indo-Pacific region to Europe, the Middle East, and Africa, targeting countries like Italy, Germany, UAE, and Qatar. The group leverages public-facing applications like IIS servers as entry points, deploying sophisticated malware toolsets such as the Godzilla webshell, StealthVector, StealthReacher, and SneakCross. StealthVector and StealthReacher are customized loaders that stealthily launch backdoor components, while SneakCross is a modular backdoor utilizing Google services for command-and-control activities. During post-exploitation, Earth Baku employs tools like a customized iox tool, Rakshasa, and Tailscale for persistence, along with MEGAcmd for data exfiltration.

Date

  • Created: Aug. 9, 2024, 8:15 p.m.
  • Published: Aug. 9, 2024, 8:15 p.m.
  • Modified: Aug. 9, 2024, 8:47 p.m.

Indicators

  • ec5a96f42aeccdf9a3ae4c3650689606c8539fd65c0b47f30887afecb901be43
  • e5f1360d4c299bb32e33e081115f2b520251a983af2ebc649b4b9b70308246fe
  • ec10a9396dca694fe64366e0dab82d046cf92457f97efd50a68ceb85adef6b74
  • e4360c0aa995e6e896b22bb7725a6c9b189be8606e7cbbc8b6e80c606358649d
  • cdcbd9c25e06ac6da5497fa19459d0007449ec1a3e6bc591334db6fb3598aecb
  • c02accc26a389397fb172f83258baa8a974986ffd706ba708a3b0a679f61be56
  • a50f85c71b69563ba42bf04c937e1063244ca4957231d3adac76f1c96ab42d3c
  • ab56501167fe689fe55f6e6ddc3bb91952299bd5c3ef004b02bf1c3b4061c7cf
  • 8405d742405d3a6d3bda6bc49630dd5f3604a3d6ae27cbd533e425f8abbaafdc
  • 7f24bc080281d250ec88493e5803e488721a17c9382cd54ba8dfbcb785f23a88
  • 83de8917bf0ac1d670acf27431015215db872b7291979312dd65e30d99806abb
  • 7e63c6b9ab3b32beffbc1eb23d6ca7cc59616b0722f0dd4f0d893c0a1724f5d7
  • 7463700ec5768d4af6549028465f978059611555aa8e22e2b7c664b1cdbfa9ae
  • 7586e58a569c2a07d0b3a710616f48833a040bf3fc57628bbdec7fcb462d565a
  • 73eaba82ef1c502448e533007e92b1afa879b09f85f28b71648668ea62839ff5
  • 3e52c310c6556367ff9e18448bc41719e603d1cbbdafdcba736c6565529617b6
  • 22a50cea6ad67a7e8582d2cd4cdc3eaaf57c0fbe8cd062a9b15710166e255a86
  • 21fc0f50d545c0a373380934dc61c423c8a31d8c3e6eae4f8a35149ad9962d88
  • 166b6dcdac31f4bf51e4b20a7c3f7d4f7017ca0c30fa123d5591e25c3fa66107
  • 1c88150ec85a07c3db5f18c5eedcb0b653467b897af01d690ed996e5e07ba8e3
  • 0faddbe1713455e3fc9777ec45adf07b28e24f4c3ddca37586c2aa6b539898c0
  • 073b35ecbd1833575fbfb1307654fc532fd938482e09426cfb0541ad87a04f75
  • 07aa971f0791b06dd442d4c7a49c1d3d27a1cbb16602f731e870b5ef50edf69e
  • c6a3a1ea84251aed908702a1f2a565496d583239c5f467f5dcd0cfc5bfb1a6db
  • 5.182.207.28
  • 212.87.212.115
  • 78.108.216.20
  • www.mircoupdate.https443.net
  • www.sitennews.com
  • track.cdn78544.ru

Attack Patterns

  • MEGAcmd
  • Tailscale
  • Rakshasa
  • SneakCross
  • StealthReacher
  • StealthVector
  • Godzilla
  • Cobalt Strike - S0154
  • Earth Baku
  • T1022
  • T1007
  • T1018
  • T1548
  • T1189
  • T1497
  • T1021
  • T1082
  • T1057
  • T1055
  • T1036
  • T1027
  • T1112
  • T1056
  • T1059

Additional Information

  • Technology
  • Healthcare
  • Media
  • Education
  • Telecommunications
  • Government
  • South Georgia and the South Sandwich Islands
  • Georgia
  • Qatar
  • Italy
  • Germany
  • Romania