A Dive into Latest Campaign

Aug. 9, 2024, 8:47 p.m.

External References

https://otx.alienvault.com/

Description

Earth Baku, an advanced persistent threat actor, has broadened its operations from the Indo-Pacific region to Europe, the Middle East, and Africa, targeting countries like Italy, Germany, UAE, and Qatar. The group leverages public-facing applications like IIS servers as entry points, deploying sophisticated malware toolsets such as the Godzilla webshell, StealthVector, StealthReacher, and SneakCross. StealthVector and StealthReacher are customized loaders that stealthily launch backdoor components, while SneakCross is a modular backdoor utilizing Google services for command-and-control activities. During post-exploitation, Earth Baku employs tools like a customized iox tool, Rakshasa, and Tailscale for persistence, along with MEGAcmd for data exfiltration.

Date

Published: Aug. 9, 2024, 8:15 p.m.

Created: Aug. 9, 2024, 8:15 p.m.

Modified: Aug. 9, 2024, 8:47 p.m.

Indicators

ec5a96f42aeccdf9a3ae4c3650689606c8539fd65c0b47f30887afecb901be43

e5f1360d4c299bb32e33e081115f2b520251a983af2ebc649b4b9b70308246fe

ec10a9396dca694fe64366e0dab82d046cf92457f97efd50a68ceb85adef6b74

e4360c0aa995e6e896b22bb7725a6c9b189be8606e7cbbc8b6e80c606358649d

cdcbd9c25e06ac6da5497fa19459d0007449ec1a3e6bc591334db6fb3598aecb

c02accc26a389397fb172f83258baa8a974986ffd706ba708a3b0a679f61be56

a50f85c71b69563ba42bf04c937e1063244ca4957231d3adac76f1c96ab42d3c

ab56501167fe689fe55f6e6ddc3bb91952299bd5c3ef004b02bf1c3b4061c7cf

8405d742405d3a6d3bda6bc49630dd5f3604a3d6ae27cbd533e425f8abbaafdc

7f24bc080281d250ec88493e5803e488721a17c9382cd54ba8dfbcb785f23a88

83de8917bf0ac1d670acf27431015215db872b7291979312dd65e30d99806abb

7e63c6b9ab3b32beffbc1eb23d6ca7cc59616b0722f0dd4f0d893c0a1724f5d7

7463700ec5768d4af6549028465f978059611555aa8e22e2b7c664b1cdbfa9ae

7586e58a569c2a07d0b3a710616f48833a040bf3fc57628bbdec7fcb462d565a

73eaba82ef1c502448e533007e92b1afa879b09f85f28b71648668ea62839ff5

3e52c310c6556367ff9e18448bc41719e603d1cbbdafdcba736c6565529617b6

22a50cea6ad67a7e8582d2cd4cdc3eaaf57c0fbe8cd062a9b15710166e255a86

21fc0f50d545c0a373380934dc61c423c8a31d8c3e6eae4f8a35149ad9962d88

166b6dcdac31f4bf51e4b20a7c3f7d4f7017ca0c30fa123d5591e25c3fa66107

1c88150ec85a07c3db5f18c5eedcb0b653467b897af01d690ed996e5e07ba8e3

0faddbe1713455e3fc9777ec45adf07b28e24f4c3ddca37586c2aa6b539898c0

073b35ecbd1833575fbfb1307654fc532fd938482e09426cfb0541ad87a04f75

07aa971f0791b06dd442d4c7a49c1d3d27a1cbb16602f731e870b5ef50edf69e

c6a3a1ea84251aed908702a1f2a565496d583239c5f467f5dcd0cfc5bfb1a6db

5.182.207.28

212.87.212.115

78.108.216.20

www.mircoupdate.https443.net

www.sitennews.com

track.cdn78544.ru

Download all indicators here!

Attack Patterns

MEGAcmd

Tailscale

Rakshasa

SneakCross

StealthReacher

StealthVector

Godzilla

Cobalt Strike - S0154

Earth Baku

T1022

T1007

T1018

T1548

T1189

T1497

T1021

T1082

T1057

T1055

T1036

T1027

T1112

T1056

T1059

Additional Informations

Technology

Healthcare

Media

Education

Telecommunications

Government

South Georgia and the South Sandwich Islands

Georgia

Qatar

Italy

Germany

Romania