Earth Baxia Uses Spear-Phishing and GeoServer Exploit to Target APAC
Sept. 20, 2024, 12:05 p.m.
Description
Earth Baxia, a suspected China-based threat actor, targeted government organizations, telecommunication businesses, and the energy industry in multiple Asia-Pacific countries. The group employed sophisticated techniques, including spear-phishing emails and exploitation of a GeoServer vulnerability (CVE-2024-36401). They deployed customized Cobalt Strike components and a new backdoor called EAGLEDOOR on compromised machines. EAGLEDOOR supports multiple communication protocols for information gathering and payload delivery. The attackers used public cloud services to host malicious files, making tracking difficult. They also utilized techniques such as GrimResource and AppDomainManager injection to deploy additional payloads. The campaign affected countries including Taiwan, the Philippines, South Korea, Vietnam, Thailand, and potentially China.
Date
Published: Sept. 20, 2024, 11:22 a.m.
Created: Sept. 20, 2024, 11:22 a.m.
Modified: Sept. 20, 2024, 12:05 p.m.
Indicators
Attack Patterns
RIPCOY
SWORDLDR
EAGLEDOOR
Cobalt Strike - S0154
Earth Baxia
T1584.006
T1587.003
T1588.001
T1071.004
T1587.001
T1102.002
T1588.002
T1036.004
T1071.003
T1573.001
T1547.009
T1218.011
T1059.001
T1071.001
T1566.001
T1055
T1140
T1027
T1190
Additional Information
Energy
Telecommunications
Government
Taiwan
China
Thailand
Philippines