Spot the Difference: New LODEINFO Campaign And The Correlation Analysis With The APT10 Umbrella
Nov. 19, 2024, 9:35 a.m.
Description
Earth Kasha, a threat group targeting Japan since 2019, has launched a new campaign with significant updates to their tactics and arsenals. The group has expanded its targets to include Taiwan and India, focusing on advanced technology organizations and government agencies. They now exploit public-facing applications like SSL-VPN and file storage services for initial access, using vulnerabilities in products such as Array AG, Proself, and FortiOS/FortiProxy. Earth Kasha deploys multiple backdoors including Cobalt Strike, LODEINFO, and the newly discovered NOOPDOOR. Their post-exploitation activities involve information theft, credential acquisition, and lateral movement. The group utilizes custom malware like MirrorStealer for credential dumping and employs sophisticated techniques to evade detection. While similarities exist with other China-nexus actors, Earth Kasha maintains distinct characteristics in its operations.
Date
Published: Nov. 19, 2024, 9:19 a.m.
Created: Nov. 19, 2024, 9:19 a.m.
Modified: Nov. 19, 2024, 9:35 a.m.
Indicators
Attack Patterns
NOOPDOOR
Cobalt Strike - S0154
LODEINFO
MirrorStealer
Earth Kasha
T1021.002
T1021.001
T1543.003
T1053.005
T1027.002
T1136
T1059.003
T1552
T1087
T1082
T1083
T1055
T1140
T1027
T1558
T1190
T1133
T1078
T1003
CVE-2023-45727
CVE-2023-28461
CVE-2013-3900
CVE-2023-3519
CVE-2023-3467
CVE-2023-3466
CVE-2023-27997
Additional Information
Technology
Defense
Government
Manufacturing
British Indian Ocean Territory
India
Taiwan
Japan