Scammers Hide Harmful Links in QR Codes to Steal Your Information

In a sophisticated campaign, threat actor Earth Baxia, likely based in China, has targeted government organizations and industries across the Asia-Pacific (APAC) region. Leveraging spear-phishing emails and exploiting a critical vulnerability in GeoServer (tracked as CVE-2024-36401), Earth Baxia has successfully infiltrated systems and deployed customized malware to exfiltrate sensitive data. The campaign, which began in July 2024, primarily targeted government, energy, and telecommunication sectors in Taiwan, Vietnam, South Korea, and the Philippines, but likely affected additional countries.

The Exploit: CVE-2024-36401

CVE-2024-36401 is a remote code execution (RCE) vulnerability in GeoServer, an open-source server for sharing geospatial data. Earth Baxia exploited it to run arbitrary commands on the server, using utilities such as curl and scp to download malicious components and introduce malware into the compromised environment. This vulnerability gave Earth Baxia initial access to target systems, marking the beginning of its attack chain.

Spear-Phishing as a Primary Attack Vector

In addition to exploiting GeoServer, Earth Baxia employed spear-phishing to further their attacks. Beginning in August 2024, victims received tailored phishing emails containing malicious attachments, such as MSC files or ZIP files, which dropped the next stage of malware. These emails were designed to bypass detection and lure victims into downloading and executing malicious files. Once opened, the files initiated the execution of obfuscated VBScript, leading to the download of additional payloads from cloud services such as Amazon Web Services (AWS).

Customized Cobalt Strike and EAGLEDOOR Backdoor

Once inside a system, Earth Baxia deployed a customized version of Cobalt Strike, a well-known post-exploitation tool often used for command-and-control (C2) operations. The altered Cobalt Strike version used by Earth Baxia had modified internal signatures and a changed configuration structure, helping it avoid detection by traditional security tools.

Additionally, Earth Baxia introduced a new backdoor called EAGLEDOOR, which supports multiple communication protocols including DNS, HTTP, TCP, and Telegram. This backdoor enables the attackers to gather information, deliver further payloads, and maintain persistent access to compromised systems. EAGLEDOOR used techniques like DLL side-loading to execute its malicious code in memory, complicating detection and analysis.

Attribution to Earth Baxia

Based on telemetry data and the use of specific tools and techniques, researchers have attributed this campaign to Earth Baxia, a China-linked advanced persistent threat (APT) group. Indicators such as the use of Cobalt Strike watermarks, infrastructure hosted on Alibaba Cloud, and malware samples submitted from China further suggest that this group operates from within the region. Earth Baxia’s previous campaigns have shown a focus on the government, energy, and telecommunications sectors, aligning with the victims identified in this campaign.

Attack Chain Overview

The attack chain followed by Earth Baxia in this campaign can be summarized as:

  1. Initial Access: Earth Baxia used spear-phishing emails and the GeoServer vulnerability (CVE-2024-36401) to gain initial access to targeted systems.
  2. Payload Delivery: The attackers deployed malicious files (e.g., MSC files) using spear-phishing emails, which dropped VBScript that downloaded additional malware components from cloud services like AWS.
  3. Post-Exploitation: After gaining access, Earth Baxia deployed a customized version of Cobalt Strike and the EAGLEDOOR backdoor to establish persistent access, exfiltrate data, and control infected systems.
  4. Lateral Movement and Persistence: Using techniques like DLL side-loading and AppDomainManager injection, Earth Baxia achieved lateral movement and evaded detection by injecting arbitrary code into legitimate applications.
  5. Exfiltration: The attackers used curl to exfiltrate collected data to remote servers, hiding their operations by utilizing cloud services and encrypted communication protocols.
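Step 4 mentions AppDomainManager injection, which relies on a .NET application's config file pointing the runtime at an attacker-controlled AppDomainManager assembly. The following is an added defender-side check, not code from the original post or from the Earth Baxia report: it parses a config file and reports any `appDomainManagerAssembly` / `appDomainManagerType` overrides under `<runtime>`. The two sample configs and all assembly and type names in them are constructed placeholders.

```python
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample of a config that redirects the runtime to a custom
# AppDomainManager (placeholder names, not real indicators).
SUSPICIOUS_CONFIG = """<?xml version="1.0"?>
<configuration>
  <runtime>
    <appDomainManagerAssembly value="PLACEHOLDER_ASSEMBLY, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <appDomainManagerType value="PLACEHOLDER_NAMESPACE.PLACEHOLDER_TYPE" />
  </runtime>
</configuration>
"""

# Constructed sample of an ordinary config with no runtime override.
BENIGN_CONFIG = """<?xml version="1.0"?>
<configuration>
  <startup>
    <supportedRuntime version="v4.0" />
  </startup>
</configuration>
"""

OVERRIDE_ELEMENTS = ("appDomainManagerAssembly", "appDomainManagerType")


def appdomain_manager_settings(config_xml: str) -> dict:
    """Return {element_name: value} for AppDomainManager overrides in <runtime>."""
    root = ET.fromstring(config_xml)
    found = {}
    for runtime in root.iter("runtime"):
        for child in runtime:
            if child.tag in OVERRIDE_ELEMENTS:
                found[child.tag] = child.get("value", "")
    return found


def is_suspicious(config_xml: str) -> bool:
    """Any AppDomainManager override next to a signed, legitimate .exe warrants triage."""
    return bool(appdomain_manager_settings(config_xml))


def scan_directory(directory: str) -> list:
    """Walk a tree for *.exe.config files and return paths with overrides (hypothetical helper)."""
    hits = []
    for cfg in Path(directory).rglob("*.exe.config"):
        try:
            if is_suspicious(cfg.read_text(encoding="utf-8", errors="replace")):
                hits.append(str(cfg))
        except ET.ParseError:
            continue  # malformed XML is worth a look, but is not this check's signal
    return hits
```

Pair a hit with the signature and install location of the adjacent executable: the technique's whole point is that the host binary itself is legitimate.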

Backdoor Analysis: EAGLEDOOR

EAGLEDOOR is a backdoor that allows Earth Baxia to maintain control over compromised systems. It supports four communication methods:

  • DNS: Used for basic communication with the command-and-control (C2) server.
  • HTTP and TCP: Utilized for sending system status updates to the C2 server and receiving new instructions.
  • Telegram: Used for information gathering, file delivery, and further payload execution through Telegram Bot API commands like getFile, getUpdates, sendDocument, and sendMessage.

By employing multiple protocols, EAGLEDOOR can adapt its communication to the environment, making it harder for security tools to block or detect the traffic. Earth Baxia further obscured its activity by hosting malicious files on public cloud services, which let the group update payloads easily and avoid detection.

Exfiltration Tactics

After compromising systems, Earth Baxia exfiltrated data using curl, sending it to servers hosted at IP addresses like 152[.]42[.]243[.]170. The stolen data was archived before exfiltration, and the exfiltration process was often disguised as legitimate traffic to evade detection. The use of cloud services and dynamic payload delivery made it difficult for defenders to trace the group’s activities.
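The Telegram Bot API methods listed in the backdoor analysis above and the curl-based uploads described here both leave traces in egress or proxy logs. The block below is an added detection example, not code from the original post or from the Earth Baxia report: it runs two rules over constructed log lines, flagging requests to `api.telegram.org` that use the named bot methods, and large curl POST/PUT uploads to bare IP addresses. The log format, host names, bot token placeholder, and the 203.0.113.10 address are all constructed.

```python
import re

# Constructed egress log: timestamp, source host, user agent, method, URL, bytes sent.
SAMPLE_LOG = """\
2024-08-12T09:14:02Z ws-fin-07 Mozilla/5.0 GET https://www.example.org/index.html 412
2024-08-12T09:14:05Z ws-fin-07 curl/8.4.0 POST https://203.0.113.10/upload 8388608
2024-08-12T09:15:11Z ws-fin-07 python-requests/2.31 GET https://api.telegram.org/botTOKEN_PLACEHOLDER/getUpdates 0
2024-08-12T09:15:40Z ws-fin-07 python-requests/2.31 POST https://api.telegram.org/botTOKEN_PLACEHOLDER/sendDocument 524288
2024-08-12T09:20:00Z ws-hr-02 Mozilla/5.0 GET https://api.telegram.org/botTOKEN_PLACEHOLDER/getMe 0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<ua>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<bytes>\d+)$"
)
# Bot API methods the report associates with EAGLEDOOR's Telegram channel.
BOT_METHOD_RE = re.compile(
    r"^https?://api\.telegram\.org/bot[^/]+/(?P<m>getFile|getUpdates|sendDocument|sendMessage)\b"
)
# URL whose host is an IPv4 literal rather than a name (no SNI/DNS context to vet).
IP_URL_RE = re.compile(r"^https?://(\d{1,3}\.){3}\d{1,3}(:\d+)?/")
EXFIL_MIN_BYTES = 1 << 20  # 1 MiB: archived data tends to be large; tune per environment


def analyze(log_text: str) -> list:
    """Return (host, rule, detail) findings for the two rules; unparsable lines are skipped."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        host, ua, method, url = m["host"], m["ua"], m["method"], m["url"]
        size = int(m["bytes"])
        bot = BOT_METHOD_RE.match(url)
        if bot:
            # Legitimate bot integrations exist; the host role decides the triage priority.
            findings.append((host, "telegram_bot_c2", bot["m"]))
        if (ua.startswith("curl/") and method in ("POST", "PUT")
                and IP_URL_RE.match(url) and size >= EXFIL_MIN_BYTES):
            findings.append((host, "curl_upload_to_ip", url))
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

Correlating both rule types on the same host within a short window, as in the sample above, is a stronger signal than either alone.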

Geographic Scope and Targeted Sectors

Earth Baxia primarily targeted government organizations and energy industries in the APAC region, including countries like Taiwan, Vietnam, South Korea, and the Philippines. The group’s campaigns were also detected in China, where they leveraged simplified Chinese decoy documents. Given the group’s operational focus, it is likely that the targeted sectors were of strategic importance to China’s national interests.

Recommendations for Mitigation

To defend against campaigns like the one conducted by Earth Baxia, organizations should implement a multi-layered defense strategy, including:

  1. Phishing Awareness Training: Educate employees to recognize spear-phishing emails and suspicious attachments, especially those with unexpected content.
  2. Patching Vulnerabilities: Apply patches for critical vulnerabilities like CVE-2024-36401 in GeoServer and other publicly exposed services.
  3. Advanced Threat Detection: Deploy solutions that detect fileless attacks, DLL side-loading, and in-memory malware execution.
  4. Behavioral Analytics: Use advanced detection tools like Cortex XDR or Trend Micro Vision One to monitor network traffic for anomalies, detect suspicious command-and-control (C2) activity, and prevent data exfiltration.
  5. Cloud Service Monitoring: Monitor traffic to and from public cloud services to detect unusual activity, such as downloading malicious files or exfiltrating data to remote servers.

Earth Baxia continues to demonstrate its ability to conduct sophisticated attacks, combining spear-phishing, exploited vulnerabilities, and customized malware to infiltrate critical sectors in the APAC region. By leveraging public cloud services and multi-protocol backdoors like EAGLEDOOR, the group has shown advanced capabilities in evading detection and maintaining persistence within compromised environments. Vigilance and proactive security measures are essential to counter such threats, particularly for organizations operating in high-risk sectors.

By staying informed of these evolving tactics and employing multi-layered defense solutions, organizations can better protect themselves from supply chain attacks and advanced persistent threats (APTs) like Earth Baxia.
