Earth Kurma’s Cyber Espionage Campaign Targets Southeast Asia with Advanced Rootkits and Cloud-Based Data Exfiltration

Since June 2024, a newly identified advanced persistent threat (APT) group known as Earth Kurma has been conducting a sophisticated cyber espionage campaign targeting government and telecommunications sectors across Southeast Asia, including countries such as the Philippines, Vietnam, Thailand, and Malaysia. This campaign employs custom malware, rootkits, and cloud storage services to exfiltrate sensitive data, posing significant risks to national security and business operations in the region.

Background and Attribution

Earth Kurma’s activities trace back to November 2020, with a marked escalation in June 2024. The group’s operations exhibit overlaps with other known APT groups, notably ToddyCat, suggesting potential shared methodologies or affiliations. However, definitive attribution remains challenging due to the complex and often obfuscated nature of cyber espionage activities.

Tactics, Techniques, and Procedures (TTPs)

The initial access methods employed by Earth Kurma are currently undetermined. Once inside a target network, the group utilizes a combination of open-source and custom tools to conduct reconnaissance and lateral movement. Key tools include:

– NBTSCAN: Used for scanning networks to identify live hosts and open ports.

– Ladon: An open-source penetration testing framework facilitating various network attacks.

– FRPC: A fast reverse proxy tool enabling secure tunneling of network traffic.

– WMIHACKER: Exploits Windows Management Instrumentation for remote command execution.

– ICMPinger: Assesses network connectivity and discovers active hosts.

Credential harvesting is achieved through a keylogger named KMLOG, which records keystrokes to capture sensitive information.

Persistence Mechanisms

Earth Kurma employs multiple loader variants to maintain persistence within compromised systems:

– DUNLOADER: Loads and executes payloads directly into memory.

– TESDAT: Facilitates the loading of additional malicious modules.

– DMLOADER: Executes next-stage payloads while evading detection.

These loaders deploy various payloads, including Cobalt Strike Beacons and sophisticated rootkits like KRNRAT and Moriya.

Advanced Rootkits: KRNRAT and Moriya

The use of rootkits such as KRNRAT and Moriya distinguishes Earth Kurma’s operations.

– Moriya: Monitors incoming TCP packets for specific payloads, injecting shellcode into newly spawned processes to establish covert communication channels.

– KRNRAT: Integrates functionalities from multiple open-source projects, enabling process manipulation, file hiding, shellcode execution, and concealed command-and-control (C2) communications.

Both rootkits employ living-off-the-land techniques, utilizing legitimate system tools to install malicious components, thereby reducing the likelihood of detection.

Data Exfiltration via Cloud Services

A notable aspect of Earth Kurma’s campaign is the use of cloud storage services for data exfiltration. The group utilizes tools like SIMPOBOXSPY to upload stolen data to platforms such as Dropbox and Microsoft OneDrive. The exfiltration process involves:

1. Document Collection: Targeting files with extensions such as .pdf, .doc, .docx, .xls, .xlsx, .ppt, and .pptx.

2. Archiving: Compiling the collected documents into a password-protected RAR archive.

3. Upload: Transferring the archive to cloud storage using specific access tokens.

This method leverages the trust associated with legitimate cloud services to evade detection during data exfiltration.
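The three-step chain above (collect documents, stage them in a RAR archive, push the archive to Dropbox or OneDrive) is something a defender can correlate in endpoint telemetry. The following script is an added example, not code from the original article: it flags any host where a process writes a `.rar` file and then, within a short window, opens a connection to a cloud storage domain. The telemetry format, the sample events and the cloud hostnames are constructed assumptions for illustration, not indicators from the campaign report.

```python
from datetime import datetime, timedelta

# Cloud storage endpoints to watch, based on the services the article names
# (Dropbox, OneDrive). The hostnames are assumptions for illustration only.
CLOUD_STORAGE_DOMAINS = ("dropbox.com", "dropboxapi.com",
                         "onedrive.live.com", "graph.microsoft.com")

# Constructed sample telemetry (not data from the report):
# (timestamp, host, process, event_type, detail)
SAMPLE_EVENTS = [
    ("2024-06-10T09:01:00", "ws-01", "winword.exe", "file_write", r"C:\Users\a\Documents\budget.docx"),
    ("2024-06-10T09:05:00", "ws-01", "svchost.exe", "file_write", r"C:\ProgramData\tmp\out.rar"),
    ("2024-06-10T09:07:00", "ws-01", "svchost.exe", "net_connect", "content.dropboxapi.com:443"),
    ("2024-06-10T11:00:00", "ws-02", "WinRAR.exe", "file_write", r"C:\Users\b\backup.rar"),
    ("2024-06-10T15:00:00", "ws-02", "chrome.exe", "net_connect", "onedrive.live.com:443"),
]

def is_cloud_storage(endpoint):
    """True if endpoint ("host" or "host:port") belongs to a watched cloud domain."""
    host = endpoint.split(":")[0].lower()
    return any(host == d or host.endswith("." + d) for d in CLOUD_STORAGE_DOMAINS)

def find_exfil_chains(events, window_minutes=30):
    """Flag each RAR archive write that is followed, within window_minutes, by a
    connection to a cloud storage domain from the same host and process.
    Returns a list of (host, process, archive_path, destination)."""
    window = timedelta(minutes=window_minutes)
    parsed = sorted((datetime.fromisoformat(ts), h, p, kind, d)
                    for ts, h, p, kind, d in events)
    hits = []
    for i, (t_arc, host, proc, kind, path) in enumerate(parsed):
        if kind != "file_write" or not path.lower().endswith(".rar"):
            continue
        for t_net, h2, p2, k2, dest in parsed[i + 1:]:
            if t_net - t_arc > window:
                break  # events are time-sorted, so later ones are outside the window too
            if (h2, p2, k2) == (host, proc, "net_connect") and is_cloud_storage(dest):
                hits.append((host, proc, path, dest))
                break
    return hits

if __name__ == "__main__":
    for hit in find_exfil_chains(SAMPLE_EVENTS):
        print("possible staged exfiltration: host=%s process=%s archive=%s dest=%s" % hit)
```

Only `ws-01` is flagged: on `ws-02` the archive and the cloud connection come from different processes and hours apart, which is the benign pattern the correlation is meant to distinguish from staging followed by upload.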

Implications and Recommendations

The Earth Kurma campaign underscores the evolving threat landscape in Southeast Asia, highlighting the need for enhanced cybersecurity measures. Organizations are advised to:

– Implement Robust Monitoring: Deploy advanced monitoring solutions to detect anomalous activities indicative of rootkit installations or unauthorized data transfers.

– Regularly Update Systems: Ensure all systems and software are up-to-date to mitigate vulnerabilities exploited by attackers.

– Conduct Security Training: Educate employees on recognizing phishing attempts and other common attack vectors.

– Utilize Network Segmentation: Implement network segmentation to limit lateral movement within the organization.

– Establish Incident Response Plans: Develop and regularly update incident response plans to swiftly address potential breaches.

By adopting these measures, organizations can enhance their resilience against sophisticated cyber threats like those posed by Earth Kurma.