2024-11-28

New Tactics from Earth Kasha Reveal an Interconnected Umbrella of China-Nexus Adversaries

Level: Tactical | Source: Trend Micro
Industries: Aviation, Education, Government, Manufacturing, Technology

The threat actor group Earth Kasha, tracked by Trend Micro, has been targeting organizations primarily within Japan since 2019, with operations extending to Taiwan and India. Earth Kasha's primary targets include technology firms and government agencies, motivated by intelligence collection and data theft rather than financial gain. Although some associations are drawn between Earth Kasha and APT10, Trend Micro currently tracks them as distinct but potentially related entities under the "APT10 Umbrella" due to their use of similar tactics and tools. "Our research on the recent activity by Earth Kasha highlighted the current complex situation and potential cooperative relationships among China-nexus threat actors," explain Trend Micro researchers. Earth Kasha's campaigns feature the use of LODEINFO malware, which is central to their operations and to attribution efforts. Their recent activity includes exploiting vulnerabilities such as Array AG (CVE-2023-28461), Proself (CVE-2023-45727), and FortiOS/FortiProxy (CVE-2023-27997), targeting public-facing applications to breach systems and establish footholds.

In recent post-exploitation activities, once access is established, Earth Kasha has leveraged legitimate Windows tools to map out the network and collect domain information. Tools such as 'csvde.exe,' 'nltest.exe,' and 'quser.exe' have been observed in use for gathering Active Directory data, listing domain trusts, and identifying logged-in users. After identifying valuable files on file servers, they appear to examine documents of interest manually. Additionally, Earth Kasha employs their custom credential dumper, MirrorStealer, to extract login credentials from web browsers and email applications. Alternatively, they leverage native Windows commands, such as 'vssadmin,' to copy sensitive registry hives and Active Directory files like ntds.dit for credential theft from the C$ admin share.

The threat actor then proceeds to move laterally, initiating RDP sessions and gathering files of interest over SMB. Once these files are consolidated on a designated host, they are often compressed using 'makecab' to streamline exfiltration. Observed backdoors, including LODEINFO and NOOPDOOR, are deployed via SMB and managed through scheduled tasks or 'schtasks.exe,' ensuring continued network access. Trend Micro acknowledges that the method of data exfiltration remains uncertain, though it suggests Earth Kasha may be using RDP to transfer files to an external system over SMB, as indicated by observed activity related to “tsclient” during RDP sessions.
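The reconnaissance, credential access, staging, persistence and RDP/tsclient activity described in the two paragraphs above all surface as process-creation events, which makes them a natural fit for a chained detection rather than isolated single-tool alerts. The Python below is an added detection sketch, not Trend Micro's or Anvilogic's code: it tags constructed sample events against one rule per reported stage and then correlates stage hits per account across hosts, so that a single noisy tool such as `quser` does not fire on its own. The field names (`host`, `user`, `image`, `cmdline`), the sample values and the threshold of three stages are assumptions; in a real pipeline they would map onto Sysmon Event ID 1 or Security 4688 fields.

```python
"""Chained detection for the Earth Kasha post-exploitation TTPs summarised above.

Added example (not Trend Micro's or Anvilogic's code). All events below are
constructed for illustration; the field names are assumptions and should be
mapped onto your own process-creation telemetry.
"""
import re
from collections import defaultdict

# Constructed sample process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "FS01", "user": "CORP\\svc_backup", "image": "C:\\Windows\\System32\\csvde.exe",
     "cmdline": "csvde.exe -f C:\\Users\\Public\\ad.csv"},
    {"host": "FS01", "user": "CORP\\svc_backup", "image": "C:\\Windows\\System32\\nltest.exe",
     "cmdline": "nltest /domain_trusts /all_trusts"},
    {"host": "FS01", "user": "CORP\\svc_backup", "image": "C:\\Windows\\System32\\quser.exe",
     "cmdline": "quser"},
    {"host": "DC01", "user": "CORP\\svc_backup", "image": "C:\\Windows\\System32\\vssadmin.exe",
     "cmdline": "vssadmin create shadow /for=C:"},
    {"host": "FS01", "user": "CORP\\svc_backup", "image": "C:\\Windows\\System32\\makecab.exe",
     "cmdline": "makecab /F C:\\Users\\Public\\files.ddf"},
    {"host": "WS07", "user": "CORP\\svc_backup", "image": "C:\\Windows\\System32\\schtasks.exe",
     "cmdline": "schtasks /create /tn \"Update\" /tr C:\\ProgramData\\upd.exe /sc daily"},
    {"host": "FS01", "user": "CORP\\svc_backup", "image": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "cmd /c copy C:\\Users\\Public\\out.cab \\\\tsclient\\C\\out.cab"},
    # Benign noise: a helpdesk user running quser interactively on one host.
    {"host": "WS02", "user": "CORP\\helpdesk", "image": "C:\\Windows\\System32\\quser.exe",
     "cmdline": "quser"},
]


def _image_is(event, *names):
    """True if the process image ends with one of the given executable names."""
    return event["image"].lower().endswith(tuple("\\" + n for n in names))


# One rule per stage of the reported chain; each is a predicate over an event.
RULES = {
    # csvde / nltest / quser: Active Directory and domain-trust reconnaissance
    "ad_recon": lambda e: _image_is(e, "csvde.exe", "nltest.exe", "quser.exe"),
    # vssadmin shadow copy creation: precursor to copying ntds.dit / registry hives
    "shadow_copy_cred_access": lambda e: (
        _image_is(e, "vssadmin.exe")
        and re.search(r"\bcreate\s+shadow\b", e["cmdline"], re.I) is not None),
    # makecab: compressing staged files before exfiltration
    "staging_makecab": lambda e: _image_is(e, "makecab.exe"),
    # schtasks /create: scheduled-task persistence for the backdoors
    "persistence_schtasks": lambda e: (
        _image_is(e, "schtasks.exe")
        and re.search(r"/create\b", e["cmdline"], re.I) is not None),
    # \\tsclient\ paths: file transfer over an RDP-mapped drive
    "rdp_exfil_tsclient": lambda e: re.search(r"\\\\tsclient\\", e["cmdline"], re.I) is not None,
}


def tag_event(event):
    """Return the set of stage names whose rule matches this single event."""
    return {name for name, rule in RULES.items() if rule(event)}


def correlate(events, min_stages=3):
    """Aggregate stage hits per account across hosts.

    An account that touches at least `min_stages` distinct stages of the chain
    is returned as a candidate intrusion, together with the hosts involved.
    Correlating per account (not per host) matters because the reported
    activity spans file servers, domain controllers and workstations.
    """
    stages_by_user = defaultdict(set)
    hosts_by_user = defaultdict(set)
    for event in events:
        hits = tag_event(event)
        if hits:
            stages_by_user[event["user"]] |= hits
            hosts_by_user[event["user"]].add(event["host"])
    return {
        user: {"stages": sorted(stages), "hosts": sorted(hosts_by_user[user])}
        for user, stages in stages_by_user.items()
        if len(stages) >= min_stages
    }


if __name__ == "__main__":
    for user, finding in correlate(SAMPLE_EVENTS).items():
        print(user, finding)
```

With the default threshold the helpdesk account that only ran `quser` is not raised, while the service account that walked through reconnaissance, shadow-copy creation, staging, persistence and a tsclient copy is reported with all three hosts it touched. Lowering `min_stages` to 1 turns the same rules into per-event hunting queries, which is useful for triage once an intrusion is suspected.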

An in-depth analysis of correlations between Earth Kasha's LODEINFO Campaigns #1 and #2 and the A41APT Campaign by Earth Tengshe shows strategic overlaps in both tactics and targets, as reported by Trend Micro. In LODEINFO Campaign #1, Earth Kasha employed spear-phishing techniques for initial access, primarily targeting sectors in Japan. However, in Campaign #2, active since 2023, Earth Kasha shifted to exploiting public-facing applications like SSL-VPN. New industry targets in aviation, academic research, and manufacturing have also emerged. The A41APT Campaign by Earth Tengshe, also associated with the APT10 umbrella, similarly targeted Japan and used overlapping techniques in its post-exploitation phase, including 'csvde.exe' for Active Directory information collection, scheduled tasks for persistence, and RDP and SMB protocols for lateral movement. These similar TTPs strengthen the case for a potential connection between Earth Kasha and Earth Tengshe, despite their distinct toolsets.

Notable distinctions do emerge in the malware each group deploys, with Earth Tengshe relying on custom tools like SigLoader and SodaMaster, while Earth Kasha utilizes LODEINFO and MirrorStealer. This divergence in toolsets indicates that although Earth Tengshe and Earth Kasha share some tactics, they may operate with different operational focuses and resources, or even collaborate indirectly. The shared TTPs in these campaigns, especially in areas such as credential theft and Active Directory reconnaissance, suggest a strategic overlap in their objectives of persistent access and data exfiltration from sensitive networks.

Trend Micro’s analysis concludes that Earth Kasha's operations, when examined alongside Earth Tengshe’s, demonstrate patterns often linked to state-sponsored cyber-espionage consistent with APT10. The close alignment of objectives and TTPs, as well as Earth Kasha’s use of zero-day vulnerabilities, suggests the group may rely on shared access resources, possibly facilitated by third-party access brokers common within China-nexus operations. While Trend Micro's assessment of attribution remains cautious, this shared ecosystem for malware and vulnerabilities points to a collaborative infrastructure.
