Earth Krahang's Wide-Reaching Cyber Espionage Tactics and Targets
Cyber threat activity attributed to the Chinese threat actor Earth Krahang has been significantly impacting sectors across Africa, Europe, the United States, and Southeast Asia. Trend Micro's Joseph C. Chen and Daniel Lunghi have uncovered that while Earth Krahang operates with its own distinct infrastructure and malware, it shares several connections with another threat actor tracked as Earth Lusca. Despite these connections, Earth Krahang's unique tactics and targets have led researchers to classify it as a separate entity, focusing on a broad range of objectives from government infiltration to data exfiltration across various industries. With a remarkable record of compromising at least 70 organizations and targeting 116 across 45 countries since early 2022, Earth Krahang has predominantly targeted government organizations. According to Trend Micro, "at least 48 government organizations were compromised, with a further 49 other government entities being targeted." Beyond the government sector, Earth Krahang has extended its cyberespionage efforts to financial services, defense, sports entertainment, healthcare, logistics, manufacturing, non-governmental organizations (NGOs), real estate, retail, technology, think tanks, and travel sectors.
Earth Krahang's campaigns targeting government organizations focused on Foreign Affairs ministries, using compromised government infrastructure to launch further attacks. The group gains initial access by exploiting vulnerable internet-facing servers and by sending spear-phishing emails. Vulnerabilities leveraged by Earth Krahang have included CVE-2023-32315 (Openfire) and CVE-2022-21587 (Control Web Panel) to establish footholds within networks. Spear-phishing emails themed around geopolitical topics serve as another vector, enticing recipients with malicious attachments or links designed to deploy custom backdoors on victims' computers. Compromised accounts are abused by exploiting the inherent trust relationship to attack other users in the same organization. "In one case, the actor used a compromised mailbox from a government entity to send a malicious attachment to 796 email addresses belonging to the same entity," Trend Micro reports. The distributed attachments often use misleading double file extensions, presenting a benign-looking .docx extension while concealing the executable (.exe) nature of the file, to deceive targets into executing the malware.
Post-compromise, Earth Krahang exhibits a wide array of capabilities for maintaining access and moving laterally within networks. Its tactics, techniques, and procedures (TTPs) include creating scheduled tasks for persistence and obtaining credentials from LSASS or the SAM database. For lateral movement, command execution through WMIC and modification of registry keys to enable RDP were observed. The group deploys malware and tools such as Cobalt Strike, RESHELL, and XDealer to execute commands and collect data. XDealer in particular stands out for its sophistication: it supports both Linux and Windows environments and can take screenshots, log keystrokes, and intercept clipboard data. Additionally, Earth Krahang has been observed using compromised email accounts to brute-force Exchange credentials and employing Python scripts to exfiltrate email from Zimbra servers. Abuse of several Linux vulnerabilities, CVE-2021-4034 ("PwnKit"), CVE-2021-22555 (a flaw in the Linux kernel's netfilter subsystem), and CVE-2016-5195 ("Dirty COW"), was reported to allow the threat actors to elevate their privileges.
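The two paragraphs above describe several host- and mail-level TTPs that are straightforward to hunt for: double-extension attachments, scheduled-task persistence, WMIC command execution, and registry changes that enable RDP. The following is an added detection example written for this summary, not code from Trend Micro or the report; the event records are constructed, the field names are assumed, and the fDenyTSConnections key is the well-known RDP switch (value 0 allows connections), which the excerpt itself does not name. The decoy/executable extension lists generalize beyond the .docx/.exe pair mentioned in the text.

```python
"""Detection helpers for TTPs summarized in the Earth Krahang write-up (added example)."""
import re

DECOY_EXTS = {"doc", "docx", "pdf", "xls", "xlsx", "ppt", "pptx"}
EXEC_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "vbs", "js"}
# Well-known RDP enable switch (0 = connections allowed); general Windows knowledge,
# the report excerpt does not name the key.
RDP_KEY = r"\Control\Terminal Server\fDenyTSConnections"

# Constructed sample events for illustration only; field names are assumptions.
SAMPLE_EVENTS = [
    {"id": 1, "type": "mail", "attachment": "Ministry_Statement.docx.exe"},
    {"id": 2, "type": "mail", "attachment": "agenda.docx"},
    {"id": 3, "type": "registry", "value": "0",
     "path": r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections"},
    {"id": 4, "type": "process", "cmdline": r'schtasks /create /sc minute /mo 30 /tn "Updater" /tr C:\Users\Public\u.exe'},
    {"id": 5, "type": "process", "cmdline": 'wmic /node:host01 process call create "cmd.exe /c whoami"'},
    {"id": 6, "type": "process", "cmdline": "notepad.exe"},
]


def is_double_extension(name: str) -> bool:
    """True for names like report.docx.exe: a document-looking decoy extension
    directly followed by an executable extension (case-insensitive)."""
    parts = name.lower().rsplit(".", 2)
    return len(parts) == 3 and parts[1] in DECOY_EXTS and parts[2] in EXEC_EXTS


def detect_ttps(events):
    """Return (rule_name, event_id) pairs for events matching the described TTPs."""
    hits = []
    for ev in events:
        kind = ev["type"]
        if kind == "mail" and is_double_extension(ev["attachment"]):
            hits.append(("double_extension_attachment", ev["id"]))
        elif kind == "registry" and ev["path"].lower().endswith(RDP_KEY.lower()) and ev["value"] == "0":
            hits.append(("rdp_enabled_via_registry", ev["id"]))
        elif kind == "process":
            cmd = ev["cmdline"].lower()
            if "schtasks" in cmd and "/create" in cmd:
                hits.append(("scheduled_task_persistence", ev["id"]))
            if re.search(r"\bwmic\b.*\bprocess\s+call\s+create\b", cmd):
                hits.append(("wmic_remote_execution", ev["id"]))
    return hits


if __name__ == "__main__":
    for rule, event_id in detect_ttps(SAMPLE_EVENTS):
        print(f"event {event_id}: {rule}")
```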
As detailed in Trend Micro's analysis, the connection between Earth Krahang and the China-nexus actor Earth Lusca, as well as potential links to the Chinese company I-Soon, suggests a coordinated effort behind these cyberespionage campaigns. This finding emphasizes the advanced and widespread activities of Earth Krahang. To defend against these threats, following industry best practices is crucial, including enforcing strong passwords to thwart account breaches and raising awareness of social engineering tactics, exemplified by the deceptive use of double file extensions.