Spot the Difference: Earth Kasha's New LODEINFO Campaign And The Correlation Analysis With The APT10
Summary:
Earth Kasha, a cyber threat group tracked by Trend Micro, has been active since 2019, leveraging the LODEINFO malware to target organizations in Japan. Though similarities with APT10 have been observed, Trend Micro views Earth Kasha as a separate entity under the broader "APT10 Umbrella," suggesting potential collaboration or shared resources. In 2023, Earth Kasha expanded its focus to include high-profile targets in Taiwan and India, particularly within the advanced technology and government sectors. This marked a significant evolution in their tactics, shifting from traditional spear-phishing to exploiting vulnerabilities in public-facing applications like SSL-VPNs and enterprise products. Specific vulnerabilities abused include CVE-2023-28461 and CVE-2023-27997 (FortiOS/FortiProxy), showcasing the group's adaptability and technical expertise.
Post-exploitation activities reveal a primary focus on data theft and credential harvesting. Earth Kasha employed tools such as MirrorStealer to extract stored credentials from browsers, email clients, and SQL management tools. They also utilized registry hive dumps to obtain NTLM hashes of domain users. Once initial access was established, the group deployed backdoors like LODEINFO, NOOPDOOR, and Cobalt Strike to maintain persistence and execute lateral movement across networks. Data exfiltration methods included compressing sensitive files into archives and transferring them via RDP sessions or other backdoor channels. Persistence mechanisms relied on scheduled tasks, DLL side-loading, and heavily obfuscated loaders like NOOPLDR Types 1 and 2, with NOOPDOOR showcasing advanced encrypted communication channels and anti-analysis techniques.
Security Officer Comments:
Earth Kasha’s campaigns demonstrate clear evolution over time. Their first campaign, running from 2019 to 2023, relied on spear-phishing to target Japan's public sector, academics, and individuals involved in international affairs. In their second campaign, beginning in 2023, they shifted to exploiting public-facing applications and expanded their target base to include private-sector organizations in manufacturing, aviation, and high-tech industries across Japan, Taiwan, and India. This shift in tactics and target demographics highlights their growing sophistication and strategic adaptation to new opportunities. Notable overlaps with campaigns such as A41APT, attributed to Earth Tengshe, further suggest shared tactics, techniques, and operator resources among Chinese-linked threat groups. For example, both Earth Kasha and Earth Tengshe exploited SSL-VPN vulnerabilities, abused scheduled tasks for persistence, and used similar methods for credential dumping. However, Earth Kasha’s toolset, including LODEINFO and NOOPDOOR, is distinct, highlighting its unique operational approach.
A particularly concerning aspect of Earth Kasha’s activities is their possible collaboration with access brokers. Shared exploitation of 0-day vulnerabilities, such as CVE-2023-27997, with other groups like Volt Typhoon suggests a third-party ecosystem specializing in facilitating initial access.
Suggested Corrections:
IOCs:
https://documents.trendmicro.com/assets/txt/EarthKasha_IOC84gIFsv.txt
Patch and Secure Public-Facing Applications:
- Apply security patches for vulnerabilities exploited by Earth Kasha, such as:
  - CVE-2023-28461 (Array AG)
  - CVE-2023-45727 (Proself)
  - CVE-2023-27997 (FortiOS/FortiProxy)
- Regularly update enterprise products and monitor vendor advisories for newly disclosed vulnerabilities.
Implement Multi-Factor Authentication (MFA):
- Enforce MFA for all remote access services, particularly VPNs and administrative interfaces, to mitigate the risk of credential-based attacks.
Strengthen Network Segmentation:
- Isolate sensitive systems (e.g., Active Directory) from external access points.
- Use firewalls to restrict lateral movement between network segments.
Monitor for Anomalous Activities:
- Track tools and commands often used by Earth Kasha, including:
  - Legitimate tools like csvde.exe, nltest.exe, and quser.exe.
  - Known malware like LODEINFO, NOOPDOOR, and MirrorStealer.
- Set alerts for unusual file access patterns, large data transfers, and use of PowerShell scripts.
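The monitoring guidance above, as an added example that is not part of this bulletin or of Trend Micro's report: a small Python triage pass over constructed process-creation events that tags the legitimate tools named above, a registry hive dump via reg.exe save (an assumed method; the bulletin does not say which tool Earth Kasha used), and scheduled tasks whose action lives in a user-writable directory, then escalates a host that chains several discovery tools. The event field names and sample events are constructed.

```python
import re
from collections import defaultdict

# Constructed sample process-creation events (simplified Sysmon/4688-style shape), not real telemetry.
SAMPLE_EVENTS = [
    {"host": "ws-01", "image": "C:\\Windows\\System32\\nltest.exe", "cmdline": "nltest /domain_trusts"},
    {"host": "ws-01", "image": "C:\\Windows\\System32\\csvde.exe", "cmdline": "csvde -f C:\\Users\\Public\\ad.csv"},
    {"host": "ws-01", "image": "C:\\Windows\\System32\\quser.exe", "cmdline": "quser"},
    {"host": "srv-02", "image": "C:\\Windows\\System32\\reg.exe", "cmdline": "reg save HKLM\\SAM C:\\Windows\\Temp\\sam.hiv"},
    {"host": "srv-02", "image": "C:\\Windows\\System32\\schtasks.exe",
     "cmdline": "schtasks /create /tn Updater /tr C:\\ProgramData\\upd.exe /sc minute"},
    {"host": "ws-03", "image": "C:\\Windows\\System32\\notepad.exe", "cmdline": "notepad report.txt"},
]

DISCOVERY_TOOLS = {"csvde.exe", "nltest.exe", "quser.exe"}  # legitimate tools named in the bulletin
# Assumed hive-dump pattern: reg.exe saving the SAM/SYSTEM/SECURITY hives (NTLM hash material).
HIVE_SAVE = re.compile(r"\bsave\b.*\b(sam|system|security)\b", re.I)
# Task action placed in a user-writable directory rather than Program Files or System32.
WRITABLE_DIR = re.compile(r"\\(programdata|temp|users\\public|appdata)\\", re.I)

def image_name(event):
    """Basename of a Windows image path, independent of the OS running this script."""
    return event["image"].rsplit("\\", 1)[-1].lower()

def classify(event):
    """Return the detection tags that apply to one event (empty list if nothing matched)."""
    name, cmd = image_name(event), event["cmdline"]
    tags = []
    if name in DISCOVERY_TOOLS:
        tags.append("ad_discovery_tool")
    if name == "reg.exe" and HIVE_SAVE.search(cmd):
        tags.append("registry_hive_dump")
    if name == "schtasks.exe" and "/create" in cmd.lower() and WRITABLE_DIR.search(cmd):
        tags.append("scheduled_task_writable_dir")
    return tags

def triage(events):
    """Group tagged events per host; a host chaining two or more discovery tools is escalated,
    since a single nltest or quser call is routine but the combination is not."""
    findings = defaultdict(lambda: {"tags": set(), "tools": set()})
    for ev in events:
        tags = classify(ev)
        if not tags:
            continue
        findings[ev["host"]]["tags"].update(tags)
        if "ad_discovery_tool" in tags:
            findings[ev["host"]]["tools"].add(image_name(ev))
    for f in findings.values():
        if len(f["tools"]) >= 2:
            f["tags"].add("discovery_chain")
    return dict(findings)
```

In production the same logic would run over EDR or Sysmon Event ID 1 / Security 4688 output with a time window per host; the patterns here are deliberately narrow and should be tuned against your own baseline of administrative activity.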
Link(s):
https://www.trendmicro.com/en_us/research/24/k/lodeinfo-campaign-of-earth-kasha.html