Guess Who's Back - The Return of ANEL in the Recent Earth Kasha Spear-phishing Campaign in 2024

Summary:
Trend Micro has uncovered a new spear-phishing campaign targeting individuals as well as organizations in Japan since at least June 2024. Trend Micro notes that this campaign marks the return of a backdoor called ANEL, malware used by APT10 to target Japan that has not been publicly documented since 2018. Another backdoor, NOOPDOOR, often utilized by Earth Kasha, has been observed as well. Trend Micro attributes this activity cluster to a new operation conducted by Earth Kasha for the following reasons:
  • Until early 2023, Earth Kasha had been conducting campaigns targeting individuals and organizations in Japan via spear-phishing emails as the primary intrusion vector. There are no significant inconsistencies in terms of TTPs or victim profiles.
  • NOOPDOOR, believed to be used exclusively by Earth Kasha, was also deployed in this campaign.
  • Trend Micro has previously noted code similarities between ANELLDR (the ANEL loader described below) and NOOPDOOR, suggesting the involvement of the same developer or someone with access to both code bases. The reuse of ANEL in this campaign is therefore unsurprising and further supports the connection between the former APT10 and the current Earth Kasha.
The adversary employed targeted emails to gain initial access, targeting individuals associated with political organizations, research institutions, and organizations related to international relations. Unlike in 2023, when Earth Kasha primarily attempted to exploit vulnerabilities on public-facing edge devices for intrusions, this campaign distributes targeted lure files purporting to relate to topics involving Japan’s national security and international relations. The spear-phishing emails used in this campaign were sent either from free email accounts or from compromised accounts. The emails contained a link to a OneDrive folder holding the infection vector, a ZIP file that victims are encouraged to download in a follow-up message from the attackers. Trend Micro also discovered a unique ANEL loader, which they have named ANELLDR.

Trend Micro has outlined 3 cases of infection chains involved in this campaign:

Case 1: Macro-Enabled Document
  • The simplest case involves a document with embedded macros. The infection begins when the document is opened and the user enables the macros.
  • This document file is a malicious dropper that Trend Micro has named ROAMINGMOUSE. ROAMINGMOUSE can extract and execute the embedded ANEL-related components (a legitimate EXE, ANELLDR, and an encrypted ANEL payload).
  • Two patterns are observed in this process: one involves dropping a ZIP file and then extracting it, while the other consists of directly dropping the components.
Case 2: Shortcut + SFX + Macro-Enabled Template Document
  • In other cases, the ZIP file did not directly contain ROAMINGMOUSE. Instead, it included a shortcut file and an SFX (self-extracting) file disguised as a document by changing its icon and extension.
  • When the shortcut file is opened, it executes the SFX file in the same directory disguised as a .docx file.
  • The SFX file places two document files into the %APPDATA%\Microsoft\Templates folder. One of these files is a harmless decoy document, while the other, named "normal_.dotm," contains a macro called ROAMINGMOUSE.
  • When the decoy document is opened, ROAMINGMOUSE is automatically loaded as a Word Template file. The behavior of ROAMINGMOUSE after execution is identical to that observed in Case 1.
Case 3: Shortcut + CAB + Macro-Enabled Template Document
  • A similar case to Case 2 has also been observed, where the shortcut file executes PowerShell, which then drops an embedded CAB file.
  • In this case the shortcut file contained a PowerShell one-liner (shown in a figure in the Trend Micro report). The script dropped and extracted a CAB file embedded at a specific offset within the shortcut file and then opened a decoy document. The decoy document automatically loaded ROAMINGMOUSE as a template file, following the same process as in Case 2.
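A defender-side triage script, added here as an example that is not from the Trend Micro report or this summary: it flags the two artifact types from Cases 2 and 3, a shortcut file that names PowerShell and carries an embedded CAB, and a Word template in the Templates folder that contains a VBA project. The format constants come from the public MS-SHLLINK and CAB specifications, and the sample inputs are constructed, not taken from the campaign's files.

```python
import io
import struct
import zipfile

# Format constants from the public MS-SHLLINK and CAB specs (not values from the report).
LNK_HEADER = b"\x4c\x00\x00\x00" + bytes.fromhex("0114020000000000c000000000000046")
CAB_MAGIC = b"MSCF"

def is_shortcut(data: bytes) -> bool:
    """True if data starts with a ShellLinkHeader (HeaderSize 0x4C, then the LinkCLSID)."""
    return data[:20] == LNK_HEADER
def find_embedded_cabs(data: bytes) -> list:
    """Offsets of MSCF headers whose cbCabinet (uint32 at +8) is >= 36 and fits in data."""
    hits, pos = [], data.find(CAB_MAGIC)
    while pos != -1:
        if pos + 12 <= len(data):
            cb = struct.unpack_from("<I", data, pos + 8)[0]
            if 36 <= cb <= len(data) - pos:
                hits.append(pos)
        pos = data.find(CAB_MAGIC, pos + 1)
    return hits

def mentions_powershell(data: bytes) -> bool:
    """Shortcut target and argument strings may be stored as ANSI or UTF-16LE."""
    low = data.lower()
    return b"powershell" in low or "powershell".encode("utf-16-le") in low

def template_has_macro(template_bytes: bytes) -> bool:
    """A macro-enabled Word template (.dotm) keeps its VBA project in word/vbaProject.bin."""
    try:
        with zipfile.ZipFile(io.BytesIO(template_bytes)) as zf:
            return "word/vbaProject.bin" in zf.namelist()
    except zipfile.BadZipFile:
        return False

def shortcut_is_suspicious(data: bytes) -> bool:
    """A .lnk that both names PowerShell and carries a CAB matches the Case 3 pattern."""
    return is_shortcut(data) and mentions_powershell(data) and bool(find_embedded_cabs(data))
# Constructed samples for offline testing; these are not real campaign artifacts.
FAKE_CAB = CAB_MAGIC + struct.pack("<II", 0, 48) + b"\x00" * 40  # only cbCabinet is meaningful
def _fake_template(with_vba: bool) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0")  # OLE magic only
    return buf.getvalue()
SAMPLE_LNK = LNK_HEADER + b"\x00" * 56 + "powershell.exe".encode("utf-16-le") + b"\x00" * 64 + FAKE_CAB
SAMPLE_DOTM, SAMPLE_DECOY = _fake_template(True), _fake_template(False)
```

Run the checks over collected .lnk files and the contents of %APPDATA%\Microsoft\Templates on a suspect host; a decoy .dotx without a VBA project is reported clean, as in the sample.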
Security Officer Comments:
Trend Micro expects these Earth Kasha campaigns to continue to evolve, updating tools and TTPs as the group adjusts the goals of its operations. TTPs from previous Earth Kasha campaigns are available here. This campaign is believed to be ongoing as of October 2024, highlighting the importance of gathering threat intelligence and staying informed of APT TTPs and infection vectors. Many of the targets are individuals, such as researchers, who may have different levels of security measures in place compared to enterprise organizations, making these attacks more difficult to detect. The targeted nature of these attacks, coupled with the campaign’s victimology, indicates that this newer campaign’s goal aligns with China’s cyber espionage focus on stealing intellectual property. It is paramount to enforce basic cybersecurity policies, such as not opening files attached to suspicious emails, in order to avoid being victimized by similar attacks.

Suggested Corrections:
Trend Micro has provided IOCs and a YARA rule for finding Earth Kasha activity.

Organizations can make APT groups’ lives more difficult. Here’s how:
  • Defense-in-depth strategy: A comprehensive defense-in-depth strategy is crucial to combat APTs. This includes implementing multiple layers of security controls, such as strong perimeter defenses, network segmentation, endpoint protection, intrusion detection systems, data encryption, access controls, and continuous monitoring for anomalies.
  • Threat intelligence and sharing: Ideally, organizations should actively participate in threat intelligence sharing communities and collaborate with industry peers, government agencies, and security vendors. Sharing information about APTs and their techniques can help detect and mitigate attacks more effectively.
  • Employee education and awareness: Regular security awareness programs, phishing simulations, and training sessions can educate employees about the latest threats, social engineering techniques, and safe computing practices.
  • Incident response and recovery: Despite preventive measures, organizations should have a well-defined incident response plan. This includes incident detection, containment, eradication, and recovery procedures to minimize the impact of APT attacks and restore normal operations.
Link(s):
https://www.trendmicro.com/en_us/research/24/k/return-of-anel-in-the-recent-earth-kasha-spearphishing-campaign.html