Earth Kurma APT Campaign Targets Southeast Asian Government, Telecom Sectors
Summary:
Trend Micro uncovered a sophisticated cyber-espionage campaign known as Earth Kurma, attributed to a new APT group targeting government and telecommunications sectors in Southeast Asia, specifically in the Philippines, Vietnam, Thailand, and Malaysia. Active since at least 2020, Earth Kurma has demonstrated a long-term, stealthy presence in compromised environments, relying on kernel-level rootkits and custom malware to maintain persistence and evade detection. Their objective is clearly espionage, focusing on data theft and credential harvesting.
The group uses an extensive toolset, including loaders like DUNLOADER, TESDAT, and DMLOADER to deploy payloads such as Cobalt Strike beacons and rootkits like MORIYA and KRNRAT. MORIYA acts as a TCP traffic interceptor capable of injecting shellcode directly into network packets, while KRNRAT is a full-featured backdoor built from open-source rootkit projects, supporting advanced capabilities like process manipulation, file hiding, shellcode execution, and traffic obfuscation. Both tools help Earth Kurma maintain stealthy and persistent access to victim systems.
For lateral movement, the attackers utilized various open-source and custom tools like LADON, WMIHACKER, and KMLOG, the latter functioning as a keylogger that captures keystrokes and stores them with a spoofed ZIP header to avoid detection. In the data collection phase, Earth Kurma uses PowerShell scripts and loaders to search for and archive sensitive documents, primarily Office files modified within the last 30 days. These archives are then exfiltrated using tools like SIMPOBOXSPY and ODRIZ, which upload to Dropbox and OneDrive respectively using hardcoded tokens. Notably, stolen data is sometimes transferred through the victim’s SYSVOL directory to exploit Windows’ Distributed File System Replication (DFSR) and facilitate internal exfiltration.
Security Officer Comments:
While Earth Kurma shares some tools and techniques with known groups such as ToddyCat and those behind Operation TunnelSnake, significant differences in their malware deployment and post-exploitation tactics led Trend Micro to treat Earth Kurma as a distinct threat group. The campaign presents a high risk to affected organizations due to its use of stealthy, persistent malware, credential theft, and the abuse of cloud services for exfiltration.
Suggested Corrections:
Here are some best security practices to mitigate such threats:
- Enforce strict driver installation policies. Allow only digitally signed and explicitly approved drivers through Group Policies or application control solutions to prevent malicious rootkits.
- Strengthen Active Directory (AD) and DFSR controls. Secure AD’s sysvol directory and closely audit DFSR replication events to prevent misuse for stealthy data exfiltration.
- Limit SMB communications. Restrict SMB protocol usage across the network to prevent lateral movement and unauthorized file transfers.
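Two of the report's observations lend themselves to a concrete hunt: KMLOG stores keystroke logs behind a spoofed ZIP header, and stolen archives are staged in SYSVOL so that DFSR carries them between domain controllers. The script below is an added example written for this summary; it is not code from Trend Micro or from the campaign. It walks a SYSVOL-like tree and flags two things: files that begin with the ZIP local-file-header magic but have no valid ZIP structure (the spoofed-header pattern), and genuine ZIP archives, which have no business sitting under SYSVOL at all. The sample tree, file names and the `{CONSTRUCTED-GUID}` policy folder are constructed for the demo; in production you would point `hunt()` at `\\<dc>\SYSVOL` and feed the findings to whatever alerting pipeline you already run.

```python
"""Hunt for spoofed-ZIP-header files and stray archives in a SYSVOL-like tree.

Added example, not code from the Trend Micro report or from the Earth Kurma
toolset. All paths and sample files below are constructed for the demo.
"""
import os
import tempfile
import zipfile

# Magic bytes of a ZIP local file header; a file can start with these and still
# be a fake archive (the report describes KMLOG doing exactly this).
ZIP_LOCAL_MAGIC = b"PK\x03\x04"


def classify_file(path):
    """Return a finding label for one file, or None if nothing stands out.

    'spoofed-zip-header' : starts with PK\\x03\\x04 but zipfile cannot find an
                           end-of-central-directory record, so it is not a ZIP.
    'archive-in-sysvol'  : a real ZIP archive; SYSVOL holds policies and
                           scripts, so an archive here is worth a look.
    """
    with open(path, "rb") as fh:
        head = fh.read(len(ZIP_LOCAL_MAGIC))
    is_zip = zipfile.is_zipfile(path)
    if head == ZIP_LOCAL_MAGIC and not is_zip:
        return "spoofed-zip-header"
    if is_zip:
        return "archive-in-sysvol"
    return None


def hunt(root):
    """Walk root and return sorted (relative_path, finding) tuples."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            kind = classify_file(path)
            if kind:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                findings.append((rel, kind))
    return sorted(findings)


def build_sample_tree(root):
    """Write a constructed SYSVOL-like tree: one benign policy file, one real
    archive, and one file with a spoofed ZIP header followed by plain data."""
    policies = os.path.join(root, "Policies", "{CONSTRUCTED-GUID}")
    scripts = os.path.join(root, "scripts")
    os.makedirs(policies)
    os.makedirs(scripts)
    with open(os.path.join(policies, "GPT.INI"), "w") as fh:
        fh.write("[General]\nVersion=1\n")          # benign, expected content
    with zipfile.ZipFile(os.path.join(scripts, "update.zip"), "w") as zf:
        zf.writestr("Q2-budget.xlsx", b"constructed document bytes")
    with open(os.path.join(scripts, "kl.dat"), "wb") as fh:
        # Spoofed header: ZIP magic, then bytes that are not a ZIP at all.
        fh.write(ZIP_LOCAL_MAGIC + b"\x00" * 26 +
                 b"constructed keystroke log, not a real archive")


def demo():
    """Build the sample tree in a temp dir and run the hunt over it."""
    root = tempfile.mkdtemp(prefix="sysvol-demo-")
    build_sample_tree(root)
    return hunt(root)


if __name__ == "__main__":
    for rel_path, finding in demo():
        print(f"{finding:20s} {rel_path}")
```

The spoofed-header check deliberately relies on `zipfile.is_zipfile`, which looks for the end-of-central-directory record rather than trusting the leading magic; a detection that keyed only on the first four bytes would accept the fake file as an archive, which is precisely the misclassification the spoofed header is meant to cause. Run regularly against each domain controller's SYSVOL and diffed against the previous run, the output also gives you a cheap audit trail for files that arrived via DFSR replication.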
Link(s):
https://www.trendmicro.com/en_us/research/25/d/earth-kurma-apt-campaign.html