The Earth Krahang APT group has launched a sophisticated campaign against organizations worldwide, using the RESHELL and XDealer backdoors to gain a foothold on victim systems. Spear-phishing emails themed as geopolitical communications carry malicious attachments that install the backdoors. The attackers have also compromised government web servers and used them to scan other government targets for vulnerabilities. Seventy organizations across 23 countries have been impacted, chiefly government ministries, with victims in several other sectors.
Modus Operandi:
- Sends spear-phishing emails from compromised email accounts within the targeted organizations, so the messages arrive from a sender the recipient already trusts.
- Emails are themed around geopolitical topics to lure victims into opening the malicious attachments.
- Attachments are RAR archives containing LNK (Windows shortcut) files; opening the shortcut runs the backdoor installer.
- Backdoors are also dropped through web shells planted on compromised servers.
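A shortcut inside an archive hides its real command line behind a document icon, so the first triage step for such an attachment is to read the LNK target without opening it. The script below is an added example, not code from the Trend Micro report or from this post: it parses the Shell Link header and StringData fields defined in Microsoft's MS-SHLLINK specification, then flags shortcuts whose target or arguments invoke a command interpreter or other LOLBin, or whose ShowCommand asks for a minimized window. The two sample shortcuts are constructed inside the script and are hypothetical, and the LOLBin list is a generic heuristic, not an Earth Krahang indicator.

```python
import struct

# Shell Link (.lnk) header constants from the MS-SHLLINK specification.
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}, little-endian
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
SHOWCOMMAND_OFFSET = 60  # ShowCommand sits at byte 60 of the 76-byte header

# Script hosts and LOLBins commonly launched by shortcut droppers (generic heuristic, not a campaign IOC).
SUSPICIOUS_HOSTS = ("cmd.exe", "powershell", "mshta", "wscript", "cscript",
                    "rundll32", "regsvr32", "certutil", "msiexec")


def parse_lnk(data: bytes) -> dict:
    """Extract the StringData fields (name, paths, arguments) and ShowCommand from a .lnk file."""
    if (len(data) < LNK_HEADER_SIZE
            or struct.unpack_from("<I", data, 0)[0] != LNK_HEADER_SIZE
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    off = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:  # skip the optional ItemID list (2-byte size prefix)
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:  # skip the optional LinkInfo block (size includes its own length field)
        off += struct.unpack_from("<I", data, off)[0]
    unicode = bool(flags & IS_UNICODE)

    def read_string() -> str:
        nonlocal off
        count = struct.unpack_from("<H", data, off)[0]  # CountCharacters, not bytes
        off += 2
        nbytes = count * 2 if unicode else count
        raw = data[off:off + nbytes]
        off += nbytes
        return raw.decode("utf-16-le") if unicode else raw.decode("cp1252", errors="replace")

    fields = {}
    for bit, name in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                      (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                      (HAS_ICON_LOCATION, "icon_location")):
        if flags & bit:  # StringData entries appear in this fixed order, only when flagged
            fields[name] = read_string()
    fields["show_command"] = struct.unpack_from("<I", data, SHOWCOMMAND_OFFSET)[0]
    return fields


def triage_lnk(data: bytes) -> dict:
    """Flag shortcuts that launch a command interpreter/LOLBin or hide their window."""
    info = parse_lnk(data)
    target = (info.get("relative_path", "") + " " + info.get("arguments", "")).lower()
    hits = [h for h in SUSPICIOUS_HOSTS if h in target]
    hidden = info["show_command"] in (2, 7)  # SW_SHOWMINIMIZED / SW_SHOWMINNOACTIVE
    return {"fields": info, "lolbin_hits": hits, "hidden_window": hidden,
            "verdict": "suspicious" if hits or hidden else "benign"}


def build_lnk(relative_path: str, arguments: str, icon_location: str = "", show_command: int = 1) -> bytes:
    """Assemble a minimal Unicode .lnk; used here only to construct the test samples."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE | (HAS_ICON_LOCATION if icon_location else 0)
    # HeaderSize, CLSID, LinkFlags, FileAttributes(ARCHIVE), 3 timestamps, FileSize,
    # IconIndex, ShowCommand, HotKey, Reserved1..3
    header = struct.pack("<I16sIIQQQIIIHHII", LNK_HEADER_SIZE, LNK_CLSID, flags,
                         0x20, 0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)

    def string_data(text: str) -> bytes:
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")

    body = string_data(relative_path) + string_data(arguments)
    if icon_location:
        body += string_data(icon_location)
    return header + body + struct.pack("<I", 0)  # TerminalBlock closes the ExtraData section


# Constructed samples (hypothetical, not real campaign artifacts): a shortcut wearing a stock icon
# that runs an installer via cmd.exe with a minimized window, and a plain document shortcut.
SAMPLE_PHISHING_LNK = build_lnk(
    r"..\..\..\Windows\System32\cmd.exe",
    r'/c start /min "" "%TEMP%\installer.exe"',
    icon_location=r"%SystemRoot%\System32\imageres.dll",
    show_command=7,
)
SAMPLE_BENIGN_LNK = build_lnk(r"..\Documents\Q1-report.docx", "")

if __name__ == "__main__":
    for label, blob in (("phishing", SAMPLE_PHISHING_LNK), ("benign", SAMPLE_BENIGN_LNK)):
        print(label, triage_lnk(blob))
```

Run against a real attachment, `parse_lnk(open(path, "rb").read())` returns the fields an analyst wants in a ticket (relative path, arguments, icon location, window state) without resolving or executing the shortcut; the heuristic in `triage_lnk` is a starting point and should be tuned to the LOLBins seen in your own telemetry.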
Targeted Victims:
- Seventy organizations in 23 countries have been targeted.
- Mainly government ministries, with additional targets in education, telecommunications, logistics, finance, healthcare, and manufacturing sectors.
Connections with Earth Lusca:
- Trend Micro suspects a strong link between Earth Krahang and Earth Lusca, based on overlapping IP addresses and domain names in the two groups' infrastructure.
- Similar victim profiles suggest a coordinated effort between the two groups.
Recommendations:
- Organizations are urged to train employees to recognize phishing attempts, bearing in mind that in this campaign the lures arrive from compromised legitimate accounts, so sender reputation alone is not a reliable signal.
- Apply security best practices and feed the published IOCs into detection and response tooling.
Stay vigilant and proactive against sophisticated threat actors like Earth Krahang to safeguard organizational assets and sensitive information.
March 20, 2024