The APT group Earth Kuma conducts attack campaigns targeting countries in Southeast Asia, including Vietnam

Information about the APT group Earth Kuma

Since June 2024, security researchers from Trend Micro have discovered complex APT attack campaigns targeting Southeast Asian countries, including the Philippines, Malaysia, and Vietnam, and have named the group behind these campaigns Earth Kuma. This APT group mainly targets the government and energy sectors, aiming to steal data. According to tracked information, Earth Kuma has been engaging in data theft since November 2020. This APT group specializes in stealing data from public cloud services like OneDrive or Dropbox using custom tools such as TESDAT and SIMPOBOXSPY. They also create their own tools to hide activities, like KRNRAT and MORIYA.

Details about the attack behavior

The attack chain and malware used in the attack are summarized as follows:

Currently, researchers are unsure of the initial intrusion method as they began investigating long after the victims had been attacked. To move between devices on the network, the attackers scan the system and set up malware including: NBTSCAN, LADON, FRPC, WMIHACKER, and ICMPinger. They also set up the KMLOG keylogger to steal the victim's login information.

• The attackers use the ICMPinger tool to scan the network using the ICMP protocol to check if any devices are active on the network. They delete this tool once it has been used.

• The Ladon tool is also used for scanning, including port scanning, service scanning, network devices, vulnerability detection, password cracking, etc. To avoid detection, this tool is wrapped in a loader compiled with PyInstaller.

• To move laterally within the network, they use the WMIHACKER tool, which allows command execution on port 135 without needing SMB. In some cases, they execute commands through the SMB service (using net use) to check the system and set up malware.

• To steal login information, they use a tool called KMLOG, a keylogger that saves user keystrokes in the file %Appdata%\Roaming\Microsoft\Windows\Libraries\infokey.zip. To hide this file, they add a fake ZIP file header (PK header) at the beginning. The content behind this header is the user's keystroke information.

To maintain presence, the group uses different loaders such as DUNLOADER, TESDAT, and DMLOADER. These loaders load payload files into memory, execute them, and then deploy malware to collect data on cloud services. In some cases, they also use KRNRAT and MORIYA.

• DUNLOADER is a loader that allows loading payloads from a file named pdata.txt or from its own BIN file, then decodes them using XOR. This is a DLL file and is always executed by rundll32.exe by checking if the parent process name contains the string und. This loader has an export function named Start.

• A newer loader named TESDAT always loads a payload file with the extension .dat. Instead of using standard APIs, it uses an API called SwitchToFiber. There are two different types of TESDAT loaders, which can be either an EXE or a DLL file with an export function called Init.

• DMLOADER is a recent loader that loads embedded payloads and decodes them as a PE buffer in memory. This loader has export functions named Domain, Startprotect, or MThread.

The names of these loaders are placed in directories commonly accessed by victims rather than those typically used by other attackers, aiming to blend the loaders with other legitimate user files.

After setting up the loader, this attack group installs a rootkit on the victim's machine. The first type of rootkit encountered by researchers is MORIYA, which operates by intercepting TCP streams. It attempts to monitor for packets from C2 servers by checking the first 6 magic bytes. If they match, it tries to inject malicious payloads into the body of the returned packet.

This rootkit can also inject shellcode, loading a payload from \\SystemRoot\\system32\\drivers\\{driver_name}.dat. This payload will be AES decrypted and injected into the svhost.exe process. The shellcode can be called using the NtCreateThreadEx API.

Another type of rootkit encountered is called KRNRAT, which has full backdoor capabilities including process manipulation, file hiding, shellcode execution, traffic obfuscation, and connection to C2 servers. Finally, after execution, this rootkit will load an additional payload and inject it into the svhost.exe process. This shellcode operates similarly to MORIYA.

After connecting to the C2 server, it will download the payload for the next step. The final payload downloaded from the C2 server is called SManager.

At the data collection and extraction stage, two tools are used to extract information from the victim to the attacker's cloud services like Dropbox or OneDrive. Before retrieving files from the victim's machine, several commands are executed by the TESDAT loader to collect documents with extensions .pdf, .doc, .xls, .xlsx, .ppt, and .pptx. These documents are first placed in a tmp folder and then compressed using WinRAR with password protection.

• The SIMPOBOXSPY tool is used to collect and upload the compressed files to Dropbox with a predefined token.

• The other tool, ODRIZ, is used to upload the collected files to OneDrive with a refresh token.

Recommendation

To be cautious of complex campaigns like those of the APT Earth Kuma group, FPT Threat Intelligence provides the following recommendations:

• Update the IOCs of this attack campaign to detect and prevent attacks

• Do not open unnecessary service ports like SMB

• Implement policies for installing drivers, only install drivers that are verified as safe

• Have strict monitoring measures and conduct user awareness training

IOC

Reference

Earth Kurma APT Campaign Targets Southeast Asian Government, Telecom Sectors

Earth Kurma APT is actively targeting government and telecommunications orgs in Southeast Asia