The Earth Krahang APT group has emerged as a significant threat, employing sophisticated tactics to target organizations worldwide. Security researchers have identified the group's use of a lesser-known backdoor, RESHELL, alongside the XDealer backdoor, in a widespread campaign aimed at infecting organizations across the globe.

Modus Operandi

The Earth Krahang APT campaign operates through spear-phishing emails, leveraging compromised email accounts to send malicious attachments to users within targeted organizations. These emails use geopolitical topics as a lure, with subjects such as "Malaysian Ministry of Defense Circular" or "ICJ public hearings- Guyana vs. Venezuela." The malicious attachments, typically RAR archives, contain LNK files that execute backdoor installers on victims' systems. In some instances, backdoors have also been delivered through web shells on compromised servers.

Targeted Victims

The campaign has impacted a significant number of organizations: 70 across 23 countries. The government sector bears the brunt of the attacks, with foreign affairs ministries being the primary targets. However, organizations from various other sectors, including education, telecommunications, logistics, finance, healthcare, and manufacturing, have also fallen victim to the campaign.

Connections with Earth Lusca

Security experts have observed striking similarities between Earth Krahang and Earth Lusca, particularly overlapping IP addresses and domain names in their infrastructure. This suggests a strong connection between the two threat actors, with both groups targeting a similar range of victims to achieve their objectives.


Given the severity of the Earth Krahang APT campaign and its preference for compromising email accounts, organizations must prioritize security measures. Educating employees on identifying phishing attempts and matching the Indicators of Compromise (IOCs) published for the campaign against mail and network logs can help defenders understand the attack pattern and implement the necessary defensive measures.
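As an added example that is not part of the original article, the script below shows the two defensive checks the text describes: triaging mail-gateway logs for the attachment chain in the Modus Operandi section (archive or LNK attachments paired with geopolitical lure subjects) and matching proxy logs against a campaign indicator list. All log lines, hostnames, IPs and indicators are constructed placeholders; no real Earth Krahang IOCs appear here, and a deployment would load the published IOC list in place of the placeholder sets.

```python
"""Defensive triage of constructed mail-gateway and proxy log lines.

Everything below (indicators, hosts, addresses, log lines) is constructed
for illustration. Replace IOC_DOMAINS / IOC_IPS with the published campaign
indicators before use.
"""
import re
from dataclasses import dataclass, field

# Placeholder indicator sets (constructed; TEST-NET addresses, .example domains).
IOC_DOMAINS = {"placeholder-c2.example", "placeholder-update.example"}
IOC_IPS = {"198.51.100.23", "203.0.113.77"}

# Subject keywords drawn from the lure themes the article describes.
LURE_KEYWORDS = ("ministry", "defense", "circular", "icj", "hearing")
ARCHIVE_EXT = (".rar", ".zip", ".7z")

# Constructed mail-gateway log; the sender domain being an outside organization
# is expected, since the campaign sends from compromised legitimate accounts.
MAIL_LOG = """\
2024-03-18T08:12:01Z from=finance@partner-ministry.example to=alice@victim.example subject="Malaysian Ministry of Defense Circular" attach=Circular.rar
2024-03-18T08:15:40Z from=hr@victim.example to=bob@victim.example subject="Q1 timesheet reminder" attach=timesheet.xlsx
2024-03-18T09:01:13Z from=press@embassy.example to=carol@victim.example subject="ICJ public hearings- Guyana vs. Venezuela" attach=Hearing_Schedule.lnk
"""

# Constructed proxy log.
PROXY_LOG = """\
2024-03-18T08:13:05Z src=10.0.5.21 dst=placeholder-c2.example:443 action=allow
2024-03-18T08:14:10Z src=10.0.5.21 dst=203.0.113.77:8080 action=allow
2024-03-18T08:20:00Z src=10.0.5.40 dst=intranet.victim.example:443 action=allow
"""

MAIL_RE = re.compile(
    r'from=(?P<frm>\S+) to=(?P<to>\S+) subject="(?P<subj>[^"]*)" attach=(?P<att>\S+)'
)
PROXY_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>[^:\s]+)(?::(?P<port>\d+))?")


@dataclass
class MailFinding:
    line: str
    recipient: str
    reasons: list = field(default_factory=list)


def score_mail_line(line):
    """Return a MailFinding when the message shows the article's lure/attachment pattern."""
    m = MAIL_RE.search(line)
    if not m:
        return None
    att, subj = m["att"].lower(), m["subj"].lower()
    reasons = []
    if att.endswith(ARCHIVE_EXT):
        reasons.append("archive attachment")
    if att.endswith(".lnk"):
        reasons.append("shortcut (LNK) attachment")
    if any(k in subj for k in LURE_KEYWORDS):
        reasons.append("geopolitical lure subject")
    # A lone keyword hit is noisy; require an attachment reason as well.
    if len(reasons) < 2 or "geopolitical lure subject" not in reasons:
        return None
    return MailFinding(line, m["to"], reasons)


def triage_mail(log):
    return [f for f in (score_mail_line(l) for l in log.splitlines()) if f]


def match_proxy(log):
    """Return (src, indicator, kind) for each proxy line whose destination is an IOC."""
    hits = []
    for line in log.splitlines():
        m = PROXY_RE.search(line)
        if not m:
            continue
        dst = m["dst"]
        if dst in IOC_DOMAINS:
            hits.append((m["src"], dst, "domain"))
        elif dst in IOC_IPS:
            hits.append((m["src"], dst, "ip"))
    return hits


def suspicious_hosts(log):
    """Internal hosts that contacted any indicator; a starting point for isolation."""
    return {src for src, _, _ in match_proxy(log)}


if __name__ == "__main__":
    for f in triage_mail(MAIL_LOG):
        print(f"MAIL  {f.recipient}: {', '.join(f.reasons)}")
    for src, ind, kind in match_proxy(PROXY_LOG):
        print(f"PROXY {src} -> {ind} ({kind} indicator)")
    print("hosts to isolate:", sorted(suspicious_hosts(PROXY_LOG)))
```

The mail scoring deliberately requires both a lure-style subject and an archive or LNK attachment before raising a finding, which keeps ordinary internal mail such as the timesheet line quiet; the proxy matcher is exact-match only, so wildcard or parent-domain indicators would need an additional suffix check.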

