Chinese Hackers Exploit GeoServer Vulnerability to Target APAC Regions with EAGLEDOOR Malware
An advanced persistent threat (APT) actor believed to be based in China targeted a government organization in Taiwan, and possibly other countries in the Asia-Pacific (APAC) region, by exploiting a recently patched critical security flaw in OSGeo GeoServer GeoTools.
The breach, identified by Trend Micro in July 2024, has been linked to a threat actor named Earth Baxia.
“After analyzing the phishing emails, decoy documents, and incident reports, it seems that the primary targets are government bodies, telecommunication companies, and the energy sector in the Philippines, South Korea, Vietnam, Taiwan, and Thailand,” said researchers Ted Lee, Cyris Tseng, Pierre Lee, Sunny Lu, and Philip Chen.
The discovery of decoy documents written in Simplified Chinese suggests that China may also be among the affected countries, though the cybersecurity firm noted that it lacks sufficient data to determine which sectors were targeted there.
The multi-stage infection chain relies on two distinct initial-access techniques: spear-phishing emails and exploitation of the GeoServer vulnerability (CVE-2024-36401, CVSS score: 9.8). Both are used to deliver Cobalt Strike and a previously undocumented backdoor named EAGLEDOOR, which supports data collection and payload delivery.
“The threat actor employs GrimResource and AppDomainManager injection to launch extra payloads, with the goal of reducing the target’s vigilance,” the researchers said, adding that the former technique is used to download later-stage malware by means of a decoy MSC file dubbed RIPCOY that is embedded in a ZIP attachment.
It is worth noting that Japanese cybersecurity company NTT Security Holdings recently disclosed an activity cluster linked to APT41 that reportedly used the same two techniques to target Taiwan, the Philippine military, and Vietnamese energy organizations.
The two intrusion sets are likely connected, given their shared use of Cobalt Strike command-and-control (C2) domains that mimic Amazon Web Services and Microsoft Azure (for instance, “s3cloud-azure,” “s2cloud-amazon,” “s3bucket-azure,” and “s3cloud-azure”) as well as Trend Micro itself (“trendmicrotech”).
The ultimate goal of the attacks is to deploy a customized version of Cobalt Strike, which acts as the launchpad for the EAGLEDOOR backdoor (“Eagle.dll”) loaded via DLL side-loading.

The malware supports four methods of communicating with the C2 server: DNS, HTTP, TCP, and Telegram. The first three protocols are used only to report the victim’s status; the core functionality runs over the Telegram Bot API, which is used to exchange files and execute additional payloads. Collected data is exfiltrated using curl.exe.
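The C2 and exfiltration behaviour described above gives defenders three network-side signals to hunt for: Telegram Bot API calls from endpoint processes, outbound uploads made by curl.exe, and destinations carrying the cloud-lookalike name fragments quoted in the report. The following is an added example, not code from the Trend Micro report, that applies those three rules to a constructed proxy/EDR log in a simple space-separated format (timestamp, host, process, method, destination host, path); the log lines, hostnames and bot token are placeholders.

```python
import re
from typing import NamedTuple

# Constructed proxy/EDR log sample (not from the report):
# timestamp host process method dest_host path
SAMPLE_LOGS = """\
2024-07-11T09:12:01Z WS-17 curl.exe POST api.telegram.org /bot123456789:AAExampleTokenPLACEHOLDER/sendDocument
2024-07-11T09:12:05Z WS-17 curl.exe GET api.telegram.org /bot123456789:AAExampleTokenPLACEHOLDER/getUpdates
2024-07-11T09:13:40Z WS-17 rundll32.exe GET s3cloud-azure.placeholder.invalid /index
2024-07-11T09:15:00Z WS-22 chrome.exe GET www.microsoft.com /
2024-07-11T09:16:12Z WS-22 curl.exe GET dl.example.invalid /update.zip
"""

# Telegram Bot API paths have the shape /bot<id>:<token>/<method>
TELEGRAM_BOT_RE = re.compile(r"^/bot\d+:[A-Za-z0-9_-]+/(\w+)")
# Name fragments the report attributes to this campaign's lookalike C2 domains
LOOKALIKE_RE = re.compile(r"s3cloud-azure|s2cloud-amazon|s3bucket-azure|trendmicrotech", re.I)


class Finding(NamedTuple):
    host: str
    process: str
    rule: str
    detail: str


def analyze(log_text: str, approved_bot_processes: frozenset = frozenset()) -> list:
    """Return one Finding per rule hit; a single log line can trigger several rules."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, host, proc, method, dest, path = line.split(maxsplit=5)
        # Rule 1: Bot API traffic from any process not explicitly approved for bot automation
        m = TELEGRAM_BOT_RE.match(path) if dest.lower() == "api.telegram.org" else None
        if m and proc.lower() not in approved_bot_processes:
            findings.append(Finding(host, proc, "telegram_bot_api_c2", f"method={m.group(1)}"))
        # Rule 2: destination names that imitate AWS/Azure/Trend Micro, as quoted in the report
        if LOOKALIKE_RE.search(dest):
            findings.append(Finding(host, proc, "cloud_lookalike_domain", dest))
        # Rule 3: curl.exe uploading data, the exfiltration path the report describes
        if proc.lower() == "curl.exe" and method.upper() == "POST":
            findings.append(Finding(host, proc, "curl_exe_upload", dest))
    return findings


def hosts_to_escalate(findings) -> set:
    """Hosts hit by more than one distinct rule; corroborating signals reduce false positives."""
    by_host = {}
    for f in findings:
        by_host.setdefault(f.host, set()).add(f.rule)
    return {h for h, rules in by_host.items() if len(rules) > 1}


if __name__ == "__main__":
    hits = analyze(SAMPLE_LOGS)
    for f in hits:
        print(f)
    print("escalate:", hosts_to_escalate(hits))
```

The `approved_bot_processes` allowlist exists because some organizations run legitimate Telegram bot automation; keep it empty unless such a process is known.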
“Earth Baxia, believed to operate from China, conducted an elaborate campaign targeting government and energy sectors in multiple APAC regions,” the researchers said.
“They employed sophisticated methods like GeoServer exploitation, spear-phishing, and tailor-made malware (Cobalt Strike and EAGLEDOOR) to infiltrate and extract data. Their utilization of public cloud services for hosting malicious files and the multi-protocol backing of EAGLEDOOR underscore the intricacy and flexibility of their endeavors.”