Earth Kurma APT Campaign Targets Southeast Asian Government, Telecom Sectors

Once all the collected documents have been consolidated into a password-protected RAR archive, typically named after the host, the archive is copied over SMB to the directory \\DC_server\sysvol\{domain}\Policies\{ID}\user. The “sysvol” directory stores all Active Directory (AD) policies and data and exists only on domain controller (DC) servers. We assume the attackers move the collected archives into “sysvol” to take advantage of a native Windows mechanism, Distributed File System Replication (DFSR), which keeps AD policies consistent across DC servers by replicating the contents of “sysvol” between them. As a result, the stolen archives are automatically synchronized to every DC server, and exfiltration can then be carried out from any of them.

Attribution

Our investigation found weak links to two groups, ToddyCat and Operation TunnelSnake. After careful review, we concluded that this operation warranted a distinct designation, Earth Kurma.

The APT group ToddyCat was disclosed in 2022. The “tailored loader” referenced in the ToddyCat report was also detected on the same affected machines previously infected by the TESDAT loaders, although no process execution logs linking the two loaders were found. Both groups also used similar PowerShell exfiltration scripts, and SIMPOBOXSPY, a tool used by Earth Kurma, had previously been employed by ToddyCat.

Both Earth Kurma and ToddyCat focused significantly on Southeast Asian nations. Reports on ToddyCat suggest that their activities commenced in 2020. Their operational timeline closely aligned with what we observed in Earth Kurma.

Nonetheless, SIMPOBOXSPY is a basic tool that could be shared between groups, and no other tools specifically linked to ToddyCat were observed. A definitive connection between Earth Kurma and ToddyCat therefore cannot be established.

The second potentially related APT activity is Operation TunnelSnake, disclosed in 2021. The MORIYA rootkit described in that report is built from the same code base as the MORIYA variant we found, and Operation TunnelSnake likewise targeted countries in Southeast Asia. However, no parallels were detected in the post-exploitation stages.

Security best practices

Earth Kurma remains highly active and continues to target countries across Southeast Asia. The group adapts to victim environments and maintains a low profile, reuses code bases from previously identified campaigns to build its tools, and occasionally leverages the victim’s own infrastructure to accomplish its objectives.

The following security best practices help mitigate such risks:

  • Enforce strict driver installation policies. Allow only digitally signed and explicitly approved drivers, via Group Policy or application control solutions, to block malicious rootkits.
  • Harden Active Directory (AD) and DFSR controls. Lock down AD’s sysvol directory and monitor DFSR replication events to detect misuse for covert data exfiltration.
  • Restrict SMB communications. Limit SMB protocol use across the network to impede lateral movement and unauthorized file transfers.
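
The sysvol hardening point above can be backed by a simple check on the domain controller side. The script below is an added example, not code from the original post or from Trend Micro: it walks a SYSVOL Policies directory and flags archive files inside any GPO folder, where they have no legitimate purpose, and builds a constructed sample tree to run against. The host name, the extension set and the sample files are assumptions; the two GUIDs are the well-known default domain GPO GUIDs.

```python
import os
import re
import tempfile

# Archive extensions with no legitimate place inside a GPO folder under SYSVOL.
# The post describes RAR archives; the other two extensions are an assumption.
ARCHIVE_EXTS = {".rar", ".zip", ".7z"}

# A GPO folder under <domain>\Policies\ is named by a GUID in braces.
GPO_DIR_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")


def find_staged_archives(policies_root):
    """Return the paths of archive files found inside any GPO folder below a
    SYSVOL Policies directory (e.g. under {GUID}\\User, as in the post)."""
    hits = []
    for entry in os.scandir(policies_root):
        if not entry.is_dir() or not GPO_DIR_RE.match(entry.name):
            continue  # skip anything that is not a GPO folder
        for dirpath, _subdirs, files in os.walk(entry.path):
            for fname in files:
                if os.path.splitext(fname)[1].lower() in ARCHIVE_EXTS:
                    hits.append(os.path.join(dirpath, fname))
    return sorted(hits)


def build_sample_policies(root):
    """Constructed sample tree: two GPO folders with normal contents, one of
    which also holds an archive named after a host (an assumed host name).
    The GUIDs are the well-known default domain GPO GUIDs."""
    gpos = [os.path.join(root, g) for g in (
        "{31B2F340-016D-11D2-945F-00C04FB984F9}",
        "{6AC1786C-016F-11D2-945F-00C04FB984F9}")]
    for gpo in gpos:
        for sub in ("User", "Machine"):
            os.makedirs(os.path.join(gpo, sub), exist_ok=True)
        with open(os.path.join(gpo, "GPT.ini"), "w") as f:
            f.write("[General]\nVersion=1\n")
    staged = os.path.join(gpos[1], "User", "WS-FINANCE-07.rar")
    with open(staged, "wb") as f:
        f.write(b"Rar!\x1a\x07\x01\x00")  # RAR5 signature only, constructed
    return staged


def demo():
    """Build the sample tree in a temp dir; return base names of flagged files."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_policies(tmp)
        return [os.path.basename(p) for p in find_staged_archives(tmp)]
```

Run against a real domain by pointing find_staged_archives at the Policies folder of the SYSVOL share; any hit is worth correlating with DFSR replication and SMB share-access events.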

Proactive security with Trend Vision One™

Trend Vision One™ stands as the exclusive AI-driven enterprise cybersecurity platform centralizing cyber risk exposure management, security operations, and robust layered protection. This holistic approach facilitates the anticipation and prevention of threats, hastening proactive security outcomes across the entirety of your digital estate. Supported by years of cybersecurity expertise and Trend Cybertron, the inaugural proactive cybersecurity AI in the industry, it delivers demonstrable results: a 92% reduction in ransomware risk and a 99% decrease in detection time. Security leaders can benchmark their security stance and exhibit continuous enhancements to stakeholders. Through Trend Vision One, you gain the ability to eradicate security blind spots, concentrate on crucial aspects, and elevate security into a strategic innovation partner.

Trend Vision One Threat Intelligence

To preempt evolving threats, Trend Vision One customers can delve into a variety of Intelligence Reports and Threat Insights. Threat Insights empowers clients to outrun cyber threats before they materialize and prepare for emerging threats by imparting comprehensive insights into threat actors, their malevolent exploits, and methodologies. By leveraging this intelligence, clients can adopt proactive measures to safeguard their environments, mitigate risks, and respond effectively to threats.

Trend Vision One Intelligence Reports App [IOC Sweeping]

  • Earth Kurma Uncovered: Cyber Threats to Southeast Asian Governments

Trend Vision One Threat Insights App

Hunting Queries

Trend Vision One Search App

Customers of Trend Vision One can utilize the Search App to match or hunt down the malicious indicators mentioned in this blog post within their data environment.

Initiate a scan for Earth Kurma malware detections:

malName: (*DUNLOADER* OR *TESDAT* OR *DMLOADER* OR *MORIYA* OR *KRNRAT* OR *SIMPOBOXSPY* OR *ODRIZ* OR *KMLOG*) AND eventName: MALWARE_DETECTION

Indicators of Compromise (IoC)

The indicators of compromise for this entry can be accessed here
