CyberSecurity news

FlagThis

Source: securityonline.info
Earth Kurma, a newly identified Advanced Persistent Threat (APT) group, has been actively targeting government and telecommunications organizations in Southeast Asia since June 2024. According to reports from Trend Micro and other security firms, the group's activities, which date back to November 2020, primarily focus on cyberespionage and data exfiltration. Countries affected include the Philippines, Vietnam, Thailand, and Malaysia. The threat actors are particularly interested in exfiltrating sensitive data, often utilizing public cloud services like Dropbox and Microsoft OneDrive for this purpose.

Earth Kurma employs a sophisticated blend of custom malware, stealthy rootkits, and living-off-the-land (LotL) techniques. Their arsenal includes tools such as TESDAT, SIMPOBOXSPY, KRNRAT, and MORIYA, the latter two being rootkits designed for persistence and concealing malicious activities. The group's use of rootkits like MORIYA, which intercepts TCP traffic and injects malicious payloads, highlights their advanced evasion capabilities. Notably, Earth Kurma also abuses PowerShell for data collection, using commands to gather files of interest based on file extensions such as PDF, DOC, XLS, and PPT.

Detection strategies focus on monitoring process-creation events and command lines that reference the document extensions the group is known to collect. The group leverages legitimate system components, such as syssetup.dll, to install its rootkits, which makes detection harder. While there are overlaps with other APT activity such as ToddyCat and Operation TunnelSnake, definitive attribution remains inconclusive. Security researchers emphasize the high business risk posed by Earth Kurma due to its targeted espionage, credential theft, persistent footholds, and data exfiltration via trusted cloud platforms.
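As an added example (not code from the original article, from Trend Micro, or from any of the cited reports), the following Python routine implements the detection idea just described: it scans process-creation records for PowerShell command lines that combine a file-enumeration cmdlet with several document extensions. The record format (`key=value|key=value`), the field names, the sample lines and the exact cmdlet list are assumptions; the extension list goes slightly beyond the article's PDF/DOC/XLS/PPT by also covering the newer `docx`/`xlsx`/`pptx` variants.

```python
"""Constructed detection example for PowerShell-based document collection.
Log format, field names and sample records are assumptions, not real telemetry."""
import re
from dataclasses import dataclass
from typing import Iterable, List

# Document extensions the article names as collection targets (plus the
# Office Open XML variants; that extension is an assumption of this example).
DOC_EXTENSIONS = ("pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx")

# Matches tokens such as "*.pdf", ".PDF" or "report.doc" as whole extensions.
_EXT_RE = re.compile(r"\*?\.(" + "|".join(DOC_EXTENSIONS) + r")\b", re.IGNORECASE)

# File enumeration / copy cmdlets and their common aliases (assumed list).
# One of these plus several document extensions in one command line is the signal.
_ENUM_RE = re.compile(
    r"\b(Get-ChildItem|gci|ls|dir|Copy-Item|Compress-Archive)\b", re.IGNORECASE
)


@dataclass
class ProcessEvent:
    host: str
    user: str
    image: str
    command_line: str


def parse_event(line: str) -> ProcessEvent:
    """Parse one constructed 'key=value|key=value' process-creation record."""
    fields = dict(part.split("=", 1) for part in line.split("|"))
    return ProcessEvent(fields["host"], fields["user"], fields["image"], fields["cmd"])


def is_suspicious(ev: ProcessEvent, min_extensions: int = 2) -> bool:
    """Flag PowerShell whose command line enumerates or copies files and names
    at least `min_extensions` distinct document extensions at once."""
    if not ev.image.lower().endswith(("powershell.exe", "pwsh.exe")):
        return False  # non-PowerShell collectors are out of scope for this rule
    exts = {m.group(1).lower() for m in _EXT_RE.finditer(ev.command_line)}
    return len(exts) >= min_extensions and bool(_ENUM_RE.search(ev.command_line))


def scan(lines: Iterable[str]) -> List[ProcessEvent]:
    """Return the events that match the rule, in log order."""
    return [ev for ev in map(parse_event, lines) if is_suspicious(ev)]


# Constructed sample records: one matching collection command, one benign
# PowerShell command, one non-PowerShell archiver, one single-file read.
SAMPLE_LOG = [
    "host=ws01|user=jdoe|image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|cmd=powershell.exe -NoP -c Get-ChildItem C:\\Users -Recurse -Include *.pdf,*.doc,*.xls,*.ppt",
    "host=ws02|user=asmith|image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|cmd=powershell.exe -c Get-Date",
    "host=ws03|user=svc|image=C:\\Program Files\\7-Zip\\7z.exe"
    "|cmd=7z.exe a backup.zip *.pdf *.doc",
    "host=ws04|user=bob|image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|cmd=powershell.exe -c Get-Content report.pdf",
]

if __name__ == "__main__":
    for ev in scan(SAMPLE_LOG):
        print(f"[ALERT] {ev.host} {ev.user}: {ev.command_line}")
```

The threshold on distinct extensions is what keeps a single `Get-Content report.pdf` from firing; tune `min_extensions` and the cmdlet list to the noise level of your own environment, and pair the rule with monitoring of outbound connections to cloud storage services, since the article notes exfiltration over Dropbox and OneDrive.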



References:
  • SecurityAffairs (securityaffairs.com): Earth Kurma APT is actively targeting government and telecommunications orgs in Southeast Asia
  • SecurityOnline (securityonline.info): Earth Kurma APT Targets Southeast Asia with Stealthy Cyberespionage
  • The Hacker News: Earth Kurma Targets Southeast Asia With Rootkits and Cloud-Based Data Theft Tools
  • Know Your Adversary: That's How Earth Kurma Abuses PowerShell for Data Collection
  • Trend Micro (www.trendmicro.com): Earth Kurma APT Campaign
  • Industrial Cyber (industrialcyber.co): Earth Kurma APT targets Southeast Asian government, telecom sectors in latest cyberespionage campaigns
  • Industrial Cyber (industrialcyber.co): Trend Micro researchers have uncovered that an advanced persistent threat (APT) group known as Earth Kurma is actively
  • SC World (www.scworld.com): Trend Micro researchers have identified a sophisticated cyberespionage campaign orchestrated by the APT group, Earth Kurma, focusing on organizations in Southeast Asia, including Malaysia, Thailand, Vietnam, and the Philippines.
  • Security Risk Advisors: #EarthKurma #APT targeting Southeast Asian governments with #rootkits and cloud exfiltration tools using kernel-level persistence & trusted cloud services to steal sensitive documents. #CyberEspionage #ThreatIntel
  • SecurityOnline (securityonline.info): In a newly released report, Trend Research has unveiled the operations of an advanced persistent threat (APT) group,
Classification:
  • HashTags: #APT #CyberEspionage #EarthKurma
  • Company: Trend Micro
  • Target: Southeast Asia's government, telecom
  • Attacker: Earth Kurma
  • Product: PowerShell
  • Feature: data exfiltration
  • Malware: custom malware
  • Type: Espionage
  • Severity: Major