Full Report
Earth Baku, a threat actor linked to APT41, has extended its operations beyond the Indo-Pacific, targeting regions across Europe, the Middle East, and Africa, including countries such as Italy, Germany, the UAE, and Qatar, with suspected activities in Georgia and Romania. The ...
Analysis Summary
# Threat Actor: Earth Baku
## Attribution & Identity
* **Actor identification:** Earth Baku
* **Known aliases and associated groups:** Linked to APT41.
## Activity Summary
Earth Baku has extended its operations beyond the Indo-Pacific, targeting regions across Europe, the Middle East, and Africa. The group exploits public-facing applications, particularly IIS servers, as initial access vectors to deploy advanced malware toolsets for data exfiltration.
## Tactics, Techniques & Procedures
* Initial Access: Exploitation of software misconfiguration in public-facing applications, notably IIS servers.
* Post-Exploitation/Execution: Webshell deployment (Godzilla).
* Loading/Staging: Use of custom loaders (StealthVector, StealthReacher) employing AES encryption and code obfuscation.
* C2/Backdoor: Deployment of the latest backdoor, SneakCross, which utilizes Google services for command-and-control.
* Persistence and tunneling: a customized build of the open-source iox proxy tool, the open-source Rakshasa proxy, and the legitimate Tailscale VPN client, each giving the actor a stable route back into the compromised network.
* Exfiltration: Use of MEGAcmd for data exfiltration.
* **MITRE ATT&CK IDs:** Not given in the source text. Mapping the TTPs above: T1190 (Exploit Public-Facing Application) for the IIS entry point, T1505.003 (Server Software Component: Web Shell) for Godzilla, T1027 (Obfuscated Files or Information) for the encrypted and obfuscated loaders, T1102 (Web Service) with T1071 (Application Layer Protocol) for SneakCross's Google-based C2, T1090 (Proxy) and T1572 (Protocol Tunneling) for iox, Rakshasa and Tailscale, and T1567.002 (Exfiltration to Cloud Storage) for MEGAcmd uploads to MEGA.
## Targeting
* **Sectors:** Not detailed in the source text. The source describes targeting by exposure (internet-facing applications, notably IIS servers) rather than by sector.
* **Geography:** Operations expanded beyond the Indo-Pacific into Europe, the Middle East, and Africa.
  * Targeted countries: Italy, Germany, UAE, Qatar.
  * Suspected activity: Georgia, Romania.
* **Victims:** No specific organizations mentioned.
## Tools & Infrastructure
* **Malware families used:**
  * Godzilla (webshell)
  * StealthVector (custom loader; AES-encrypted payload, code obfuscation)
  * StealthReacher (custom loader; AES-encrypted payload, code obfuscation)
  * SneakCross (latest backdoor)
* **Tools and infrastructure:**
  * Command-and-control over Google services (SneakCross).
  * Exfiltration via MEGAcmd to MEGA cloud storage.
  * Persistence and tunneling via a customized iox, the open-source Rakshasa proxy, and the legitimate Tailscale client.
## Implications
The expansion of Earth Baku into Europe, the Middle East, and Africa, coupled with the evolution of its toolset (e.g., using Google services for C2 and employing sophisticated obfuscation), indicates an increasingly complex and persistent threat actor posing a risk to global organizations using internet-exposed services.
## Mitigations
* Harden public-facing applications, especially Microsoft IIS servers: patch, remove unneeded modules and handlers, run application pools under least-privilege identities, and review configuration for the misconfigurations used as entry points.
* Monitor egress from server-class hosts for connections to the legitimate services the group abuses (Google services for C2, MEGA for exfiltration, Tailscale for persistence). These destinations cannot simply be blocked enterprise-wide, so the useful signal is an IIS or other server initiating them, not the destination on its own.
* Alert on the IIS worker process (w3wp.exe) spawning command interpreters or other unexpected children, the usual footprint of a webshell such as Godzilla, and hunt for the loaders (StealthVector, StealthReacher) and tunneling tools (iox, Rakshasa, Tailscale) on hosts where they have no business.
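The two monitoring points above (webshell activity under the IIS worker process, and server-class hosts reaching services abused for C2, exfiltration and persistence) as a worked example. This is editor-added code, not code from the source report or from the actor's toolset. The list of suspicious child processes, the watched hostnames (the report names Google services, MEGA and Tailscale but no FQDNs) and the sample telemetry are assumptions constructed for the example.

```python
"""Detections for the Earth Baku TTPs summarised above, run over constructed
sample telemetry. Example code added by the editor, not from the source report."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable, Optional

# --- Rule 1: IIS worker process spawning a shell (webshell post-exploitation) ---

# Children that w3wp.exe almost never launches on a healthy IIS host.
# Assumed list for the example; tune to your own environment.
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "certutil.exe",
    "rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe", "cscript.exe",
}


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    parent_image: str
    image: str
    command_line: str


def _basename(path: str) -> str:
    """Last path component, lower-cased, for Windows or POSIX separators."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_webshell_spawns(events: Iterable[ProcessEvent]) -> list[ProcessEvent]:
    """Flag process creations where the IIS worker (w3wp.exe) is the parent of a
    command interpreter or LOLBin. Maps to ATT&CK T1505.003 (Web Shell)."""
    return [
        e for e in events
        if _basename(e.parent_image) == "w3wp.exe"
        and _basename(e.image) in SUSPICIOUS_CHILDREN
    ]


# --- Rule 2: server-class hosts talking to cloud services used for C2/exfil ---

# Destination suffixes mapped to the role they play in this campaign class.
# Hostnames are assumptions for the example, not indicators from the report.
WATCHED_SUFFIXES = {
    "googleapis.com": "google-service-c2",
    "drive.google.com": "google-service-c2",
    "docs.google.com": "google-service-c2",
    "mega.nz": "mega-exfil",
    "mega.co.nz": "mega-exfil",
    "mega.io": "mega-exfil",
    "tailscale.com": "tailscale-tunnel",
}


@dataclass(frozen=True)
class Connection:
    host: str
    dest_fqdn: str


def classify_destination(fqdn: str) -> Optional[str]:
    """Return the watched-service label for an FQDN, or None if not watched."""
    fqdn = fqdn.lower().rstrip(".")
    for suffix, label in WATCHED_SUFFIXES.items():
        if fqdn == suffix or fqdn.endswith("." + suffix):
            return label
    return None


def detect_suspicious_egress(conns: Iterable[Connection],
                             server_hosts: set[str]) -> list[tuple[Connection, str]]:
    """Workstations legitimately use Google and may use MEGA; an IIS server has no
    business doing so. Alert only when the source host is a known server."""
    hits = []
    for c in conns:
        label = classify_destination(c.dest_fqdn)
        if label and c.host in server_hosts:
            hits.append((c, label))
    return hits


# --- constructed sample telemetry (not real captures) ---
SAMPLE_EVENTS = [
    ProcessEvent("web01", r"C:\Windows\System32\inetsrv\w3wp.exe",
                 r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami"),
    # ASP.NET dynamic compilation: a benign child of w3wp.exe, must not alert.
    ProcessEvent("web01", r"C:\Windows\System32\inetsrv\w3wp.exe",
                 r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe", "csc.exe /noconfig"),
    ProcessEvent("ws17", r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\cmd.exe", "cmd.exe"),
]
SAMPLE_CONNS = [
    Connection("web01", "www.googleapis.com"),
    Connection("web01", "g.api.mega.co.nz"),
    Connection("ws17", "drive.google.com"),        # workstation: expected, ignored
    Connection("web01", "controlplane.tailscale.com"),
    Connection("web01", "update.microsoft.com"),   # not a watched destination
]
SERVER_HOSTS = {"web01", "web02"}

if __name__ == "__main__":
    for e in detect_webshell_spawns(SAMPLE_EVENTS):
        print(f"[webshell?] {e.host}: w3wp.exe -> {e.command_line}")
    for c, label in detect_suspicious_egress(SAMPLE_CONNS, SERVER_HOSTS):
        print(f"[{label}] {c.host} -> {c.dest_fqdn}")
```

The asset-role check in the second rule is the important design choice: the same Google or MEGA destination that is noise from a workstation is a strong signal from a web server, so the rule keys on who initiates the connection rather than trying to blocklist services the business depends on.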