Full Report
Trend Micro researchers have uncovered that an advanced persistent threat (APT) group known as Earth Kurma is actively... The post Earth Kurma APT targets Southeast Asian government, telecom sectors in latest cyberespionage campaigns appeared first on Industrial Cyber.
Analysis Summary
# Threat Actor: Earth Kurma APT
## Attribution & Identity
Identified as an Advanced Persistent Threat (APT) group known as Earth Kurma. No entity attribution (e.g., nation-state sponsorship) is specified in the text, only the operational name.
## Activity Summary
Earth Kurma is actively engaged in cyberespionage campaigns, focusing on establishing prolonged, undetected access to victim networks. Their historical activities date back to November 2020, with a sustained focus on data exfiltration. Since June of the previous year, a surge in operations has been observed across multiple Southeast Asian nations.
## Tactics, Techniques & Procedures
- Employ sophisticated custom malware toolsets.
- Utilize kernel-level rootkits (e.g., KRNRAT, MORIYA) to maintain persistence and conceal activities.
- Exploit trusted cloud services for covert data exfiltration.
- Employ advanced evasion techniques designed to bypass security defenses.
- Focus areas include credential theft and establishing long-term monitoring footholds.
- Techniques observed align with cyberespionage objectives (Motive: Data Exfiltration).
## Targeting
- Sectors: Government and Telecommunications organizations.
- Geography: Southeast Asia, specifically observed in the Philippines, Vietnam, and Malaysia.
- Victims: Sensitive government and telecommunications organizations.
## Tools & Infrastructure
- Malware families used: TESDAT, SIMPOBOXSPY.
- Rootkits: KRNRAT, MORIYA.
- Infrastructure: Favors public cloud services (Dropbox, OneDrive) for stealthy data transfer and exfiltration. (No explicit C2 domains or IPs are mentioned; only the cloud endpoints used for exfiltration are named.)
## Implications
The group poses a severe business risk due to their focus on high-value government and critical infrastructure/telecom data. The use of kernel-level rootkits and legitimate cloud services for exfiltration significantly increases the difficulty of detection (the rootkits conceal activity on the host) and of mitigation (the exfiltration endpoints are trusted services that cannot simply be blocked).
## Mitigations
- Implement robust defense mechanisms capable of detecting kernel-level rootkit behavior.
- Monitor outbound traffic to legitimate cloud storage providers (Dropbox, OneDrive) for anomalous or large-scale sensitive data transfers indicative of exfiltration.
- Focus on threat hunting to identify persistent footholds established by sophisticated evasion toolsets.
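As an added illustration of the second mitigation (this is not code from the report or from Trend Micro), the following Python sketch aggregates POST/PUT volume to Dropbox/OneDrive upload endpoints per source host over a sliding window and flags hosts that exceed a threshold, noting off-hours activity as a secondary signal. The proxy log format, domain list, sample lines, byte threshold and off-hours range are all assumptions to be replaced with your own baseline.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed upload-endpoint suffixes for the two services named in the report; extend as needed.
CLOUD_STORAGE_DOMAINS = ("dropboxapi.com", "dropbox.com", "onedrive.live.com", "1drv.ms")

# Constructed proxy log lines (not from the report): timestamp src_ip method host bytes_sent
SAMPLE_LOG = """\
2025-01-10T02:11:04 10.20.5.17 POST content.dropboxapi.com 52428800
2025-01-10T02:13:40 10.20.5.17 POST content.dropboxapi.com 62914560
2025-01-10T02:20:02 10.20.5.17 POST content.dropboxapi.com 73400320
2025-01-10T09:15:11 10.20.7.42 GET www.dropbox.com 2048
2025-01-10T09:16:00 10.20.7.42 POST content.dropboxapi.com 1048576
2025-01-10T10:00:00 10.20.9.3 POST api.example.com 5242880
"""

def parse_line(line):
    ts, src, method, host, sent = line.split()
    return datetime.fromisoformat(ts), src, method, host, int(sent)

def is_cloud_storage(host):
    # Exact or subdomain match only, so "dropbox.com.evil.example" does not match.
    return any(host == d or host.endswith("." + d) for d in CLOUD_STORAGE_DOMAINS)

def flag_cloud_exfil(log_text, window=timedelta(hours=1),
                     byte_threshold=100 * 1024 * 1024, off_hours=range(0, 6)):
    """Return {src_ip: {"bytes": peak_window_total, "off_hours": bool}} for hosts whose
    uploads (POST/PUT) to cloud storage exceed byte_threshold within any sliding window.
    The threshold and off-hours range are placeholders; tune them to your own baseline."""
    uploads = defaultdict(list)
    for raw in log_text.strip().splitlines():
        ts, src, method, host, sent = parse_line(raw)
        if method in ("POST", "PUT") and is_cloud_storage(host):
            uploads[src].append((ts, sent))
    flagged = {}
    for src, events in uploads.items():
        events.sort()
        peak, start = 0, 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:  # slide the window forward
                start += 1
            peak = max(peak, sum(b for _, b in events[start:end + 1]))
        if peak > byte_threshold:
            flagged[src] = {"bytes": peak,
                            "off_hours": any(ts.hour in off_hours for ts, _ in events)}
    return flagged

if __name__ == "__main__":
    for src, info in flag_cloud_exfil(SAMPLE_LOG).items():
        print(f"{src}: {info['bytes'] / 2**20:.0f} MiB to cloud storage, off-hours={info['off_hours']}")
```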