Full Report
Government and telecommunications sectors in Southeast Asia have become the target of a "sophisticated" campaign undertaken by a new advanced persistent threat (APT) group called Earth Kurma since June 2024. The attacks, per Trend Micro, have leveraged custom malware, rootkits, and cloud storage services for data exfiltration. The Philippines, Vietnam, Thailand, and Malaysia are among the
Analysis Summary
# Threat Actor: Earth Kurma
## Attribution & Identity
**Identification:** Advanced Persistent Threat (APT) group, described as "sophisticated."
**Aliases/Associations:** Its SIMPOBOXSPY tool and its exfiltration script overlap with those used by the APT group **ToddyCat**. Ladon, which it also uses, has previously been attributed to **TA428 (Vicious Panda)**, a China-linked group. Neither overlap is sufficient on its own, so attribution for Earth Kurma remains inconclusive.
## Activity Summary
The campaign has been active since at least June 2024, with related intrusion activity dating back to November 2020. The actor conducts targeted espionage, credential theft, and persistent data exfiltration. Trend Micro describes the campaign as ongoing and highly active.
## Tactics, Techniques & Procedures
- **Initial Access:** Currently unknown.
- **Execution/Persistence:** Leverages custom loaders (DUNLOADER, TESDAT, DMLOADER) to load next-stage payloads into memory. Deploys kernel-level rootkits (KRNRAT, Moriya). Uses Living-Off-the-Land (LotL) techniques, specifically abusing `syssetup.dll` to install rootkits.
- **Defense Evasion:** Tool hiding and traffic concealment (via KRNRAT). Moriya inspects incoming TCP packets for attacker-supplied payloads and injects the resulting shellcode into `svchost.exe`.
- **Credential Access:** Uses a keylogger referred to as KMLOG to harvest credentials.
- **Discovery/Lateral Movement:** Uses NBTSCAN and ICMPinger for network scanning, Ladon as a scanning and exploitation framework, WMIHACKER for lateral movement over WMI, and FRPC (the fast reverse proxy client) for tunnelling.
- **Exfiltration:** Targets specific document types (.pdf, .doc, .docx, .xls, .xlsx, .ppt, .pptx), archives them using WinRAR with a specific password into a temporary "tmp" folder, and uses bespoke tools (SIMPOBOXSPY, ODRIZ) to upload the archives to cloud storage.
## Targeting
- **Sectors:** Government and Telecommunications.
- **Geography:** Southeast Asia, prominently targeting the Philippines, Vietnam, Thailand, and Malaysia. (Moriya, associated with past espionage campaigns, was observed targeting organizations in Asia and Africa).
- **Victims:** High-profile organizations targeted in past associated espionage campaigns; current specific victims not detailed beyond sector/region.
## Tools & Infrastructure
- **Malware Families:**
* **Rootkits:** KRNRAT (built from several open-source projects; provides process manipulation, file and traffic hiding, and its own C2 channel), Moriya (inspects inbound TCP traffic and injects shellcode into `svchost.exe`).
* **Loaders:** DUNLOADER, TESDAT, DMLOADER.
* **Keylogger:** KMLOG.
* **Exfiltration Tools:** SIMPOBOXSPY (uploads to Dropbox), ODRIZ (uploads to OneDrive).
- **Other Tools:** Cobalt Strike Beacons, Ladon (open-source framework), FRPC, NBTSCAN, WMIHACKER, ICMPinger.
- **Infrastructure:** Cloud storage services, specifically Microsoft OneDrive and Dropbox, used for data exfiltration. The uploaders authenticate with a Dropbox access token or a OneDrive refresh token embedded in or supplied to the tool. KRNRAT additionally maintains its own C2 communication.
## Implications
The use of kernel-level rootkits and LotL techniques suggests a high level of stealth and a focus on maintaining a persistent foothold within victim networks. The reliance on trusted cloud platforms (Dropbox, OneDrive) for exfiltration increases the risk of data loss going undetected by traditional perimeter defenses. The threat is assessed as posing a **high business risk** due to targeted espionage.
## Mitigations
- Scrutinize network activity for anomalous use of trusted cloud storage services (Dropbox/OneDrive) for large data uploads.
- Enhance endpoint detection and response (EDR) coverage for low-level process injection into `svchost.exe` and for the living-off-the-land abuse of `syssetup.dll` to install drivers, which is how the rootkits are loaded.
- Monitor for the deployment and execution of known associated tools (e.g., SIMPOBOXSPY, ODRIZ, Ladon).
- Monitor for keylogging behaviour (KMLOG), rotate credentials on any host where it is found, and require multifactor authentication so that harvested passwords alone do not grant access.
- Harden systems against kernel-level manipulation, focusing on rootkit detection mechanisms.
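The exfiltration chain in the TTP section (documents archived with a password-protected WinRAR run into a `tmp` folder, then pushed to Dropbox or OneDrive) and the first mitigation above can be turned into one correlation rule. The script below is an added example, not code from Trend Micro or from the threat actor: it parses two pipe-delimited feeds (process creation and web proxy) whose field layout, host names and records are constructed here for illustration, flags WinRAR `a` (add) runs that use the `-p`/`-hp` password switch, write under a `tmp` directory and take office or PDF documents as input, flags large POST/PUT requests to the documented Dropbox and Microsoft Graph upload endpoints, and pairs the two on the same host inside a time window. The 5 MB threshold and 10-minute window are assumptions an analyst would tune.

```python
"""Correlate WinRAR document staging with a subsequent large cloud upload.

Added example, not the report's or the actor's code. Log formats, hosts and
records below are constructed; thresholds are assumptions.
"""
import ntpath
import re
import shlex
from datetime import datetime, timedelta

DOC_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx"}
ARCHIVERS = {"rar.exe", "winrar.exe"}

# Documented public upload endpoints of the two services. Resumable OneDrive
# sessions continue on tenant-specific hosts, so treat this list as a start.
CLOUD_UPLOAD_URLS = [
    re.compile(r"^https://content\.dropboxapi\.com/2/files/upload"
               r"(_session/(start|append_v2|finish))?$", re.I),
    re.compile(r"^https://graph\.microsoft\.com/v1\.0/.*/drive/.*"
               r"(:/content|createUploadSession)$", re.I),
]

# Constructed sample feed: ts|host|image|commandline
PROCESS_LOG = r"""
2025-03-03T10:00:12Z|WS01|C:\Program Files\WinRAR\rar.exe|rar.exe a -r -hpP@ssw0rd! C:\Windows\Temp\tmp\docs.rar C:\Users\alice\Documents\*.docx C:\Users\alice\Documents\*.xlsx
2025-03-03T10:01:40Z|WS02|C:\Program Files\WinRAR\rar.exe|rar.exe a -r D:\backup\logs.rar D:\app\logs\*.log
2025-03-03T10:02:05Z|WS03|C:\Windows\System32\notepad.exe|notepad.exe C:\Users\bob\notes.txt
""".strip()

# Constructed sample feed: ts|host|method|url|bytes_sent
PROXY_LOG = r"""
2025-03-03T10:04:30Z|WS01|POST|https://content.dropboxapi.com/2/files/upload_session/append_v2|8388608
2025-03-03T10:05:10Z|WS02|PUT|https://graph.microsoft.com/v1.0/me/drive/root:/notes.txt:/content|20480
2025-03-03T10:06:00Z|WS03|PUT|https://graph.microsoft.com/v1.0/me/drive/root:/q1.docx:/content|12582912
2025-03-03T10:07:00Z|WS01|GET|https://www.dropbox.com/home|512
""".strip()


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def parse_process_log(text):
    out = []
    for line in text.splitlines():
        ts, host, image, cmdline = line.split("|", 3)
        out.append({"ts": _ts(ts), "host": host, "image": image, "cmdline": cmdline})
    return out


def parse_proxy_log(text):
    out = []
    for line in text.splitlines():
        ts, host, method, url, sent = line.split("|", 4)
        out.append({"ts": _ts(ts), "host": host, "method": method.upper(),
                    "url": url, "bytes_sent": int(sent)})
    return out


def is_winrar_staging(image, cmdline):
    """WinRAR 'a' with a -p/-hp password switch, archive under a 'tmp'
    directory, and at least one office/PDF document among the inputs."""
    if ntpath.basename(image).lower() not in ARCHIVERS:
        return False
    args = [a.strip('"') for a in shlex.split(cmdline, posix=False)][1:]
    if not args or args[0].lower() != "a":
        return False
    switches = [a for a in args[1:] if a.startswith("-")]
    operands = [a for a in args[1:] if not a.startswith("-")]
    has_password = any(s.lower().startswith(("-p", "-hp")) for s in switches)
    staged_in_tmp = bool(operands) and re.search(r"(^|[\\/])tmp[\\/]", operands[0], re.I) is not None
    has_documents = any(ntpath.splitext(op)[1].lower() in DOC_EXTENSIONS for op in operands[1:])
    return has_password and staged_in_tmp and has_documents


def find_staging_events(events):
    return [e for e in events if is_winrar_staging(e["image"], e["cmdline"])]


def find_large_cloud_uploads(events, min_bytes=5 * 1024 * 1024):
    return [e for e in events
            if e["method"] in {"POST", "PUT"} and e["bytes_sent"] >= min_bytes
            and any(p.match(e["url"]) for p in CLOUD_UPLOAD_URLS)]


def correlate(staging, uploads, window=timedelta(minutes=10)):
    """Pair each staging event with later large uploads from the same host inside the window."""
    findings = []
    for s in staging:
        for u in uploads:
            if u["host"] == s["host"] and s["ts"] <= u["ts"] <= s["ts"] + window:
                findings.append({"host": s["host"], "staged": s["ts"], "uploaded": u["ts"],
                                 "url": u["url"], "bytes": u["bytes_sent"]})
    return findings


def run():
    staging = find_staging_events(parse_process_log(PROCESS_LOG))
    uploads = find_large_cloud_uploads(parse_proxy_log(PROXY_LOG))
    return correlate(staging, uploads), uploads


if __name__ == "__main__":
    findings, uploads = run()
    for f in findings:
        print(f"[HIGH] {f['host']}: archive staged {f['staged']:%H:%M:%S}, "
              f"{f['bytes']} bytes to {f['url']} at {f['uploaded']:%H:%M:%S}")
    for u in uploads:
        print(f"[INFO] {u['host']}: large cloud upload of {u['bytes_sent']} bytes to {u['url']}")
```

On the sample data only WS01 produces the correlated high-severity finding; WS03's large OneDrive upload is reported on its own as lower-severity context, and WS02's unencrypted backup archive and small upload are ignored. In production the staging rule should also consume the EDR's own file-creation telemetry for `.rar` files under `tmp` paths, since the actor may invoke WinRAR through a loader rather than a visible command line.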