Chinese APT 'Earth Krahang' Compromises 48 Gov't Orgs on 5 Continents

A previously unidentified Chinese espionage group has managed to breach at least 70 organizations across 23 countries, including 48 in the government space, despite using rather standard-fare tactics, techniques, and procedures (TTPs).

"Earth Krahang" doesn't seem to be a high-level military APT. In a new report, researchers from Trend Micro suggested that it may be one wing of iSoon, a private hack-for-hire operation contracted by the Chinese Communist Party (CCP). And fitting such a cybercrime operation, rather than employing ultra-sophisticated malware and stealth tactics, it uses an arsenal of largely open source and well-documented tools, plus one-day vulnerabilities and standard social engineering, to defeat its targets.

Despite this, its list of victims rivals that of the likes of Volt Typhoon, BlackTech, and Mustang Panda.

Having targeted no less than 116 organizations across 35 countries, the group has at least 70 confirmed compromises, including four dozen associated with various world governments. In one case, it managed to breach a wide range of organizations connected to 11 government ministries. Victims have also spanned the education and telecommunications sectors, finance, IT, sports, and more. The highest concentration of victims comes from Asia, but cases cover the Americas (Mexico, Brazil, Paraguay), Europe (Britain, Hungary), and Africa (Egypt, South Africa) as well.

"The use of open source tools to compromise government entities is notable, but not entirely surprising," says Callie Guenther, senior manager of cyber threat research at Critical Start. "Governments often have vast and complex IT infrastructures, which can lead to inconsistencies in security practices and make it difficult to defend against all types of attacks, including those using basic open source tools."

Earth Krahang's Intrusion Tactics

Some successful Chinese APTs distinguish themselves with unique zero-days or complex tactics they pull off better than everyone else.

Earth Krahang is more of a jack-of-all-trades.

Its first move is to scan the Web for public-facing servers of interest, such as those connected to government organizations. To check for vulnerabilities it can leverage, it uses one of any number of open source, off-the-shelf tools, including sqlmap, nuclei, xray, vscan, pocsuite, and wordpressscan. Two bugs in particular on which Earth Krahang likes to prey are CVE-2023-32315 — a command execution bug in the real-time collaboration server Openfire rated 7.5 by CVSS — and CVE-2022-21587 — a critical 9.8-rated command execution issue with the Web Applications Desktop Integrator in Oracle's E-Business Suite.

After it establishes a toehold on a public server, the group uses more open source software to scan for sensitive files, passwords (particularly for email), and other useful resources, like lonely subdomains that might point to further unmaintained servers. It also employs a number of brute force attacks — for example, using a list of common passwords to crack Microsoft Exchange servers via Outlook on the Web.

"While it may seem like open source should be easy to detect," says Jon Clay, vice president of threat intelligence at Trend Micro, "the reality is that there are many TTPs here that have to be found and detected. Also, the use of defense evasion tactics by this adversary can be utilized to ensure the victims are unable to defend."

Earth Krahang's Exploitation and Stealth Tactics

By the end of all this (and much more), the attacker can perform two primary actions: drop backdoors on compromised servers, and hijack email accounts.

The latter is of particular use. "The use of the legitimate systems and email accounts to support their attack is particularly interesting here, because this adversary uses legitimate accounts to fool a victim into thinking they are safe," Clay explains. With a list of high-value contacts and the legitimacy gained by using a bona fide account, the group sends out emails with subject lines that fit the bill — like "Malaysian Ministry of Defense Circular" — malicious URLs or attachments and file names that do the same — e.g. "On the visit of Paraguayan Foreign Minister to Turkmenistan.exe."

Whether via email or a vulnerability in a Web server, Earth Krahang's various targets end up downloading one or multiple backdoors.

In its earliest attacks, circa 2022, the group used "RESHELL," a rather simple custom-made .NET tool for collecting information, dropping files, and executing system commands, with AES-encrypted command-and-control (C2) communication.

In 2023, the group moved to "XDealer," which has further capabilities including keylogging, screenshotting, and stealing from the clipboard. Besides being compatible with both Windows and Linux, XDealer is also notable because some of its loaders contain valid code-signing certificates. Trend Micro speculates that these certificates — one belonging to a legitimate human resources company, and the other to a game development company — were likely stolen to provide an extra layer of cover when downloading the malware to new systems.

Earth Krahang has also made use of ancient threats like PlugX and ShadowPad, and it frequently deploys Cobalt Strike in combination with another open source tool (RedGuard) that prevents cybersecurity analysts from pinning down its C2 infrastructure.

Because the threat actor is relatively straight-shooting, Guenther suggests that "standard best practices are recommended to protect against these TTPs. Organizations should enhance their email security to defend against spear phishing, regularly update and patch their systems to protect against known vulnerabilities, and employ network segmentation to limit the spread of an attacker within their networks. Monitoring for abnormal network traffic and unusual access patterns can also help in early detection of such campaigns."