Earth Krahang
| Actor Type | Commercial Provider |
|---|---|
| Attributed to Nation | China |
| Associated Threat Actor | i-SOON |
Earth Krahang is an intrusion set tracked by researchers at Trend Micro since early 2022. The group has been observed targeting government entities world wide, particularly in Southeast Asia. According to reporting, the group use spear phishing and exploitation of public facing servers to gain access to target networks.
The group show some connections to Earth Krahang but are thought to be a separate team, both potentially operating under the Chinese offensive cyber security company I-Soon.
Cyber Threat Graph Context
Explore how this Intrusion Set relates to the wider threat graph
Earth Krahang Threat Reports
MITRE ATT&CK Techniques
MITRE ATT&CK techniques observed in use by this intrusion set.
| ATT&CK ID | Title | Associated Tactics |
|---|---|---|
| T1595.003 | Wordlist Scanning | Reconnaissance |
| T1020 | Automated Exfiltration | Exfiltration |
| T1566.002 | Spearphishing Link | Initial Access |
| T1057 | Process Discovery | Discovery |
| T1087.002 | Domain Account | Discovery |
| T1036.007 | Double File Extension | Defense Evasion |
| T1583.001 | Domains | Resource Development |
| T1059.006 | Python | Execution |
| T1210 | Exploitation of Remote Services | Lateral Movement |
| T1003.001 | LSASS Memory | Credential Access |
| T1574.002 | DLL Side-Loading | Defense Evasion, Persistence, Privilege Escalation |
| T1110.003 | Password Spraying | Credential Access |
| T1059.001 | PowerShell | Execution |
| T1543.003 | Windows Service | Persistence, Privilege Escalation |
| T1059.003 | Windows Command Shell | Execution |
| T1586.002 | Email Accounts | Resource Development |
| T1584.004 | Server | Resource Development |
| T1112 | Modify Registry | Defense Evasion |
| T1078 | Valid Accounts | Defense Evasion, Initial Access, Persistence, Privilege Escalation |
| T1608.005 | Link Target | Resource Development |
| T1078.003 | Local Accounts | Defense Evasion, Initial Access, Persistence, Privilege Escalation |
| T1036.005 | Match Legitimate Name or Location | Defense Evasion |
| T1053.005 | Scheduled Task | Execution, Persistence, Privilege Escalation |
| T1003.002 | Security Account Manager | Credential Access |
| T1588.001 | Malware | Resource Development |
| T1033 | System Owner/User Discovery | Discovery |
| T1595.002 | Vulnerability Scanning | Reconnaissance |
| T1588.003 | Code Signing Certificates | Resource Development |
| T1592 | Gather Victim Host Information | Reconnaissance |
| T1505.003 | Web Shell | Persistence |
| T1087.001 | Local Account | Discovery |
| T1021.006 | Windows Remote Management | Lateral Movement |
| T1047 | Windows Management Instrumentation | Execution |
| T1539 | Steal Web Session Cookie | Credential Access |
| T1133 | External Remote Services | Initial Access, Persistence |
| T1140 | Deobfuscate/Decode Files or Information | Defense Evasion |
| T1608.001 | Upload Malware | Resource Development |
| T1608.002 | Upload Tool | Resource Development |
| T1569.002 | Service Execution | Execution |
| T1583.003 | Virtual Private Server | Resource Development |
| T1595.001 | Scanning IP Blocks | Reconnaissance |
| T1203 | Exploitation for Client Execution | Execution |
| T1204.002 | Malicious File | Execution |
| T1068 | Exploitation for Privilege Escalation | Privilege Escalation |
| T1114 | Email Collection | Collection |
| T1071.001 | Web Protocols | Command and Control |
| T1069.002 | Domain Groups | Discovery |
| T1534 | Internal Spearphishing | Lateral Movement |
| T1199 | Trusted Relationship | Initial Access |
| T1656 | Impersonation | Defense Evasion |