Cyber Threat Report: 'Earth Krahang Exploits Intergovernmental Trust to Launch Cross-Government Attacks'

Report Author: Trend Micro
Publication Date: 2024-03-18
Original Reporting Source:
Attributed to Nation: China
Related Intrusion Sets: Earth Krahang, Earth Lusca
Related Threat Actors: i-SOON
Identified CVEs: CVE-2016-5195, CVE-2022-21587, CVE-2021-4034, CVE-2021-22555, CVE-2023-32315
Victim Sectors: Healthcare, Defense, Retail, Education, Financial Services, Non-Profit, National Government, Technology, Manufacturing

This article by researchers at Trend Micro discusses an Advanced Persistent Threat (APT) group they name Earth Krahang, which has been observed targeting government entities globally, with a focus on Southeast Asia. According to the report, Earth Krahang uses spear-phishing, vulnerability scanning, and custom backdoors such as RESHELL and XDealer to achieve its cyberespionage objectives. The group has been observed using the compromised infrastructure of one government entity to launch attacks against other government entities, exploiting the trust between them to bypass security measures. According to the report, '48 government organizations were compromised, with a further 49 other government entities being targeted'. The researchers identify potential links to Earth Lusca (while treating them as two distinct intrusion sets) and to the Chinese company I-Soon.

Identified MITRE ATT&CK Techniques

| ATT&CK ID | Title | Associated Tactics |
|---|---|---|
| T1595.003 | Wordlist Scanning | Reconnaissance |
| T1020 | Automated Exfiltration | Exfiltration |
| T1566.002 | Spearphishing Link | Initial Access |
| T1057 | Process Discovery | Discovery |
| T1087.002 | Domain Account | Discovery |
| T1036.007 | Double File Extension | Defense Evasion |
| T1583.001 | Domains | Resource Development |
| T1059.006 | Python | Execution |
| T1210 | Exploitation of Remote Services | Lateral Movement |
| T1003.001 | LSASS Memory | Credential Access |
| T1574.002 | DLL Side-Loading | Defense Evasion, Persistence, Privilege Escalation |
| T1110.003 | Password Spraying | Credential Access |
| T1059.001 | PowerShell | Execution |
| T1543.003 | Windows Service | Persistence, Privilege Escalation |
| T1059.003 | Windows Command Shell | Execution |
| T1586.002 | Email Accounts | Resource Development |
| T1584.004 | Server | Resource Development |
| T1112 | Modify Registry | Defense Evasion |
| T1078 | Valid Accounts | Defense Evasion, Initial Access, Persistence, Privilege Escalation |
| T1608.005 | Link Target | Resource Development |
| T1078.003 | Local Accounts | Defense Evasion, Initial Access, Persistence, Privilege Escalation |
| T1036.005 | Match Legitimate Name or Location | Defense Evasion |
| T1053.005 | Scheduled Task | Execution, Persistence, Privilege Escalation |
| T1003.002 | Security Account Manager | Credential Access |
| T1588.001 | Malware | Resource Development |
| T1033 | System Owner/User Discovery | Discovery |
| T1595.002 | Vulnerability Scanning | Reconnaissance |
| T1588.003 | Code Signing Certificates | Resource Development |
| T1592 | Gather Victim Host Information | Reconnaissance |
| T1505.003 | Web Shell | Persistence |
| T1087.001 | Local Account | Discovery |
| T1021.006 | Windows Remote Management | Lateral Movement |
| T1047 | Windows Management Instrumentation | Execution |
| T1539 | Steal Web Session Cookie | Credential Access |
| T1133 | External Remote Services | Initial Access, Persistence |
| T1140 | Deobfuscate/Decode Files or Information | Defense Evasion |
| T1608.001 | Upload Malware | Resource Development |
| T1608.002 | Upload Tool | Resource Development |
| T1569.002 | Service Execution | Execution |
| T1583.003 | Virtual Private Server | Resource Development |
| T1595.001 | Scanning IP Blocks | Reconnaissance |
| T1203 | Exploitation for Client Execution | Execution |
| T1204.002 | Malicious File | Execution |
| T1068 | Exploitation for Privilege Escalation | Privilege Escalation |
| T1114 | Email Collection | Collection |
| T1071.001 | Web Protocols | Command and Control |
| T1069.002 | Domain Groups | Discovery |
| T1534 | Internal Spearphishing | Lateral Movement |
| T1199 | Trusted Relationship | Initial Access |
| T1656 | Impersonation | Defense Evasion |
| T1573 | Encrypted Channel | Command and Control |
| T1007 | System Service Discovery | Discovery |
| T1572 | Protocol Tunneling | Command and Control |
| T1190 | Exploit Public-Facing Application | Initial Access |
| T1590 | Gather Victim Network Information | Reconnaissance |
| T1566.001 | Spearphishing Attachment | Initial Access |
| T1119 | Automated Collection | Collection |
| T1105 | Ingress Tool Transfer | Command and Control |