A new study details the increasingly sophisticated nature of the malware toolsets used by Advanced Persistent Threat (APT) groups. Earth Ogiski.
“Over the past decade, this group has been coordinating the deployment of tools and malware against specific targets in Taiwan and more recently in Japan,” Trend Micro said. disclosed In last week’s tech profile.
Earth Aughisky, also known as Taidoor, is a cyber espionage group known for its ability to exploit legitimate accounts, software, applications, and other weaknesses in network design and infrastructure for its own ends.
Chinese threat actors are known to primarily target Taiwanese organizations, but victim patterns observed in late 2017 point to an expansion into Japan.
The most commonly targeted industries include government, telecommunications, manufacturing, heavy industry, technology, transportation, and healthcare.
Attack chains launched by this group typically utilize spear phishing as an intrusion vector, which is used to deploy the next stage backdoor. The main one of its tools is a remote access Trojan called . tie doll (aka Rhodan).
The group has also been associated with various malware families such as GrubbyRAT, K4RAT, LuckDLL, Serkdes, Taikite, and Taleret as part of their attempts to consistently update their arsenal to evade security software. .
Some of the other notable backdoors used by Earth Aughisky in the past are:-
- SiyBot (C2), a basic backdoor that uses public services such as Gubb and 30 Boxes for command and control
- TWTRAT abuses Twitter’s direct messaging feature for C2
- DropNetClient (aka Buxzop) using the Dropbox API for C2
Trend Micro’s attribution of malware strains to actors was based on similarities in source code, domains, and naming conventions, and analysis also revealed functional overlap between them.
The cybersecurity firm also linked Earth Aughisky’s activities to another APT actor codenamed by Airbus. pity tiger (alias APT24) based on the same dropper used in various attacks between April and August 2014.
2017, when the group set its sights on Japan and Southeast Asia, was also an inflection point as the volume of attacks dropped significantly since then.
Threat actors have a long lifespan, but recent changes in targeting and activity may suggest a shift in strategic goals, or the group is aggressively refining its malware and infrastructure.
“Groups like Earth Aughisky have sufficient resources at their disposal to flex their arsenal to conduct long-term cyber espionage,” said Trend Micro researcher CH Lei.
“Organizations should consider the downtime observed by this group’s attacks as a period of preparation and vigilance for when it becomes active again.”