A new study details the increasingly sophisticated nature of the malware toolset used by the advanced persistent threat (APT) group Earth Aughisky.

“Over the past decade, this group has been coordinating the deployment of tools and malware against specific targets in Taiwan and more recently in Japan,” Trend Micro disclosed in last week’s tech profile.

Earth Aughisky, also known as Taidoor, is a cyber espionage group known for its ability to exploit legitimate accounts, software, applications, and other weaknesses in network design and infrastructure for its own ends.

The Chinese threat actor is known to primarily target Taiwanese organizations, but victim patterns observed in late 2017 point to an expansion into Japan.


The most commonly targeted industries include government, telecommunications, manufacturing, heavy industry, technology, transportation, and healthcare.

Attack chains launched by this group typically use spear phishing as an intrusion vector, which is then used to deploy a next-stage backdoor. Chief among its tools is a remote access trojan called Taidoor (aka Roudan).

The group has also been associated with various malware families such as GrubbyRAT, K4RAT, LuckDLL, Serkdes, Taikite, and Taleret as part of its attempts to consistently update its arsenal to evade security software.


Some of the other notable backdoors used by Earth Aughisky in the past are:

  • SiyBot, a basic backdoor that uses public services such as Gubb and 30 Boxes for command and control (C2)
  • TWTRAT, which abuses Twitter’s direct messaging feature for C2
  • DropNetClient (aka Buxzop), which uses the Dropbox API for C2

Trend Micro’s attribution of the malware strains to the threat actor was based on similarities in source code, domains, and naming conventions, and the analysis also revealed functional overlap between them.


The cybersecurity firm also linked Earth Aughisky’s activities to another APT actor, codenamed Pitty Tiger by Airbus (aka APT24), based on the same dropper being used in various attacks between April and August 2014.

The year 2017, when the group set its sights on Japan and Southeast Asia, was also an inflection point: the volume of attacks has dropped significantly since then.

The threat actor has a long lifespan, but recent changes in targeting and activity may suggest a shift in strategic goals, or that the group is aggressively refining its malware and infrastructure.

“Groups like Earth Aughisky have sufficient resources at their disposal to flex their arsenal to conduct long-term cyber espionage,” said Trend Micro researcher CH Lei.

“Organizations should consider the downtime observed by this group’s attacks as a period of preparation and vigilance for when it becomes active again.”


