Earth Baku, a threat actor linked to APT41, has extended its operations beyond the Indo-Pacific into Europe, the Middle East and Africa. Confirmed targets include Italy, Germany, the UAE and Qatar, with suspected activity in Georgia and Romania.

For initial access the group exploits public-facing applications, notably IIS servers, and plants the Godzilla webshell. From there it deploys two customised loaders, StealthVector and StealthReacher, which use AES encryption and code obfuscation to launch the backdoor component without tripping file-based detection. The newest backdoor, SneakCross, is modular (so components can be updated independently) and uses Google services for command-and-control traffic, which lets it blend in with legitimate outbound connections.

In the post-exploitation phase the group maintains access and moves laterally with tunnelling tools: a customised build of iox, Rakshasa and Tailscale. Data is exfiltrated with MEGAcmd, the command-line client for MEGA cloud storage. The wider targeting and the shift to living-off-trusted-services tooling make Earth Baku harder to detect at the network edge and a growing threat to organisations outside its traditional regions.
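Two hunts follow from the summary above: webshell-style traffic on the IIS servers used for entry, and the post-exploitation tools (iox, Rakshasa, Tailscale, MEGAcmd) running on a host. The Python below is an added example for this page, not code from the original report or from any vendor. The IIS log excerpt and the process-creation events are constructed, the thresholds are illustrative, and the executable names on the watchlist are assumed (check them against your own telemetry).

```python
"""Hunting helpers for the Earth Baku TTPs summarised above. Added example;
the log lines, thresholds and image-name watchlist are assumptions."""
import re
from collections import defaultdict

# Constructed IIS W3C log excerpt (illustrative, not captured data).
IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status
2024-08-01 09:58:11 10.0.0.5 GET /index.aspx - 443 203.0.113.10 Mozilla/5.0 200
2024-08-01 09:58:15 10.0.0.5 GET /api/status.ashx - 443 203.0.113.10 Mozilla/5.0 200
2024-08-01 10:00:01 10.0.0.5 POST /uploads/cache.aspx - 443 198.51.100.7 Mozilla/5.0 200
2024-08-01 10:00:02 10.0.0.5 POST /uploads/cache.aspx - 443 198.51.100.7 Mozilla/5.0 200
2024-08-01 10:00:04 10.0.0.5 POST /uploads/cache.aspx - 443 198.51.100.7 Mozilla/5.0 200
2024-08-01 10:00:09 10.0.0.5 POST /uploads/cache.aspx - 443 198.51.100.7 Mozilla/5.0 200
2024-08-01 10:01:00 10.0.0.5 POST /login.aspx - 443 203.0.113.10 Mozilla/5.0 302
2024-08-01 10:01:05 10.0.0.5 GET /login.aspx - 443 203.0.113.10 Mozilla/5.0 200
"""

SCRIPT_EXT = re.compile(r"\.(aspx|ashx|asmx|asp)$", re.IGNORECASE)


def parse_w3c(text):
    """Yield one dict per log entry, taking column names from the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if fields and len(parts) == len(fields):
            yield dict(zip(fields, parts))


def find_webshell_candidates(text, min_posts=3, max_clients=2):
    """Script paths that receive repeated POSTs from very few clients and are
    never fetched with GET. Assumption: a dropped webshell is driven by an
    operator's client, not browsed like a normal page, so it shows POST-only
    traffic from one or two source addresses."""
    posts = defaultdict(int)
    gets = defaultdict(int)
    clients = defaultdict(set)
    for e in parse_w3c(text):
        path = e["cs-uri-stem"]
        if not SCRIPT_EXT.search(path):
            continue
        if e["cs-method"] == "POST":
            posts[path] += 1
            clients[path].add(e["c-ip"])
        elif e["cs-method"] == "GET":
            gets[path] += 1
    return sorted(
        p for p in posts
        if posts[p] >= min_posts and gets[p] == 0 and len(clients[p]) <= max_clients
    )


# Image names for the post-exploitation tools the summary lists. These file
# names are assumed for the example; operators rename binaries, so treat the
# list as a starting point rather than a signature.
TOOL_WATCHLIST = {
    "megacmd.exe", "megacmdserver.exe", "megaclient.exe",
    "tailscale.exe", "tailscaled.exe",
    "iox.exe", "rakshasa.exe",
}

# Constructed process-creation events as (image path, parent image path).
PROC_EVENTS = [
    (r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\services.exe"),
    (r"C:\Windows\Temp\iox.exe", r"C:\Windows\System32\inetsrv\w3wp.exe"),
    (r"C:\Users\Public\MEGAcmd\MEGAcmd.exe", r"C:\Windows\System32\cmd.exe"),
    (r"C:\Program Files\Tailscale\tailscaled.exe", r"C:\Windows\System32\services.exe"),
]


def find_tool_processes(events):
    """Return (image, parent, spawned_by_iis) for events whose image basename is
    on the watchlist. A child of w3wp.exe, the IIS worker process, is the
    strongest signal: that is where a webshell-launched tool would come from."""
    hits = []
    for image, parent in events:
        name = image.rsplit("\\", 1)[-1].lower()
        if name in TOOL_WATCHLIST:
            spawned_by_iis = parent.lower().endswith("\\w3wp.exe")
            hits.append((image, parent, spawned_by_iis))
    return hits


if __name__ == "__main__":
    print("webshell candidates:", find_webshell_candidates(IIS_LOG))
    for image, parent, from_iis in find_tool_processes(PROC_EVENTS):
        print(f"{'!! ' if from_iis else '   '}{image}  <- {parent}")
```

Point the two functions at real data by reading your IIS `u_ex*.log` files into `find_webshell_candidates` and feeding Sysmon Event ID 1 (or EDR process-creation) records into `find_tool_processes`. Legitimate Tailscale or MEGAcmd installs will hit the watchlist; the parent-process flag and the web-server origin of the POST traffic are what separate a compromise from an admin's own tooling.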
Type: Campaign
Actors:
Pub. date: August 9, 2024
Initial access: Software misconfig
Impact: Data exfiltration
Observed techniques:
Targeted technologies:
Status: Finalized
Last edited: Aug 14, 2024 9:03 AM