Type
Campaign
Actors
Earth Kasha
Pub. date
November 19, 2024
Initial access
1-day vulnerability
Impact
Data exfiltration
Observed techniques
Vulnerability exploitationDLL Side-LoadingPhishingCredential theft
Observed tools
LODEINFOCobalt StrikeNOOPDOORMirrorStealer
Targeted technologies
FortiOSProself
References
https://www.trendmicro.com/en_us/research/24/k/lodeinfo-campaign-of-earth-kasha.html
Status
Finalized
Last edited
Nov 19, 2024 3:52 PM
Researchers discovered a new campaign by Earth Kasha, a threat group targeting Japan, Taiwan, and India since 2019, with connections to the broader APT10 umbrella. This recent campaign, beginning in 2023, employs updated TTPs, including exploiting vulnerabilities like CVE-2023-27997 (FortiOS/FortiProxy) for initial access. Earth Kasha uses a combination of malware, such as LODEINFO, NOOPDOOR, and MirrorStealer, to achieve persistence, steal credentials, and exfiltrate sensitive data. The group’s activities demonstrate overlaps with campaigns by other China-linked actors like Earth Tengshe and Volt Typhoon, suggesting potential 0-day sharing or third-party access brokers.