Campaigns
Earth Baku 2.0: Revealing the Advanced Tactics Behind the APT Group’s Next-Gen Cyberespionage Campaign

Earth Baku 2.0: Revealing the Advanced Tactics Behind the APT Group’s Next-Gen Cyberespionage Campaign

Earth BakuPublic-Facing ApplicationsStealthVectorStealthReacherIIS servers
Earth Baku, an APT group linked to APT41, has expanded its operations beyond the Indo-Pacific to target Europe, the Middle East, and Africa, including countries like Italy, Germany, UAE, and Qatar. The group's recent tactics involve exploiting public-facing applications, particularly IIS servers, to gain initial entry for cyber attacks. Their sophisticated and persistent methods pose a significant challenge to global cybersecurity, highlighting the need for robust defensive measures.

Indicators of Compromise

parça.cdn78544.ru
www.mircoupdate.https443.net
www.sitennews.com
www.cdn7854.workers.dev

Campaign Guidance

Remediation, mitigation, notes, history and related intelligence

REMEDIATION


Application Layer Protocol: Web Protocols


ID

Data Source

Data Component

Detects

DS0029

Network Traffic

Network Traffic Content

Monitor and analyze traffic patterns and packet inspection associated to protocol(s), leveraging SSL/TLS inspection for encrypted traffic, that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).



Network Traffic Flow

Monitor for web traffic to/from known-bad or suspicious domains and analyze traffic flows that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, or gratuitous or anomalous traffic patterns). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).


Account Discovery


ID

Data Source

Data Component

Detects

DS0017

Command

Command Execution

Monitor logs and other sources of command execution history for actions that could be taken to gather information about accounts, including the use of calls to cloud APIs that perform account discovery.

System and network discovery techniques normally occur throughout an operation as an adversary learns the environment, and also to an extent in normal network operations. Therefore discovery data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.

DS0022

File

File Access

Monitor access to file resources that contain local accounts and groups information such as /etc/passwd, /Users directories, and the SAM database.

If access requires high privileges, look for non-admin objects (such as users or processes) attempting to access restricted file resources.

DS0009

Process

Process Creation

Monitor for processes that can be used to enumerate user accounts and groups such as net.exe and net1.exe, especially when executed in quick succession.[9] Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.

Reports & References2

Observed Countries6

AE (496)
DE (279)
GE (664)
IT (314)
QA (304)
RO (438)