Earth Baku 2.0: Revealing the Advanced Tactics Behind the APT Group’s Next-Gen Cyberespionage Campaign
Tags: Earth Baku, Public-Facing Applications, StealthVector, StealthReacher, IIS servers

Earth Baku, an APT group linked to APT41, has expanded its operations beyond the Indo-Pacific to target Europe, the Middle East, and Africa, including countries like Italy, Germany, UAE, and Qatar. The group's recent tactics involve exploiting public-facing applications, particularly IIS servers, to gain initial entry for cyber attacks. Their sophisticated and persistent methods pose a significant challenge to global cybersecurity, highlighting the need for robust defensive measures.

Domains Source Last Update
parça.cdn78544.ru SOCRadar 2024-08-28
www.mircoupdate.https443.net SOCRadar 2024-08-28
www.sitennews.com SOCRadar 2024-08-28
www.cdn7854.workers.dev SOCRadar 2024-08-28
Hashes (mixed MD5, SHA-1 and SHA-256 digests) Source Last Update
7463700ec5768d4af6549028465f978059611555aa8e22e2b7c664b1cdbfa9ae SOCRadar 2024-08-28
d72f202c1d684c9a19f075290a60920f SOCRadar 2024-08-28
cdcbd9c25e06ac6da5497fa19459d0007449ec1a3e6bc591334db6fb3598aecb SOCRadar 2024-08-28
8d8161a7fcd835781820e4921039525975f9324d SOCRadar 2024-08-28
5b46b63e31f307757cedf305005ce9990a07cbf4 SOCRadar 2024-08-28
28072e4a3bc3376aba096045824f4c34 SOCRadar 2024-08-28
4141c4b827ff67c180096ff5f2cc1474 SOCRadar 2024-08-28
bcac2cbda36019776d7861f12d9b59c4 SOCRadar 2024-08-28
ec10a9396dca694fe64366e0dab82d046cf92457f97efd50a68ceb85adef6b74 SOCRadar 2024-08-28
66fb63e6e49c2c201a0b6204e1d0269812a4b662 SOCRadar 2024-08-28
72070b165d1f11bd4d009a81bf28a3e5 SOCRadar 2024-08-28
144550355b3dfb67a0ef65dc7f69470b4faf4ca1 SOCRadar 2024-08-28
8405d742405d3a6d3bda6bc49630dd5f3604a3d6ae27cbd533e425f8abbaafdc SOCRadar 2024-08-28
073b35ecbd1833575fbfb1307654fc532fd938482e09426cfb0541ad87a04f75 SOCRadar 2024-08-28
73eaba82ef1c502448e533007e92b1afa879b09f85f28b71648668ea62839ff5 SOCRadar 2024-08-28
e5f1360d4c299bb32e33e081115f2b520251a983af2ebc649b4b9b70308246fe SOCRadar 2024-08-28
d3fdf103e8585192452bb43e902f009c7bc066a3 SOCRadar 2024-08-28
e9625ce47b87085b66e0ee6e17ecb333 SOCRadar 2024-08-28
3872c38625ca62de3bcbe29740c1a0b8921fcf48 SOCRadar 2024-08-28
2fce25afb8a29fcd526f61ba30f14dcc7ecfad3e SOCRadar 2024-08-28
f062183da590aba5e911d2392bc29181 SOCRadar 2024-08-28
7e63c6b9ab3b32beffbc1eb23d6ca7cc59616b0722f0dd4f0d893c0a1724f5d7 SOCRadar 2024-08-28
54a0dd2003a6dfc5fd035ba3aabb9fd96b5bd09e SOCRadar 2024-08-28
c33247bc3e7e8cb72133e47930e6ddad SOCRadar 2024-08-28
ab56501167fe689fe55f6e6ddc3bb91952299bd5c3ef004b02bf1c3b4061c7cf SOCRadar 2024-08-28
21fc0f50d545c0a373380934dc61c423c8a31d8c3e6eae4f8a35149ad9962d88 SOCRadar 2024-08-28
e4360c0aa995e6e896b22bb7725a6c9b189be8606e7cbbc8b6e80c606358649d SOCRadar 2024-08-28
ee7faba27a2c5f7acb5b06e94aa318e0 SOCRadar 2024-08-28
7f24bc080281d250ec88493e5803e488721a17c9382cd54ba8dfbcb785f23a88 SOCRadar 2024-08-28
c6a3a1ea84251aed908702a1f2a565496d583239c5f467f5dcd0cfc5bfb1a6db SOCRadar 2024-08-28
a50f85c71b69563ba42bf04c937e1063244ca4957231d3adac76f1c96ab42d3c SOCRadar 2024-08-28
f0953ed4a679b987a2da955788737602 SOCRadar 2024-08-28
ec5a96f42aeccdf9a3ae4c3650689606c8539fd65c0b47f30887afecb901be43 SOCRadar 2024-08-28
a555bb5b6b0e9edf49c4f6bfc8638f155dc1986a SOCRadar 2024-08-28
2cc76a0434a1d489c1547c7021a3dd68499141c3 SOCRadar 2024-08-28
22a50cea6ad67a7e8582d2cd4cdc3eaaf57c0fbe8cd062a9b15710166e255a86 SOCRadar 2024-08-28
166b6dcdac31f4bf51e4b20a7c3f7d4f7017ca0c30fa123d5591e25c3fa66107 SOCRadar 2024-08-28
13c1c6752006667697cd4f72a2f1b8616af2b60e SOCRadar 2024-08-28
07aa971f0791b06dd442d4c7a49c1d3d27a1cbb16602f731e870b5ef50edf69e SOCRadar 2024-08-28
c02accc26a389397fb172f83258baa8a974986ffd706ba708a3b0a679f61be56 SOCRadar 2024-08-28
ba6d77f358b4fa00dda5d0e2fdd21c761d154f95 SOCRadar 2024-08-28
7586e58a569c2a07d0b3a710616f48833a040bf3fc57628bbdec7fcb462d565a SOCRadar 2024-08-28
bc85062de0f70afd44bb072b0b71a8cc SOCRadar 2024-08-28
83de8917bf0ac1d670acf27431015215db872b7291979312dd65e30d99806abb SOCRadar 2024-08-28
1c88150ec85a07c3db5f18c5eedcb0b653467b897af01d690ed996e5e07ba8e3 SOCRadar 2024-08-28
f42867e74bbc41767bffacc0de7bfa5e SOCRadar 2024-08-28
0faddbe1713455e3fc9777ec45adf07b28e24f4c3ddca37586c2aa6b539898c0 SOCRadar 2024-08-28
3e52c310c6556367ff9e18448bc41719e603d1cbbdafdcba736c6565529617b6 SOCRadar 2024-08-28
IPv4 addresses Source Last Update
212.87.212.115 SOCRadar 2024-08-28
78.108.216.20 SOCRadar 2024-08-28
5.182.207.28 SOCRadar 2024-08-28

MITIGATION

Application Layer Protocol: Web Protocols

M1031 Network Intrusion Prevention
Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures only help where the sensor can see the payload; for HTTPS-based web shell and C2 traffic such as Godzilla, this requires TLS inspection at the proxy or IDS, otherwise only the destination (domain, IP, certificate) is available for matching.


Account Discovery

M1028 Operating System Configuration
Prevent administrator accounts from being enumerated when an application is elevating through UAC, since the elevation prompt otherwise discloses account names. The setting is the registry value HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI\EnumerateAdministrators (0 disables enumeration). It can also be disabled through Group Policy: Computer Configuration > [Policies] > Administrative Templates > Windows Components > Credential User Interface > Enumerate administrator accounts on elevation, set to Disabled. [8]

M1018 User Account Management
Manage the creation, modification, use, and permissions associated with user accounts.




Valid Accounts

M1036 Account Use Policies
Use conditional access policies to block logins from non-compliant devices or from outside defined organization IP ranges.[71]

M1015 Active Directory Configuration
Disable legacy authentication, which does not support MFA, and require the use of modern authentication protocols instead.

M1013 Application Developer Guidance
Ensure that applications do not store sensitive data or credentials insecurely (e.g. plaintext credentials in code, published credentials in repositories, or credentials in public cloud storage).

M1027 Password Policies
Default usernames and passwords on applications and appliances should be changed immediately after installation and before deployment to a production environment.[72] Where applications use SSH keys, rotate the keys periodically and protect them properly.

Policies should minimize (if not eliminate) reuse of passwords between different user accounts, especially employees using the same credentials for personal accounts that are not defended by enterprise security resources.

M1026 Privileged Account Management
Audit domain and local accounts, as well as their permission levels, routinely to look for situations that could allow an adversary to gain wide access by obtaining the credentials of a privileged account. [3] [73] These audits should also check whether default accounts have been enabled and whether new, unauthorized local accounts have been created. Follow best practices for the design and administration of an enterprise network to limit privileged account use across administrative tiers. [74]

M1018 User Account Management
Regularly audit user accounts for activity and deactivate or remove any that are no longer needed.

M1017 User Training
Applications may send push notifications to verify a login as a form of multi-factor authentication (MFA). Train users to accept only push notifications for logins they initiated themselves and to report unexpected ones.



DETECTION

Application Layer Protocol: Web Protocols

DS0029 Network Traffic / Network Traffic Content
Monitor and analyze traffic patterns and packet contents for the protocol(s) in use, using SSL/TLS inspection for encrypted traffic, and look for traffic that does not follow the expected protocol standards and flows (e.g. extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax or structure). Correlate with process monitoring and command-line logging to detect anomalous process execution and command-line arguments associated with the traffic (e.g. binaries that do not normally initiate connections for the respective protocol).

DS0029 Network Traffic / Network Traffic Flow
Monitor for web traffic to or from known-bad or suspicious domains, including the domains and IP addresses listed in the IOC tables above, and analyze traffic flows that do not follow the expected protocol standards and flows (e.g. extraneous packets that do not belong to established flows, or gratuitous or anomalous traffic patterns). Correlate with process monitoring and command-line logging to detect anomalous process execution and command-line arguments associated with the traffic (e.g. binaries that do not normally initiate connections for the respective protocol).
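The IOC tables above mix MD5, SHA-1 and SHA-256 digests in a single column, and the detection guidance here calls for matching traffic against known-bad domains and addresses. The following is an added example, not code from SOCRadar or from the Trend Micro reports: it sorts the listed hashes by digest type so each EDR hash column is compared only against indicators of the same type, treats subdomains of a listed domain as hits, and runs constructed DNS, connection and file-hash events against a subset of the campaign's domains, IPs and hashes. The event kinds (`dns`, `conn`, `file_sha256`, `file_md5`) and the sample events are assumptions for illustration; extend the indicator sets with the remaining rows of the tables before use.

```python
"""Added example (not SOCRadar's or Trend Micro's code): sort the campaign's
mixed-length hash indicators by digest type and match constructed sample
events against the listed domains, IP addresses and hashes."""
import re
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Subset of the indicators listed on this page; add the remaining rows the same way.
IOC_DOMAINS: Set[str] = {
    "www.mircoupdate.https443.net",
    "www.sitennews.com",
    "www.cdn7854.workers.dev",
}
IOC_IPS: Set[str] = {"212.87.212.115", "78.108.216.20", "5.182.207.28"}
IOC_HASHES: Set[str] = {
    "7463700ec5768d4af6549028465f978059611555aa8e22e2b7c664b1cdbfa9ae",  # SHA-256
    "d72f202c1d684c9a19f075290a60920f",                                  # MD5
    "8d8161a7fcd835781820e4921039525975f9324d",                          # SHA-1
}

HASH_TYPES = {32: "md5", 40: "sha1", 64: "sha256"}
HEX_RE = re.compile(r"^[0-9a-f]+$")


def classify_hash(digest: str) -> Optional[str]:
    """Return 'md5', 'sha1' or 'sha256' from the hex length, None otherwise."""
    digest = digest.strip().lower()
    if not HEX_RE.match(digest):
        return None
    return HASH_TYPES.get(len(digest))


def index_hashes(hashes: Iterable[str]) -> Dict[str, Set[str]]:
    """Group a mixed hash list by digest type so each EDR column (md5, sha1,
    sha256) is compared only against indicators of the same type."""
    by_type: Dict[str, Set[str]] = {"md5": set(), "sha1": set(), "sha256": set()}
    for h in hashes:
        kind = classify_hash(h)
        if kind:
            by_type[kind].add(h.strip().lower())
    return by_type


def domain_matches(name: str, iocs: Set[str]) -> bool:
    """Exact match or subdomain of a listed domain (x.a.b matches a.b)."""
    labels = name.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in iocs for i in range(len(labels)))


# Constructed sample events (kind, value); in practice these come from DNS or
# proxy logs and EDR file events. The kind names are assumptions for illustration.
SAMPLE_EVENTS: List[Tuple[str, str]] = [
    ("dns", "www.sitennews.com"),
    ("dns", "cdn.example.com"),  # benign
    ("conn", "5.182.207.28"),
    ("conn", "10.0.0.5"),  # benign
    ("file_sha256", "7463700EC5768D4AF6549028465F978059611555AA8E22E2B7C664B1CDBFA9AE"),
    ("file_md5", "00000000000000000000000000000000"),  # benign
]


def match_events(events, domains=IOC_DOMAINS, ips=IOC_IPS, hashes=IOC_HASHES):
    """Return the (kind, normalized value) pairs that hit an indicator."""
    by_type = index_hashes(hashes)
    hits = []
    for kind, value in events:
        if kind == "dns" and domain_matches(value, domains):
            hits.append((kind, value.lower()))
        elif kind == "conn" and value in ips:
            hits.append((kind, value))
        elif kind.startswith("file_"):
            digest_type = kind.split("_", 1)[1]  # file_md5 -> md5
            if value.lower() in by_type.get(digest_type, set()):
                hits.append((kind, value.lower()))
    return hits


if __name__ == "__main__":
    for hit in match_events(SAMPLE_EVENTS):
        print("IOC hit:", hit)
```

Hashes are normalized to lowercase on both sides because EDR exports and vendor feeds disagree on case; the subdomain rule means a lookup of `update.www.sitennews.com` still fires, while `sitennews.com.example.org` does not.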



Account Discovery

DS0017 Command / Command Execution
Monitor logs and other sources of command execution history for actions that could be taken to gather information about accounts, including calls to cloud APIs that perform account discovery.

System and network discovery techniques normally occur throughout an operation as an adversary learns the environment, and also to an extent in normal network operations. Discovery data and events should therefore not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.

DS0022 File / File Access
Monitor access to file resources that contain local account and group information, such as /etc/passwd, /Users directories, and the SAM database.

If access requires high privileges, look for non-admin objects (such as users or processes) attempting to access restricted file resources.

DS0009 Process / Process Creation
Monitor for processes that can be used to enumerate user accounts and groups, such as net.exe and net1.exe, especially when executed in quick succession.[9] Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell. On IIS servers, give particular weight to such processes whose parent is the IIS worker process w3wp.exe, since that is how commands issued through a web shell like Godzilla appear in process telemetry.
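An added example, not part of the page's sources: a small detector over process-creation telemetry that flags bursts of account-enumeration commands per host and user and, because this campaign enters through IIS, raises a separate high-severity alert whenever such a command is spawned by the IIS worker process w3wp.exe. The event schema (`ts`, `host`, `user`, `parent`, `cmdline`), the rule names and the sample events are constructed for illustration; map the fields onto Sysmon Event ID 1 or your EDR's process-creation records.

```python
"""Added example (not from SOCRadar or the Trend Micro reports): detect account
enumeration in process-creation telemetry, with a high-severity path for
commands spawned by the IIS worker process."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List

# Commands that enumerate accounts or groups (net.exe/net1.exe, PowerShell, WMIC).
ENUM_PATTERNS = [
    re.compile(r"\bnet1?(?:\.exe)?\s+(?:user|group|localgroup)\b", re.I),
    re.compile(r"\b(?:Get-LocalUser|Get-LocalGroupMember|Get-ADUser|Get-ADGroupMember)\b", re.I),
    re.compile(r"\bwmic(?:\.exe)?\s+useraccount\b", re.I),
]
# IIS worker process: children of w3wp.exe are how web-shell commands show up.
WEB_WORKERS = {"w3wp.exe"}


def is_account_enum(cmdline: str) -> bool:
    return any(p.search(cmdline) for p in ENUM_PATTERNS)


def detect(events: List[Dict], threshold: int = 3,
           window: timedelta = timedelta(seconds=60)) -> List[Dict]:
    """Two rules over process-creation events:
    - enum_from_iis_worker: any enumeration command whose parent is w3wp.exe;
    - enum_burst: `threshold` enumeration commands by the same (host, user)
      inside a sliding `window`, fired when the count reaches the threshold."""
    alerts: List[Dict] = []
    recent: Dict[tuple, Deque[Dict]] = defaultdict(deque)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if not is_account_enum(ev["cmdline"]):
            continue
        if ev["parent"].lower() in WEB_WORKERS:
            alerts.append({"rule": "enum_from_iis_worker", "severity": "high",
                           "host": ev["host"], "user": ev["user"],
                           "cmdline": ev["cmdline"]})
        q = recent[(ev["host"], ev["user"])]
        q.append(ev)
        while ev["ts"] - q[0]["ts"] > window:  # drop events older than the window
            q.popleft()
        if len(q) == threshold:
            alerts.append({"rule": "enum_burst", "severity": "medium",
                           "host": ev["host"], "user": ev["user"],
                           "commands": [e["cmdline"] for e in q]})
    return alerts


def _t(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed sample telemetry (schema is an assumption; map to Sysmon Event ID 1 or your EDR).
SAMPLE_EVENTS = [
    {"ts": _t("2024-08-28T10:00:01"), "host": "web01", "user": "IIS APPPOOL\\DefaultAppPool",
     "parent": "w3wp.exe", "cmdline": "cmd.exe /c whoami"},
    {"ts": _t("2024-08-28T10:00:05"), "host": "web01", "user": "IIS APPPOOL\\DefaultAppPool",
     "parent": "w3wp.exe", "cmdline": "net user"},
    {"ts": _t("2024-08-28T10:00:09"), "host": "web01", "user": "IIS APPPOOL\\DefaultAppPool",
     "parent": "cmd.exe", "cmdline": 'net1 group "domain admins" /domain'},
    {"ts": _t("2024-08-28T10:00:12"), "host": "web01", "user": "IIS APPPOOL\\DefaultAppPool",
     "parent": "cmd.exe", "cmdline": "net localgroup administrators"},
    # Help-desk lookups on another host, ten minutes apart: stays below the burst threshold.
    {"ts": _t("2024-08-28T11:00:00"), "host": "adm01", "user": "CORP\\helpdesk",
     "parent": "explorer.exe", "cmdline": "net user jdoe /domain"},
    {"ts": _t("2024-08-28T11:10:00"), "host": "adm01", "user": "CORP\\helpdesk",
     "parent": "explorer.exe", "cmdline": "net user asmith /domain"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The burst rule is keyed on (host, user) rather than on process tree so that a web shell which launches each command through a fresh cmd.exe is still counted as one actor; the w3wp.exe rule fires on the first command, without waiting for a burst, because an application-pool identity running `net user` has no legitimate reason to do so.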

CONCLUSION

Earth Baku has notably expanded its operations, extending from the Indo-Pacific region to target Europe and the MEA since late 2022. This campaign showcases the group’s advanced techniques, including the exploitation of public-facing applications like IIS servers for initial access, followed by the deployment of sophisticated malware such as the Godzilla webshell for control. The use of advanced loaders like StealthVector and StealthReacher to stealthily launch backdoor components, along with the modular backdoor SneakCross, highlights the group's evolving tactics.


Additionally, Earth Baku employs various tools during post-exploitation, including a customized iox tool, Rakshasa, and TailScale for persistence, as well as MEGAcmd for efficient data exfiltration. These developments underscore the group’s increasing sophistication and present significant challenges for cybersecurity defenses.


To counter such threats, organizations need layered defenses: enforce the principle of least privilege, keep internet-facing systems (IIS in particular) patched promptly, and maintain and exercise an incident response plan. Following the 3-2-1 backup rule (three copies of the data, on two different media, one kept off-site) keeps recoverable copies available even if an attack succeeds.


Organizations should consider deploying advanced security technologies such as SOCRadar's Extended Threat Intelligence, which offers continuous attack surface identification and comprehensive prevention, detection and response capabilities. Backed by threat research, intelligence and artificial intelligence, this platform improves the overall security posture. In addition, the Extended Detection and Response (XDR) service provides expert threat monitoring, correlation and analysis, delivering protection without overburdening IT teams and enabling organizations to scale securely with the cloud.


Files

Earth Baku Report 2.pdf: We state with confidence that Earth Longzhi is related to or is a subgroup of APT41 based on the following reasons:
Earth Baku Report.pdf: This research paper covers the technical details of a new cyberespionage campaign that we believe can be traced back to the notorious advanced persistent threat (APT) group Earth Baku.

History Timeline

  • Wed, 28 Aug 2024 16:23:05 GMT
    New IOCs Added

    55 IOCs added in total.

  • Wed, 28 Aug 2024 14:09:42 GMT
    New Report Added

    An Analysis of Multiple Campaigns by APT41’s Subgroup, Earth Longzhi report added.

  • Wed, 28 Aug 2024 14:07:03 GMT
    New Report Added

    Earth Baku Report added.

  • Wed, 28 Aug 2024 13:13:19 GMT
    Created!

    New Campaign created.

  • Fri, 09 Aug 2024 00:00:00 GMT
    Earth Baku’s Latest Campaign
    The group has updated its tools, tactics, and procedures (TTPs) in more recent campaigns, making use of public-facing applications such as IIS servers as entry points for attacks, after which they deploy sophisticated malware toolsets on the victim’s environment, including the loaders StealthVector and StealthReacher, and the modular backdoor SneakCross.

  • Thu, 01 Dec 2022 00:00:00 GMT
    Geographical Expansion
    Earth Baku expanded its operations beyond the Indo-Pacific to Europe, the Middle East, and Africa, targeting countries such as Italy, Germany, UAE, and Qatar.

  • Sat, 01 Oct 2022 00:00:00 GMT
    Infrastructure Observations
    Connections to Earth Baku's infrastructure were traced back to Georgia and Romania, suggesting these countries were also targeted.

  • Tue, 01 Mar 2022 00:00:00 GMT
    Global Reach
    Earth Baku's activities were detected in countries like India, Indonesia, Malaysia, the Philippines, Taiwan, and Vietnam, targeting enterprises and government entities.

  • Fri, 16 Jul 2021 00:00:00 GMT
    Attack Expansion
    Earth Baku expanded its target regions to include more countries in the Indo-Pacific region, exploiting public-facing applications and distributing malware via SQL injection and email attachments.

  • Mon, 01 Mar 2021 00:00:00 GMT
    ProxyLogon Exploitation
    Earth Baku exploited the ProxyLogon vulnerability (CVE-2021-26855) in Microsoft Exchange Servers to deploy China Chopper web shells and subsequently StealthVector.

  • Thu, 01 Oct 2020 00:00:00 GMT
    Toolset Update
    The group started deploying the StealthVector shellcode loader, which uses various evasion techniques and is actively developed.

  • Wed, 01 Jul 2020 00:00:00 GMT
    New Campaign Initiation
    Earth Baku launched a new campaign, introducing the ScrambleCross backdoor along with the use of Cobalt Strike and a new shellcode loader, StealthMutant.

  • Thu, 01 Nov 2018 00:00:00 GMT
    Initial Observations
    Earth Baku began using tools like Cobalt Strike, Crosswalk, and Metasploit in their cyber espionage campaigns.
