A sophisticated cyberattack campaign by the Earth Kurma Advanced Persistent Threat (APT) group has been identified, targeting government and telecommunications organizations in Southeast Asia. This campaign, uncovered by cybersecurity researchers, poses significant risks through the use of custom malware, rootkits, and cloud storage exploitation for espionage and data theft.

Targeted Regions and Impact

The Earth Kurma APT has focused its efforts on countries such as the Philippines, Vietnam, Thailand, and Malaysia. The attackers have potentially compromised sensitive data within government and telecommunications sectors, maintaining undetected access to networks for extended periods. This prolonged infiltration raises concerns about the security and confidentiality of critical information.

Technical Details of the Attack

Since its discovery in June 2024, Earth Kurma has been linked to a series of attacks primarily aimed at data exfiltration. The group employs advanced techniques, including the use of rootkits to ensure persistence and conceal their activities from detection.

  • Malware Tools: Earth Kurma utilizes custom tools such as TESDAT, SIMPOBOXSPY, and rootkits like KRNRAT and MORIYA.
  • Cloud Services Exploitation: The group leverages cloud services like Dropbox for data theft, complicating detection and mitigation efforts.

Infection Chain and Techniques

The Earth Kurma APT employs a range of tools for lateral movement, network scanning, and malware deployment. These include NBTSCAN, Ladon, FRPC, WMIHACKER, and ICMPinger. Additionally, they use a custom keylogger, KMLOG, to capture keystrokes and disguise the resulting logs as ZIP files.
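One defensive check the KMLOG detail suggests is an extension-versus-content audit: a file named .zip that does not carry a ZIP structure is worth a look. The script below is an added example written for this page, not code from the researchers or from the campaign's tooling; it assumes the disguise is a misleading extension on non-archive data (if the logs were stored as genuine archives, content inspection of the archive members would be needed instead), and the sample files it scans are constructed in memory.

```python
import io
import zipfile

# Signatures a genuine ZIP file may begin with: a local file header
# ("PK\x03\x04"), an empty archive's end-of-central-directory record
# ("PK\x05\x06"), or a spanned-archive marker ("PK\x07\x08").
ZIP_MAGIC = (b"PK\x03\x04", b"PK\x05\x06", b"PK\x07\x08")


def classify_zip_candidate(name: str, data: bytes) -> str:
    """Classify a file that carries a .zip extension.

    Returns one of:
      "not_zip_name" - the name does not end in .zip, nothing to check
      "zip"          - the bytes really are a ZIP archive
      "mismatch"     - .zip name but the content is something else
    """
    if not name.lower().endswith(".zip"):
        return "not_zip_name"
    # Magic-byte check first (cheap), then let zipfile validate the structure.
    if data[:4] in ZIP_MAGIC and zipfile.is_zipfile(io.BytesIO(data)):
        return "zip"
    return "mismatch"


def find_disguised_files(files: dict) -> list:
    """Return names of .zip files whose contents are not ZIP archives."""
    return sorted(
        name for name, data in files.items()
        if classify_zip_candidate(name, data) == "mismatch"
    )


def build_samples() -> dict:
    """Constructed sample files: one genuine archive, one disguised text log."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "genuine archive content")
    genuine = buf.getvalue()
    # A keystroke log saved under a .zip name (constructed, not real malware output).
    disguised = b"[12:01:03] window=Outlook keys=hello world\r\n"
    return {"backup.zip": genuine, "report.zip": disguised, "notes.txt": b"plain"}


if __name__ == "__main__":
    for name in find_disguised_files(build_samples()):
        print(f"suspicious: {name} has a .zip extension but is not a ZIP archive")
```

On a real host the same two functions can be pointed at a directory walk; the magic-byte check is deliberately kept separate from `zipfile.is_zipfile` so that a file which merely contains a central directory somewhere in its tail is still reported.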

Persistence and Evasion Strategies

To maintain a foothold in compromised systems, Earth Kurma deploys loaders such as DUNLOADER, TESDAT, and DMLOADER. These tools facilitate the execution of payloads in memory and enable data exfiltration via cloud platforms like Dropbox and OneDrive. Rootkits such as KRNRAT and MORIYA are employed to evade detection by security systems.
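Because the exfiltration channel described here is ordinary HTTPS traffic to Dropbox and OneDrive, a practical detection is volumetric: sum outbound bytes per source host to those services and flag hosts that are not expected to use them. The script below is an added example for this page, not code from the researchers; the proxy log format, the host names, the 100 MiB threshold, and the allowlist are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed proxy log lines (not real telemetry): timestamp, source host,
# HTTP method, destination host, bytes sent by the client.
SAMPLE_LOG = """\
2024-06-03T09:12:44Z src=WS-0142 method=POST dst=content.dropboxapi.com bytes_out=157286400
2024-06-03T09:13:01Z src=WS-0142 method=POST dst=content.dropboxapi.com bytes_out=157286400
2024-06-03T09:15:20Z src=WS-0142 method=POST dst=content.dropboxapi.com bytes_out=98304000
2024-06-03T09:20:05Z src=WS-0077 method=GET dst=www.dropbox.com bytes_out=1024
2024-06-03T09:31:11Z src=SRV-FILE01 method=PUT dst=my.sharepoint.com bytes_out=524288000
2024-06-03T09:40:00Z src=WS-0200 method=POST dst=onedrive.live.com bytes_out=4194304
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) method=(?P<method>\S+) "
    r"dst=(?P<dst>\S+) bytes_out=(?P<bytes>\d+)$"
)

# Domain suffixes for the consumer cloud-storage services named in the report
# (assumed list; extend it from your own proxy categorisation).
CLOUD_STORAGE_SUFFIXES = ("dropbox.com", "dropboxapi.com", "onedrive.live.com")

# Assumed per-host upload threshold for the observation window: 100 MiB.
UPLOAD_THRESHOLD = 100 * 1024 * 1024


def is_cloud_storage(host: str) -> bool:
    """True if the destination host belongs to one of the watched services."""
    host = host.lower()
    return any(host == s or host.endswith("." + s) for s in CLOUD_STORAGE_SUFFIXES)


def parse_log(text: str) -> list:
    """Parse log lines into dicts; malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append({"src": m["src"], "dst": m["dst"], "bytes": int(m["bytes"])})
    return records


def upload_totals(records: list) -> dict:
    """Sum bytes uploaded per source host to cloud-storage destinations only."""
    totals = defaultdict(int)
    for r in records:
        if is_cloud_storage(r["dst"]):
            totals[r["src"]] += r["bytes"]
    return dict(totals)


def flag_hosts(records: list, allowlist: set, threshold: int = UPLOAD_THRESHOLD) -> list:
    """Hosts outside the allowlist whose cloud-storage uploads reach the threshold."""
    return sorted(
        host for host, sent in upload_totals(records).items()
        if host not in allowlist and sent >= threshold
    )


if __name__ == "__main__":
    for host in flag_hosts(parse_log(SAMPLE_LOG), allowlist={"WS-0077"}):
        print(f"review {host}: large upload volume to cloud storage")
```

Summing over a window rather than alerting per request matters here: the loaders described push data in chunks, so a single POST rarely looks unusual on its own. Pairing the volume with an allowlist of hosts that legitimately sync to these services keeps the rule from firing on ordinary users.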

Attribution Challenges

While there are overlaps between Earth Kurma's tools and those of other known APT groups, conclusive attribution remains elusive. The MORIYA rootkits share similarities with those used in Operation TunnelSnake, and SIMPOBOXSPY is linked to another APT group, ToddyCat. However, distinct attack patterns prevent definitive attribution to a single group.
