Invitation to a Secret Event: Uncovering Earth Yako’s Campaigns

Technical perspectives

Based on the arsenals and TTPs, we believe Earth Yako may be related to a number of existing groups. However, since we could only observe partial technical overlaps between Earth Yako and the following groups, we note that this is not our final attribution. We found the overlaps similar with the following groups:

1.      Darkhotel

Darkhotel (a.k.a. DUBNIUM) is a threat actor observed to frequently target Japanese organizations in the past. Earth Yako’s method for initial access is similar to the procedure used by Darkhotel, which has been confirmed in other reports.

2.      APT10

APT10 (also known as menuPass, Stone Panda, Potassium, Red Apollo, CVNX, and ChessMaster) is a threat actor that has been actively attacking organizations in Japan, especially from 2016 to 2018. Trend Micro’s analysis has confirmed that Earth Yako’s MirrorKey malware uses the same encryption routine as the one used by APT10 malware families RedLeaves and ChChes in the past. However, there is no strong evidence that APT10 originally developed this routine, or that they possibly just reused a code from a publicly available library.

3.      APT29

APT29 (also known as IRON RITUAL, IRON HEMLOCK, NobleBaron, Dark Halo, StellarParticle, NOBELIUM, UNC2452, YTTRIUM, The Dukes, Cozy Bear, and CozyDuke) is a threat actor known to target Western government organizations. In 2022, APT29 used ISO and LNK files for initial access, similar to the TTPs of Earth Yako. It has also been reported to abuse Dropbox API as a C&C server for malware. However, we confirmed that the codes of the malware from APT29 is itself different from those of Earth Yako-related malware (TransBox, PlugBox, and ShellBox).

Other considerations

In addition to the technical similarities identified, we also look at the context surrounding the incidents. In attacking the academic and research sectors in Japan, and the fact that they target various industries based on the international affairs is similar to APT10. We observed lures using themes or discussions on economic security, energy, the Russia-Ukraine conflict, or other significant events surrounding East Asia. The threat actor has been conducting attacks using the LODEINFO malware in recent years. In particular, the attacks by Earth Yako and the attacks using LODEINFO are similar, and it has been reported that the organizations Earth Yako targeted were also the institutions involved in compromises using LODEINFO malware. However, as with the limitations identified in the “Technical Perspectives” section, we believe this is insufficient to connect Earth Yako with APT10.

Conclusion

Since 2022, Earth Yako has been actively attacking with new arsenal and TTPs. Although the targets of the compromise vary from time to time, it is believed that it commonly targets the academic and research sectors in Japan, both individuals belonging to these organizations and institutions as a whole. In November 2022, the National Police Agency and the National Center of Incident Readiness and Strategy for Cybersecurity (NISC) issued a warning about these attacks. One of the characteristics of the recent targeted attacks is that they shifted to targeting the individuals considered to have relatively weak security measures compared to companies and other organizations. This shift to targeting individuals over enterprises is highlighted by the targeting and abuse of Dropbox as it is considered a popular service in the region among users for personal use, but not for organizations.

It should also be noted that Earth Yako has been actively changing their targets and methods based on the significant topics concerning the targeted countries. For the targeted attacks, in addition to the groups continuously targeting the specific regions and industries, we identified several groups changing their targets and methods based on the current circumstances, including Earth Yako.

To mitigate the risks and impact of compromise from targeted compromise, it is necessary to not only focus on specific methods, malware, and threat actors, but also to collect a wider range of information, implement continuous monitoring and countermeasures, and inspect attack surfaces in organizations. We believe that attacks by Earth Yako are still ongoing, and therefore we believe that continued vigilance is necessary.

Indicators of Compromise (IOCs)

Read More HERE