Earth Kurma APT Campaign Targets Southeast Asian Government, Telecom Sectors

After collecting the files into a password-protected archive, normally named after the host name, the RAR archive is copied over SMB to the folder \\DC_server\sysvol\{domain}\Policies\{ID}\user\. The “sysvol” share holds the domain’s Group Policy objects and related files, and it exists only on domain controllers. We believe the attackers stage the collected archives in “sysvol” to abuse a native Windows mechanism, Distributed File System Replication (DFSR). DFSR keeps Group Policy consistent across domain controllers by replicating the contents of the “sysvol” folder among them, so the stolen archives are automatically synchronized to every DC, and the attackers can exfiltrate them from whichever one is most convenient.
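The following PowerShell is an added example, not code from the original report or from the threat actor’s toolset. It hunts a domain controller’s SYSVOL\Policies tree for staged archives of the kind described above, identifying them by file content rather than extension, and then lists recent SMB write events against the SYSVOL share. It assumes it is run elevated on a DC, that the ActiveDirectory module is optional (host-name matching is skipped without it), and that “Detailed File Share” auditing (event ID 5145) is enabled for the second function; the size threshold and name heuristics are the author’s own, not Earth Kurma indicators.

```powershell
# Added example (not from the original report): hunt SYSVOL\Policies for
# staged archives and list SMB writes to the SYSVOL share.
# Assumptions: elevated on a DC; 5145 auditing enabled for Get-SysvolWriteEvents;
# the 1MB threshold and hostname heuristic are illustrative choices.

function Get-ArchiveMagic {
    param([string]$Path)
    # Read only the first 8 bytes and classify by magic, not by extension.
    $buf = New-Object byte[] 8
    $fs = [System.IO.File]::Open($Path, 'Open', 'Read', 'ReadWrite')
    try { $n = $fs.Read($buf, 0, 8) } finally { $fs.Dispose() }
    if ($n -lt 4) { return $null }
    $hex = ($buf[0..($n - 1)] | ForEach-Object { $_.ToString('X2') }) -join ''
    switch -Regex ($hex) {
        '^526172211A07' { return 'RAR' }   # "Rar!\x1a\x07" (RAR4 and RAR5 headers)
        '^504B0304'     { return 'ZIP' }
        '^377ABCAF271C' { return '7Z'  }
        default         { return $null }
    }
}

function Find-SysvolStagedArchives {
    param(
        [string]$PoliciesPath = "\\$env:COMPUTERNAME\SYSVOL\$env:USERDNSDOMAIN\Policies",
        [int]$MinSizeBytes = 1MB   # GPO content is tiny; large files are suspicious
    )
    # Domain host names, if the AD module is present, to catch "<hostname>.rar"-style names.
    $hosts = @{}
    try {
        Get-ADComputer -Filter * -ErrorAction Stop | ForEach-Object { $hosts[$_.Name.ToLower()] = $true }
    } catch { }

    Get-ChildItem -Path $PoliciesPath -Recurse -File -ErrorAction SilentlyContinue | ForEach-Object {
        $magic   = Get-ArchiveMagic -Path $_.FullName
        $base    = $_.BaseName.ToLower()
        $reasons = @()
        if ($magic)                      { $reasons += "archive magic: $magic" }
        if ($_.Length -ge $MinSizeBytes) { $reasons += "size $([math]::Round($_.Length / 1MB, 1)) MB" }
        if ($hosts.ContainsKey($base))   { $reasons += "named after host $base" }
        if ($reasons) {
            [pscustomobject]@{
                Path      = $_.FullName
                SizeBytes = $_.Length
                Written   = $_.LastWriteTimeUtc
                Owner     = (Get-Acl -Path $_.FullName).Owner
                Reason    = $reasons -join '; '
            }
        }
    }
}

function Get-SysvolWriteEvents {
    param([int]$Hours = 24)
    # Event 5145 records share access checks; AccessMask bit 0x2 is WriteData/AddFile.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5145; StartTime = (Get-Date).AddHours(-$Hours) } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            $x.Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
            if ($d.ShareName -like '*\SYSVOL' -and (([int]$d.AccessMask) -band 0x2)) {
                [pscustomobject]@{
                    Time   = $_.TimeCreated
                    User   = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                    Source = $d.IpAddress
                    Target = $d.RelativeTargetName
                }
            }
        }
}

Find-SysvolStagedArchives | Format-Table -AutoSize
Get-SysvolWriteEvents -Hours 24 | Format-Table -AutoSize
```

Because DFSR replicates the staged files to every DC, a hit on one controller should be followed by the same sweep on the others; the 5145 events, where present, show which account and source address wrote the archive into the share before replication spread it.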
Attribution
Our analysis identified weak links to two groups, ToddyCat and Operation TunnelSnake. After a thorough examination, we determined that this campaign merited a separate designation, Earth Kurma.
The APT group ToddyCat was first disclosed in 2022. The “tailored loader” mentioned in the ToddyCat report was found on the same victim machines as the TESDAT loaders, but we found no process execution logs linking the two. The two groups also share similar exfiltration PowerShell scripts, and the tool SIMPOBOXSPY used by Earth Kurma had previously been used by ToddyCat.
Both Earth Kurma and ToddyCat heavily target Southeast Asian countries. Reports on ToddyCat indicate that its activities started in 2020, a timeline that aligns closely with what we observed for Earth Kurma.
However, SIMPOBOXSPY is a simple tool that could be shared among groups, and we did not observe any other exclusive tools that can be directly attributed to ToddyCat. We therefore cannot conclusively link Earth Kurma to ToddyCat.
The second potentially related APT group is Operation TunnelSnake, reported in 2021. The MORIYA rootkit used in that campaign shares its code base with the MORIYA variant we found, and Operation TunnelSnake likewise targeted countries in Southeast Asia. Nevertheless, we did not observe any similarity in the post-exploitation stages.
Security best practices
Earth Kurma remains highly active, continuing to target countries around Southeast Asia. They have the capability to adapt to victim environments and maintain a stealthy presence. They can also reuse the same code base from previously identified campaigns to customize their toolsets, sometimes even utilizing the victim’s infrastructure to achieve their goals.
Here are some best security practices to mitigate such threats:
- Enforce strict driver installation policies. Allow only digitally signed and explicitly approved drivers through Group Policies or application control solutions to prevent malicious rootkits.
- Strengthen Active Directory (AD) and DFSR controls. Secure AD’s sysvol directory and closely audit DFSR replication events to prevent misuse for stealthy data exfiltration.
- Limit SMB communications. Restrict SMB protocol usage across the network to prevent lateral movement and unauthorized file transfers.
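As an added example, not configuration from the original report, the PowerShell below shows one way to apply the three practices above with built-in Windows tooling: Microsoft’s vulnerable driver blocklist for the driver control (a full WDAC policy is the stronger option), a file-system SACL plus the matching audit subcategories so that file creation under SYSVOL\Policies is logged, and a scoped firewall rule that allows inbound SMB only from a management subnet. It assumes an elevated session; 10.0.0.0/24 is a placeholder for the subnet that legitimately needs SMB access; and the SACL section is meant for domain controllers while the firewall section is meant for workstations and member servers that do not serve files.

```powershell
# Added example (not from the original report). Assumptions: elevated session;
# 10.0.0.0/24 is a placeholder admin subnet; apply section 2 on DCs and
# section 3 on hosts that should not accept SMB connections from arbitrary peers.

# 1. Drivers: enable Microsoft's vulnerable driver blocklist on supported
#    Windows 10/11 builds. Replace with a full WDAC policy where possible.
$ci = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
New-Item -Path $ci -Force | Out-Null
Set-ItemProperty -Path $ci -Name VulnerableDriverBlocklistEnable -Value 1 -Type DWord

# 2. SYSVOL: log every file and directory creation under Policies on this DC.
#    "File System" produces 4663 for the SACL below; "Detailed File Share"
#    produces 5145 for access through the SYSVOL share.
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null
auditpol /set /subcategory:"Detailed File Share" /success:enable | Out-Null
$policies = "$env:SystemRoot\SYSVOL\sysvol\$env:USERDNSDOMAIN\Policies"
$acl  = Get-Acl -Path $policies -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]'CreateFiles, CreateDirectories',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]::Success)
$acl.AddAuditRule($rule)
Set-Acl -Path $policies -AclObject $acl

# 3. SMB: with the profile default set to block inbound traffic, disable the
#    broad File and Printer Sharing rules and re-allow TCP 445 only from the
#    admin subnet. Everything else on 445 is dropped by the default action.
Set-NetFirewallProfile -All -DefaultInboundAction Block
Set-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Enabled False
New-NetFirewallRule -DisplayName 'SMB inbound from admin subnet only' `
    -Direction Inbound -Protocol TCP -LocalPort 445 `
    -RemoteAddress 10.0.0.0/24 -Action Allow -Profile Domain
```

The firewall section relies on Windows Firewall’s default inbound action rather than an explicit block rule, because block rules take precedence over allow rules and would also drop the admin subnet; a scoped allow on top of a blocking default gives the intended exception.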
Proactive security with Trend Vision One™
Trend Vision One™ is the only AI-powered enterprise cybersecurity platform that centralizes cyber risk exposure management, security operations, and robust layered protection. This comprehensive approach helps you predict and prevent threats, accelerating proactive security outcomes across your entire digital estate. Backed by decades of cybersecurity leadership and Trend Cybertron, the industry’s first proactive cybersecurity AI, it delivers proven results: a 92% reduction in ransomware risk and a 99% reduction in detection time. Security leaders can benchmark their posture and showcase continuous improvement to stakeholders. With Trend Vision One, you’re enabled to eliminate security blind spots, focus on what matters most, and elevate security into a strategic partner for innovation.
Trend Vision One Threat Intelligence
To stay ahead of evolving threats, Trend Vision One customers can access a range of Intelligence Reports and Threat Insights. Threat Insights helps customers stay ahead of cyber threats before they happen and allows them to prepare for emerging threats by offering comprehensive information on threat actors, their malicious activities, and their techniques. By leveraging this intelligence, customers can take proactive steps to protect their environments, mitigate risks, and effectively respond to threats.
Trend Vision One Intelligence Reports App [IOC Sweeping]
- Earth Kurma Uncovered: Cyber Threats to Southeast Asian Governments
Trend Vision One Threat Insights App
Hunting Queries
Trend Vision One Search App
Trend Vision One customers can use the Search App to match or hunt the malicious indicators mentioned in this blog post with data in their environment.
Scan for the Earth Kurma malware detections:
malName: (*DUNLOADER* OR *TESDAT* OR *DMLOADER* OR *MORIYA* OR *KRNRAT* OR *SIMPOBOXSPY* OR *ODRIZ* OR *KMLOG*) AND eventName: MALWARE_DETECTION
Indicators of Compromise (IoC)
The indicators of compromise for this entry can be found here.