Earth Baxia

Description

(Trend Micro) In July, we observed suspicious activity targeting a government organization in Taiwan, with other APAC countries also likely targeted, attributed to the threat actor Earth Baxia. In these campaigns, Earth Baxia used spear-phishing emails and exploited CVE-2024-36401, a vulnerability in an open-source server for sharing geospatial data called GeoServer, as initial access vectors, deploying customized Cobalt Strike components on compromised machines. Additionally, we identified a new backdoor called EAGLEDOOR that supports multiple protocols. In this report, we will discuss their infection chain and provide a detailed analysis of the malware involved.

Names

Name        | Name-Giver
Earth Baxia | Trend Micro

Country

Motivation

  • Information theft and espionage

First Seen

2024

Observed Sectors

Observed Countries

Tools

Information

Other Information

Uuid

801794ef-8778-4b5c-8220-ee83554e35c2

Last Card Change

2024-10-23