Earth Krahang

Description

(Trend Micro) Since early 2022, we have been monitoring an APT campaign that targets several government entities worldwide, with a strong focus in Southeast Asia, but also seen targeting Europe, America, and Africa. The threat actor exploits public-facing servers and sends spear phishing emails to deliver previously unseen backdoors.

Our research allowed us to identify the campaign’s multiple connections with a China-nexus threat actor we track as Earth Lusca. However, since the campaign employs independent infrastructure and unique backdoors, we believe it to be a separate intrusion set that we named Earth Krahang.

Names

Name	Name-Giver
Earth Krahang	Trend Micro

Country

• China

Motivation

• Information theft and espionage

First Seen

2022

Observed Sectors

• Defense
• Education
• Financial
• Government
• Healthcare
• Hospitality
• IT
• Manufacturing
• Media
• NGOs
• Retail
• Shipping and Logistics
• Telecommunications

Observed Countries

• Argentina
• Bangladesh
• Bolivia
• Brazil
• Cambodia
• Ecuador
• Egypt
• Hungary
• India
• Indonesia
• Israel
• Jordan
• Kazakhstan
• Kyrgyzstan
• Laos
• Malaysia
• Mexico
• Morocco
• Myanmar
• Nigeria
• Oman
• Pakistan
• Peru
• Romania
• Rwanda
• Saudi Arabia
• South Africa
• South Korea
• Sri Lanka
• Tajikistan
• Thailand
• Turkey
• UAE
• UK
• USA
• Uzbekistan
• Vietnam

Tools

• Cobalt Strike
• DinodasRAT
• PlugX
• Reshell
• ShadowPad Winnti

Information

• https://www.trendmicro.com/en_us/research/24/c/earth-krahang.html

Other Information

Uuid

9adc7643-95e1-45a8-b459-b9bba22ef2b7

Last Card Change

2024-04-22