Trend Micro -
We have uncovered a cyberespionage campaign being perpetrated by Earth Baku, an advanced persistent threat (APT) group with a known history of carrying out cyberattacks under the alias APT41. This is not the group’s first foray into cyberespionage, and its long list of past cybercrimes also includes ransomware and cryptocurrency mining attacks.
Earth Baku deploys its ongoing campaign, which can be traced back to at least July 2020, through multiple attack vectors, each tailored to a different exploit or to the infrastructure of the targeted victim’s environment:

• SQL injection to upload a malicious file
• Installation through InstallUtil.exe in a scheduled task
• Possibly a malicious link (LNK) file sent as an email attachment
• Exploitation of the ProxyLogon vulnerability CVE-2021-26855 to upload a China Chopper web shell
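Two of the vectors listed above leave footprints that a defender can check for in ordinary telemetry: InstallUtil.exe launched under the Task Scheduler service, and a web shell that is only ever POSTed to. The following Python is an added example written for this page, not Trend Micro's code or tooling; the process-event dictionaries and the IIS-style log lines are constructed samples with an assumed field layout, and the path names in them are placeholders rather than indicators from the report.

```python
"""Added detection example (not from the original report).

Flags two patterns that correspond to vectors in the text:
  1. InstallUtil.exe started by the Task Scheduler service (parent svchost
     hosting the "Schedule" service) or run with the /U switch, which
     executes the assembly's Uninstall method and is a common way to run
     code via a signed .NET utility.
  2. .aspx resources that receive repeated POSTs from one client but never
     a GET, a traffic shape typical of a dropped web shell such as
     China Chopper.
Event schemas and all sample values below are constructed for the example.
"""
import re
from collections import Counter

# Constructed process-creation events (field names assumed for this example).
PROCESS_EVENTS = [
    {"image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe",
     "cmdline": r"InstallUtil.exe /logfile= /LogToConsole=false /U C:\Users\Public\svc.dll",
     "parent": r"C:\Windows\System32\svchost.exe -k netsvcs -p -s Schedule"},
    {"image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe",
     "cmdline": r"InstallUtil.exe C:\Program Files\Vendor\Service.exe",
     "parent": r"C:\Program Files\Vendor\setup.exe"},
    {"image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe",
     "parent": r"C:\Windows\explorer.exe"},
]

# Constructed IIS W3C-style lines; placeholder paths and RFC 5737 test addresses.
# Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username
#         c-ip cs(User-Agent) sc-status
IIS_LOG = """\
2021-03-03 10:15:01 10.0.0.5 GET /owa/auth/logon.aspx - 443 - 198.51.100.7 Mozilla/5.0 200
2021-03-03 10:15:09 10.0.0.5 POST /owa/auth/logon.aspx - 443 - 198.51.100.7 Mozilla/5.0 302
2021-03-03 10:16:40 10.0.0.5 POST /owa/auth/help.aspx - 443 - 203.0.113.9 python-requests/2.25 200
2021-03-03 10:16:52 10.0.0.5 POST /owa/auth/help.aspx - 443 - 203.0.113.9 python-requests/2.25 200
2021-03-03 10:17:03 10.0.0.5 POST /owa/auth/help.aspx - 443 - 203.0.113.9 python-requests/2.25 200
"""


def flag_installutil_from_task(events):
    """Return InstallUtil.exe launches that came from a scheduled task or use /U."""
    hits = []
    for e in events:
        if not e["image"].lower().endswith("\\installutil.exe"):
            continue
        parent = e["parent"].lower()
        # svchost hosting the Schedule service, or the legacy taskeng.exe host
        from_task = "-s schedule" in parent or parent.endswith("taskeng.exe")
        # /U (uninstall) switch anywhere in the command line, case-insensitive
        uninstall = re.search(r"(^|\s)/u\b", e["cmdline"], re.I) is not None
        if from_task or uninstall:
            hits.append({"cmdline": e["cmdline"],
                         "from_task": from_task,
                         "uninstall_switch": uninstall})
    return hits


def find_post_only_aspx(log_text, min_posts=2):
    """Return (uri, client_ip, post_count) for .aspx paths that are only POSTed to."""
    gets, posts = set(), Counter()
    for line in log_text.splitlines():
        f = line.split()
        if len(f) < 11 or not f[4].lower().endswith(".aspx"):
            continue
        method, uri, client = f[3], f[4].lower(), f[8]
        if method == "GET":
            gets.add(uri)
        elif method == "POST":
            posts[(uri, client)] += 1
    # A legitimate page is normally also fetched with GET; a web shell is not.
    return sorted((uri, client, n) for (uri, client), n in posts.items()
                  if uri not in gets and n >= min_posts)


if __name__ == "__main__":
    for hit in flag_installutil_from_task(PROCESS_EVENTS):
        print("InstallUtil:", hit)
    for uri, client, n in find_post_only_aspx(IIS_LOG):
        print(f"POST-only aspx: {uri} from {client} ({n} requests)")
```

Both heuristics are deliberately narrow: the InstallUtil check ignores the vendor installer that runs it interactively, and the web-log check ignores the login page because it is also fetched with GET. In practice the POST-only rule should be joined with file-creation telemetry for the web root, so that a new .aspx file and the first POST to it can be correlated.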
This campaign uses previously unidentified shellcode loaders, which we have named StealthVector and StealthMutant, and a backdoor, which we have dubbed ScrambleCross. Earth Baku developed these new malware tools to carry out targeted attacks on both public and private entities in specific industries located in the Indo-Pacific region. Thus far, the affected countries include India, Indonesia, Malaysia, the Philippines, Taiwan, and Vietnam.
Figure 1. Countries affected by Earth Baku’s new