A sophisticated APT (Advanced Persistent Threat) group, named Earth Kurma, has been revealed as a major cyber threat targeting Southeast Asia’s government and telecom sectors. This group has been active for several years, leveraging highly customized malware, rootkits, and cloud storage for espionage, credential theft, and data exfiltration. This ongoing campaign poses a significant business risk for organizations in the region, as it employs advanced evasion techniques to maintain long-term, undetected access.
Trend Micro, a leading cybersecurity firm, recently uncovered the campaign, which specifically targets countries such as the Philippines, Vietnam, Thailand, and Malaysia. Earth Kurma’s primary objective is to compromise sensitive government and telecommunications data, raising concerns about national security. Experts suggest that the threat actors have been able to remain hidden for extended periods, gaining unprecedented access to their victims’ networks without detection.
A Detailed Look at Earth Kurma
Since June 2024, Trend Micro has been investigating a sophisticated APT campaign targeting multiple Southeast Asian nations, with a particular focus on the Philippines, Vietnam, and Malaysia. This group, now dubbed Earth Kurma, has primarily concentrated on government sectors, aiming to exfiltrate critical data.
The researchers outlined that Earth Kurma’s primary method of maintaining stealth and persistence within compromised networks is through the deployment of rootkits. These rootkits help the attackers avoid detection while they continue their operations. Notably, the group has been leveraging cloud services like Dropbox for data exfiltration.
Earth Kurma is suspected of being a relatively new APT group, active since 2020 and targeting Southeast Asia’s government and telecom sectors. Its primary goal is believed to be data theft, with cloud services as its favored exfiltration channel. The tools employed by Earth Kurma include custom malware such as TESDAT and SIMPOBOXSPY, alongside rootkits like KRNRAT and MORIYA.
The infection process used by Earth Kurma involves several stages. The threat actors utilize tools such as NBTSCAN, Ladon, FRPC, WMIHACKER, and ICMPinger to facilitate lateral movement, network scanning, and malware deployment across victim systems. In the persistence stage, Earth Kurma deploys loaders like DUNLOADER, TESDAT, and DMLOADER to execute payloads in memory and exfiltrate sensitive data through cloud storage services like Dropbox and OneDrive. Rootkits such as KRNRAT and MORIYA are then used to maintain stealth and evade detection.
Interestingly, the researchers note overlaps between the tools and tactics used by Earth Kurma and those of other known APT groups. For example, the MORIYA rootkit shares similarities with the one used in Operation TunnelSnake, while SIMPOBOXSPY and the exfiltration script resemble tools used by the ToddyCat group. However, because the attack patterns differ, attribution remains inconclusive, and the researchers track the activity as a new group, Earth Kurma.
Between 2022 and 2024, Earth Kurma utilized advanced techniques, including the use of Cobalt Strike beacons, loaders, and rootkits, to maintain long-term access to compromised networks. One notable tactic employed by the group is the use of “living-off-the-land” binaries like syssetup.dll to install their rootkits and other malicious payloads, further enhancing their ability to remain undetected.
What Undercode Says:
The Earth Kurma campaign is a textbook example of how modern APT groups are evolving to leverage increasingly sophisticated tools and techniques to target high-value sectors such as government and telecommunications. This campaign highlights the rising trend of cyber espionage, where attackers are not only interested in stealing data but also in maintaining long-term, undetected access to sensitive networks.
The use of cloud services for exfiltration is particularly noteworthy. This approach lowers the risk of detection because the outbound traffic blends into legitimate use of trusted services like Dropbox and OneDrive, which traditional network monitoring rarely blocks or inspects closely. This tactic shows the growing sophistication of APT actors who are willing to adapt to the environment of their targets in order to stay one step ahead of detection systems.
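One defensive counter to this tactic is to hunt for upload volume to cloud storage APIs from hosts that have no business using them, such as domain controllers or file servers. The following is an added example (not code from Trend Micro or the report) that runs such a hunt over constructed proxy log lines; the domain list, the server inventory and the 50 MB threshold are assumptions to tune for your own environment.

```python
import re
from collections import defaultdict

# Constructed proxy log lines (not from the report): timestamp, source host,
# destination domain, HTTP method, bytes sent by the client.
SAMPLE_PROXY_LOG = """\
2024-06-03T02:14:07Z DC01 content.dropboxapi.com POST 52428800
2024-06-03T02:16:31Z DC01 content.dropboxapi.com POST 73400320
2024-06-03T02:20:09Z FILESRV02 graph.microsoft.com PUT 31457280
2024-06-03T09:01:44Z WKS-ANN api.dropboxapi.com POST 4096
2024-06-03T09:05:12Z WKS-ANN content.dropboxapi.com POST 2097152
2024-06-03T10:12:55Z WKS-BOB www.example.com GET 512
"""

# Domains that front cloud storage APIs. Assumed list for the example;
# extend it to the services your organisation actually sees.
CLOUD_STORAGE_DOMAINS = {
    "content.dropboxapi.com", "api.dropboxapi.com",
    "graph.microsoft.com", "api.onedrive.com",
}
# Hosts that should never upload to cloud storage. Assumed inventory.
SERVER_HOSTS = {"DC01", "FILESRV02"}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+)$")

def summarize_uploads(log_text):
    """Return {host: bytes_sent} for upload methods to cloud storage domains."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the hunt
        _ts, host, domain, method, nbytes = m.groups()
        if domain in CLOUD_STORAGE_DOMAINS and method in ("POST", "PUT"):
            totals[host] += int(nbytes)
    return dict(totals)

def flag_hosts(totals, byte_threshold=50 * 1024 * 1024):
    """Flag servers with any cloud upload, and any host above the volume threshold."""
    flagged = {}
    for host, sent in totals.items():
        if host in SERVER_HOSTS:
            flagged[host] = "server uploading to cloud storage"
        elif sent >= byte_threshold:
            flagged[host] = f"{sent} bytes uploaded exceeds threshold"
    return flagged

if __name__ == "__main__":
    print(flag_hosts(summarize_uploads(SAMPLE_PROXY_LOG)))
```

On the constructed sample, both servers are flagged while the workstation WKS-ANN, whose uploads stay under the threshold, is not.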
What stands out is the highly targeted nature of the attacks. Earth Kurma isn’t just randomly compromising networks; they are focusing on specific government and telecom sectors in Southeast Asia. This suggests that the threat actors are well-versed in the geopolitical landscape and may be conducting espionage for state-sponsored motives. The ability to remain hidden for long periods, sometimes even using the victim’s infrastructure to achieve their goals, further demonstrates the advanced capabilities of Earth Kurma.
The ongoing evolution of the APT landscape, marked by new groups like Earth Kurma, underscores the growing importance of robust cybersecurity measures, especially for government entities and critical infrastructure sectors. The traditional methods of detecting and mitigating such attacks, such as firewalls and intrusion detection systems, may no longer be sufficient. This shift calls for more proactive measures, including threat hunting, continuous monitoring, and greater emphasis on the human element of cybersecurity.
Fact Checker Results
- Advanced Tools: The tools and techniques used by Earth Kurma, such as custom malware and rootkits, are consistent with those employed by other known APT groups, validating the sophistication of the campaign.
- Cloud Storage Use: The reliance on cloud services like Dropbox and OneDrive for data exfiltration represents an emerging tactic among APT groups, making it harder to detect traditional data breaches.
- Attribution Challenges: While overlaps exist with other threat groups, the distinct attack patterns of Earth Kurma make conclusive attribution difficult, suggesting the presence of a highly skilled, adaptable team.
References:
Reported By: securityaffairs.com