Listen to this Post

In recent months, a new advanced persistent threat (APT) group known as Earth Kurma has emerged as a formidable cybersecurity threat to Southeast Asia, particularly targeting government and telecommunications sectors. Since June 2024, Earth Kurma has conducted sophisticated attacks that leverage custom malware, rootkits, and cloud storage services to exfiltrate sensitive data from high-profile organizations in the Philippines, Vietnam, Thailand, and Malaysia. The tactics and tools used by this group pose significant risks to national security and business operations across the region.
Earth
The campaign, which dates back to November 2020, is notable for its use of advanced techniques and customized tools, making it an alarming security issue for the affected countries. Experts at Trend Micro have identified various rootkits and malware families used in the attacks, including KRNRAT and Moriya, which have been observed in previous espionage campaigns targeting organizations across Asia and Africa.
Earth
Earth
The attackers also deploy specialized loaders, such as DUNLOADER, TESDAT, and DMLOADER, which allow for the seamless execution of next-stage payloads. These payloads include Cobalt Strike Beacons, rootkits like KRNRAT and Moriya, and exfiltration malware. The use of living-off-the-land (LotL) techniques further enhances the stealth of these operations by exploiting legitimate system tools to install rootkits, rather than introducing easily detectable malware.
One of the most concerning aspects of Earth
Earth Kurma’s ability to adapt to different victim environments and maintain a stealthy presence is another factor that makes them a serious threat. This adaptability allows them to reuse code from previous campaigns and customize their toolsets to suit the specific needs of their targets. In some cases, the attackers have even used the victim’s infrastructure to carry out their objectives, making detection and mitigation even more challenging.
What Undercode Say:
The rise of Earth Kurma as a threat to Southeast Asia’s government and telecommunications sectors highlights a significant shift in the landscape of cyber threats in the region. While the use of advanced malware and rootkits is not new, the specific combination of techniques employed by Earth Kurma is concerning. Their ability to use cloud storage services for data exfiltration shows a clear understanding of the growing reliance on these platforms, which makes traditional cybersecurity measures less effective.
Additionally, the use of living-off-the-land (LotL) techniques, such as exploiting syssetup.dll for rootkit installation, is a troubling development. This approach reduces the likelihood of detection by conventional security tools, as it relies on trusted system processes to carry out malicious activities. As a result, organizations must evolve their cybersecurity strategies to account for these new tactics, moving beyond traditional signature-based detection methods and incorporating more sophisticated behavioral analysis tools.
The fact that Earth Kurma has been able to maintain a persistent foothold within affected networks for extended periods also indicates the group’s proficiency in staying undetected. This persistence poses a significant business risk, as attackers can continue to siphon off valuable data, monitor network activity, and potentially cause long-term damage to the reputation and financial stability of targeted organizations.
What’s more concerning is the
Another key takeaway is the importance of cloud security. The use of Dropbox and OneDrive as exfiltration channels underscores the need for enhanced monitoring of cloud storage and collaboration platforms. Security measures should extend beyond traditional perimeter defenses and focus on protecting data as it moves between endpoints and cloud services. Organizations should implement strict access controls, encryption, and continuous monitoring to mitigate the risks posed by such exfiltration tactics.
Fact Checker Results:
- Earth Kurma has been confirmed to use cloud services like Dropbox and OneDrive for data exfiltration, as indicated by Trend Micro and other cybersecurity firms.
– The APT
– The
References:
Reported By: thehackernews.com
Extra Source Hub:
https://stackoverflow.com
Wikipedia
Undercode AI
Image Source:
Unsplash
Undercode AI DI v2




