Earth Kasha, a cybercriminal group that has been active since 2019, is known for using the LODEINFO malware as a primary backdoor in its attacks. Initially, the group primarily targeted organizations in Japan through spear-phishing campaigns. However, in a new wave of attacks that started in early 2023, Earth Kasha expanded its focus to Taiwan and India, continuing its trend of targeting government agencies and advanced technology firms. The group has demonstrated an evolving approach, adapting its tactics, techniques, and tools to infiltrate these organizations and maintain a strong foothold in their networks.
A significant change in Earth Kasha’s recent campaign is its shift from traditional spear-phishing tactics to exploiting vulnerabilities in public-facing applications. The group has leveraged flaws in SSL-VPNs and file storage services to gain initial access. Notable vulnerabilities, including CVE-2023-28461 and CVE-2023-27997, have been actively targeted, allowing Earth Kasha to bypass defenses and penetrate organizations’ internal networks. Once inside, the group deploys a variety of backdoors, including LODEINFO, Cobalt Strike, and the newly discovered NOOPDOOR, enhancing its ability to maintain persistence and control over compromised systems.
The group’s post-exploitation activities are designed to gather valuable information for long-term goals, including data theft and lateral movement within compromised networks. Earth Kasha uses legitimate Microsoft tools to extract information about domain users, active directory configurations, and network details. Additionally, the group employs credential dumping techniques through custom malware like MirrorStealer and by abusing volume shadow copies to harvest sensitive data, including NTLM hashes. Once domain admin credentials are obtained, Earth Kasha deploys malicious components across the network and exfiltrates critical files, which are often compressed and transferred via RDP or other backdoor channels.
In terms of malware evolution, Earth Kasha has demonstrated remarkable adaptability. While LODEINFO remains a key tool in the group’s arsenal, it is no longer the sole option. New tools like NOOPDOOR have been observed, showing the group’s diversification of its attack methods. LODEINFO itself has undergone several updates, including changes in its execution procedure. The malware now utilizes DLL side-loading techniques and encrypted payloads embedded in digital signatures to avoid detection. This evolving toolkit, combined with the group’s sophisticated tactics, showcases Earth Kasha’s continued ability to adapt to security defenses and steal sensitive data across multiple regions and sectors.
