Earth Baku, a sophisticated advanced persistent threat (APT) group linked with APT41, has significantly expanded its cyber operations from the Indo-Pacific region to target Europe, the Middle East, and Africa (MEA). This shift in focus has brought the group's malicious activities to countries such as Italy, Germany, the UAE, and Qatar, with signs of operations also emerging in Georgia and Romania. The group's recent campaigns show both a broadened scope and an evolution in its tactics, techniques, and procedures (TTPs).
Central to Earth Baku's operations is the group's use of public-facing applications, notably IIS servers, as initial entry points into target networks. Once inside, the group deploys advanced malware tools, including the Godzilla webshell, which provides initial control, followed by loaders such as StealthVector and StealthReacher. These loaders are used to deploy the group's latest backdoor, SneakCross, which features modular capabilities and uses Google services for command-and-control (C&C) communication, making it particularly challenging to detect and counter.
Earth Baku’s post-exploitation phase reveals a range of sophisticated tools used for maintaining persistence and exfiltrating data. The group leverages customized reverse tunneling tools, such as their own iox tool, Rakshasa, and Tailscale VPN, to secure persistent access to compromised systems. Additionally, MEGAcmd is utilized for efficient data exfiltration to the MEGA cloud storage service, showcasing the group’s capability to handle and extract large volumes of stolen data discreetly.
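As an added example, not code from the original report or from the vendor, the following Python hunting routine shows how a defender might turn the two TTPs described above (a webshell on a public-facing IIS server, and reverse-tunnelling or exfiltration tooling running post-compromise) into a check over process-creation events. The event format, the sample events, and the binary names used for iox, Rakshasa, Tailscale, and MEGAcmd are constructed assumptions for the example; the one thing taken as known is that the IIS worker process is `w3wp.exe`, so a command interpreter spawned directly by it is a generic webshell indicator rather than anything specific to this group.

```python
"""
Added example (not from the original report): scan process-creation events
for two patterns consistent with the post-exploitation behaviour described:

  1. The IIS worker process (w3wp.exe) spawning a command interpreter, a
     common sign of webshell activity on an internet-facing IIS server.
  2. Execution of the reverse-tunnelling / exfiltration tools named in the
     report (iox, Rakshasa, Tailscale, MEGAcmd) on hosts where they are
     not expected.

Event format and sample events are constructed for this example; the tool
binary names are assumptions, not indicators from the report.
"""
import json
from dataclasses import dataclass
from typing import Iterable, List, Optional

IIS_WORKER = "w3wp.exe"
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Assumed on-disk names for the tools named in the report (lower-cased stems).
SUSPECT_TOOLS = {"iox", "rakshasa", "tailscale", "tailscaled"}


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    image: str
    parent: str


def _basename(path: str) -> str:
    """Return the lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def evaluate_event(ev: dict, expected_tool_hosts=frozenset()) -> Optional[Finding]:
    """Apply both rules to one event; return a Finding or None."""
    image = _basename(ev.get("image", ""))
    parent = _basename(ev.get("parent_image", ""))
    host = ev.get("host", "")

    # Rule 1: IIS worker process spawning a shell. Note that w3wp.exe
    # legitimately spawns csc.exe for ASP.NET compilation, so only
    # interpreters are matched, not every child process.
    if parent == IIS_WORKER and image in SHELLS:
        return Finding(host, "iis_worker_spawned_shell", image, parent)

    # Rule 2: tunnelling / exfiltration tooling. MEGAcmd ships several
    # binaries, so its stem is matched by prefix; the others by exact stem.
    stem = image.rsplit(".", 1)[0]
    if stem in SUSPECT_TOOLS or stem.startswith("megacmd"):
        # Hosts where an admin is known to run e.g. Tailscale are allow-listed
        # to keep the rule usable; everywhere else the execution is flagged.
        if host not in expected_tool_hosts:
            return Finding(host, "tunnel_or_exfil_tool", image, parent)
    return None


def hunt(lines: Iterable[str], expected_tool_hosts=frozenset()) -> List[Finding]:
    """Evaluate newline-delimited JSON events and collect all findings."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        f = evaluate_event(json.loads(line), expected_tool_hosts)
        if f is not None:
            findings.append(f)
    return findings


# Constructed sample events (JSON lines) covering hits, a benign w3wp child,
# an allow-listed Tailscale host, and ordinary system activity.
SAMPLE_EVENTS = [json.dumps(e) for e in [
    {"host": "web01", "parent_image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\cmd.exe"},
    {"host": "web01", "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\ProgramData\iox.exe"},
    {"host": "fs02", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Users\svc\AppData\Local\MEGAcmd\MEGAcmdServer.exe"},
    {"host": "jump01", "parent_image": r"C:\Windows\System32\services.exe",
     "image": r"C:\Program Files\Tailscale\tailscale.exe"},
    {"host": "web01", "parent_image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"},
    {"host": "web02", "parent_image": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\svchost.exe"},
]]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS, expected_tool_hosts={"jump01"}):
        print(f"{f.host}: {f.rule} ({f.parent} -> {f.image})")
```

Run as a script it prints three findings: the shell spawned by the IIS worker on web01, the iox binary on web01, and the MEGAcmd server process on fs02; the Tailscale execution on jump01 is suppressed only because that host is allow-listed, and the csc.exe child of w3wp.exe is ignored as normal ASP.NET behaviour.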
In light of these developments, organizations across the affected regions are urged to bolster their cybersecurity measures. Key recommendations include enforcing the principle of least privilege, regularly updating and patching systems, implementing a proactive incident response strategy, and adhering to the 3-2-1 backup rule. Employing advanced security technologies, like Trend Vision One™, can also help in identifying and mitigating such threats, providing a comprehensive defense against these increasingly sophisticated cyber attacks.