{ "name": "A Dive into Latest Campaign", "slug": "a-dive-into-latest-campaign", "description": "Earth Baku, an advanced persistent threat actor, has broadened its operations from the Indo-Pacific region to Europe, the Middle East, and Africa, targeting countries like Italy, Germany, UAE, and Qatar. The group leverages public-facing applications like IIS servers as entry points, deploying sophisticated malware toolsets such as the Godzilla webshell, StealthVector, StealthReacher, and SneakCross. StealthVector and StealthReacher are customized loaders that stealthily launch backdoor components, while SneakCross is a modular backdoor utilizing Google services for command-and-control activities. During post-exploitation, Earth Baku employs tools like a customized iox tool, Rakshasa, and Tailscale for persistence, along with MEGAcmd for data exfiltration.", "published": "2024-08-09T18:15:47+00:00", "created_at": "2024-08-09T18:15:47+00:00", "modified_at": "2024-08-09T18:47:58+00:00", "created_at_opencti": "2024-08-09T18:15:47+00:00", "author": "", "confidence": null, "report_types": [], "labels": [], "tags": [ "2024-08-09", "apt", "backdoor", "cobalt strike", "cybercrime", "espionage", "godzilla", "loader", "megacmd", "rakshasa", "sneakcross", "stealthreacher", "stealthvector", "tailscale" ], "related_entities": { "observables": [ { "id": "", "name": "5.182.207.28" }, { "id": "", "name": "212.87.212.115" }, { "id": "", "name": "78.108.216.20" }, { "id": "", "name": "www.mircoupdate.https443.net" }, { "id": "", "name": "www.sitennews.com" }, { "id": "", "name": "track.cdn78544.ru" }, { "id": "", "name": "ec5a96f42aeccdf9a3ae4c3650689606c8539fd65c0b47f30887afecb901be43" }, { "id": "", "name": "e5f1360d4c299bb32e33e081115f2b520251a983af2ebc649b4b9b70308246fe" }, { "id": "", "name": "ec10a9396dca694fe64366e0dab82d046cf92457f97efd50a68ceb85adef6b74" }, { "id": "", "name": "e4360c0aa995e6e896b22bb7725a6c9b189be8606e7cbbc8b6e80c606358649d" }, { "id": "", "name": "cdcbd9c25e06ac6da5497fa19459d0007449ec1a3e6bc591334db6fb3598aecb" }, { "id": "", "name": "c02accc26a389397fb172f83258baa8a974986ffd706ba708a3b0a679f61be56" }, { "id": "", "name": "a50f85c71b69563ba42bf04c937e1063244ca4957231d3adac76f1c96ab42d3c" }, { "id": "", "name": "ab56501167fe689fe55f6e6ddc3bb91952299bd5c3ef004b02bf1c3b4061c7cf" }, { "id": "", "name": "8405d742405d3a6d3bda6bc49630dd5f3604a3d6ae27cbd533e425f8abbaafdc" }, { "id": "", "name": "7f24bc080281d250ec88493e5803e488721a17c9382cd54ba8dfbcb785f23a88" }, { "id": "", "name": "83de8917bf0ac1d670acf27431015215db872b7291979312dd65e30d99806abb" }, { "id": "", "name": "7e63c6b9ab3b32beffbc1eb23d6ca7cc59616b0722f0dd4f0d893c0a1724f5d7" }, { "id": "", "name": "7463700ec5768d4af6549028465f978059611555aa8e22e2b7c664b1cdbfa9ae" }, { "id": "", "name": "7586e58a569c2a07d0b3a710616f48833a040bf3fc57628bbdec7fcb462d565a" }, { "id": "", "name": "73eaba82ef1c502448e533007e92b1afa879b09f85f28b71648668ea62839ff5" }, { "id": "", "name": "3e52c310c6556367ff9e18448bc41719e603d1cbbdafdcba736c6565529617b6" }, { "id": "", "name": "22a50cea6ad67a7e8582d2cd4cdc3eaaf57c0fbe8cd062a9b15710166e255a86" }, { "id": "", "name": "21fc0f50d545c0a373380934dc61c423c8a31d8c3e6eae4f8a35149ad9962d88" }, { "id": "", "name": "166b6dcdac31f4bf51e4b20a7c3f7d4f7017ca0c30fa123d5591e25c3fa66107" }, { "id": "", "name": "1c88150ec85a07c3db5f18c5eedcb0b653467b897af01d690ed996e5e07ba8e3" }, { "id": "", "name": "0faddbe1713455e3fc9777ec45adf07b28e24f4c3ddca37586c2aa6b539898c0" }, { "id": "", "name": "073b35ecbd1833575fbfb1307654fc532fd938482e09426cfb0541ad87a04f75" }, { "id": "", "name": "07aa971f0791b06dd442d4c7a49c1d3d27a1cbb16602f731e870b5ef50edf69e" }, { "id": "", "name": "c6a3a1ea84251aed908702a1f2a565496d583239c5f467f5dcd0cfc5bfb1a6db" } ], "malware": [ { "id": "legacy:malware:8d945f179a9cca00", "name": "MEGAcmd", "slug": "megacmd" }, { "id": "legacy:malware:15f90b1816640066", "name": "Tailscale", "slug": "tailscale" }, { "id": "legacy:malware:cf485747234772ac", "name": "Rakshasa", "slug": "rakshasa" }, { "id": "f439d770-ca3e-4708-88ff-686a438b2725", "name": "SneakCross", "slug": "sneakcross" }, { "id": "legacy:malware:b615966fbef61d9d", "name": "StealthReacher", "slug": "stealthreacher" }, { "id": "legacy:malware:3bf498e8cb388ff3", "name": "StealthVector", "slug": "stealthvector" }, { "id": "legacy:malware:fb27193ab6e0bb48", "name": "Godzilla", "slug": "godzilla" }, { "id": "ab138766-9b64-4880-87fb-1942a709d778", "name": "Cobalt Strike - S0154", "slug": "cobalt-strike-s0154" } ], "intrusion_sets": [ { "id": "b698d672-773e-499f-a24d-005b856bff10", "name": "Earth Baku", "slug": "earth-baku" } ], "attack_patterns": [ { "id": "eb60c94a-2d33-4605-ab3f-982fac7c223b", "name": "T1022" }, { "id": "3be1a227-bbd0-4e76-9422-40e4078224f9", "name": "T1007" }, { "id": "f6ceeba2-b50c-47dc-8642-ab9842ca76d7", "name": "T1018" }, { "id": "1f2ce0cc-430c-4317-a332-83a27cbad1d3", "name": "T1548" }, { "id": "fe6f2946-a01e-460c-9636-8c48b45dd0e6", "name": "T1189" }, { "id": "32817170-4c07-427e-b8a5-80a733ae2550", "name": "T1497" }, { "id": "fc699aef-8931-4a79-8f79-9651be9abd50", "name": "T1021" }, { "id": "70616b2f-4019-4963-b758-5d9f6f20e201", "name": "T1082" }, { "id": "c473a756-355a-42ad-a0df-cd3a8fa006d1", "name": "T1057" }, { "id": "c3af9fd7-d307-4df4-9220-cc627938fb85", "name": "T1055" }, { "id": "7d7ac733-6442-416f-8669-c302dd0843b9", "name": "T1036" }, { "id": "0c836307-129e-4ff7-a532-180c633cacba", "name": "T1027" }, { "id": "09124a92-c11f-4571-b35b-ab0bce6dd081", "name": "T1112" }, { "id": "0b2b1ecd-d52e-492a-af08-050954bc03e5", "name": "T1056" }, { "id": "9b6064e6-a05b-4e95-baf5-34d180bc9221", "name": "T1059" } ], "others": [ { "id": "", "name": "South Georgia and the South Sandwich Islands" }, { "id": "", "name": "Georgia" }, { "id": "", "name": "Qatar" }, { "id": "", "name": "Italy" }, { "id": "", "name": "Germany" }, { "id": "", "name": "Romania" }, { "id": "", "name": "Technology" }, { "id": "", "name": "Healthcare" }, { "id": "", "name": "Media" }, { "id": "", "name": "Education" }, { "id": "", "name": "Telecommunications" }, { "id": "", "name": "Government" } ] }, "external_refs": [ "https://otx.alienvault.com/pulse/66b678f3c0df45d0d4599f59" ] }