Excerpt from The Hacker News Article, Published on Sep 23, 2024.

Chinese hackers, tracked as the Earth Baxia group, have been exploiting a critical vulnerability in GeoServer (CVE-2024-36401, CVSS score: 9.8) to target multiple countries across the Asia-Pacific (APAC) region, including Taiwan, South Korea, Vietnam, Thailand, and the Philippines. The attacks, first detected in July 2024 by Trend Micro, combine spear-phishing emails with exploitation of the GeoServer flaw to deploy the EAGLEDOOR malware.

EAGLEDOOR is a backdoor designed for data collection and payload delivery. It can communicate with its command-and-control (C2) servers over several channels, including DNS, HTTP, TCP, and Telegram, which lets the operators switch protocols to suit the target environment and evade network controls that block only one of them. The threat actor behind these attacks uses techniques such as AppDomainManager injection and GrimResource to deliver additional malware, with decoy files to evade detection. A key part of the campaign is the use of Cobalt Strike, a commercial red-team framework that is frequently abused in advanced cyber espionage.

The campaign has focused on government agencies, telecommunication companies, and the energy sector in APAC countries. Notably, the hackers used command-and-control domains that mimic major cloud services such as Amazon Web Services and Microsoft Azure, so that C2 traffic blends in with legitimate cloud activity, which indicates the complexity of the operation. Researchers also noted a resemblance between this campaign and others linked to the notorious APT41 group, suggesting the possible involvement of multiple threat actors.
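One defensive takeaway from the cloud-lookalike C2 domains is that DNS telemetry can be screened for names that carry a cloud brand token but do not resolve under the brand's legitimate registrable domain. The following is an added example, not code from the article or from Trend Micro; the log format, the sample query lines and the brand/apex lists are all constructed assumptions, and the two-label apex extraction is a deliberate simplification of what a production tool would do with the Public Suffix List.

```python
import re

# Constructed sample DNS query log (assumed format; domains are not real IoCs).
SAMPLE_DNS_LOG = """\
2024-07-12T08:14:01Z client=10.0.5.21 query=s3.amazonaws.com type=A
2024-07-12T08:14:07Z client=10.0.5.21 query=login.microsoftonline.com type=A
2024-07-12T08:15:33Z client=10.0.5.44 query=aws-update-service.example-cdn.net type=A
2024-07-12T08:16:10Z client=10.0.5.44 query=azure-api.cloud-sync.example.org type=TXT
2024-07-12T08:17:02Z client=10.0.5.21 query=blob.core.windows.net type=A
"""

# Registrable domains that legitimately serve the cloud brands named in the article
# (assumed allow-list; extend it from your own environment's baseline).
LEGIT_APEX = {
    "amazonaws.com", "amazon.com", "microsoft.com", "microsoftonline.com",
    "windows.net", "azure.com", "azure.net", "azureedge.net",
}
# Brand tokens an impersonating C2 domain is likely to embed.
BRAND_TOKENS = ("amazonaws", "aws-", "azure", "microsoft")

LINE_RE = re.compile(r"client=(?P<client>\S+)\s+query=(?P<qname>\S+)\s+type=(?P<qtype>\S+)")


def registrable_domain(fqdn):
    """Simplified apex extraction: the last two labels (adequate for the TLDs above)."""
    labels = fqdn.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_cloud_lookalike(fqdn):
    """True when the name embeds a cloud brand token but sits outside the legit apexes."""
    name = fqdn.lower()
    if registrable_domain(name) in LEGIT_APEX:
        return False
    return any(tok in name for tok in BRAND_TOKENS)


def find_lookalike_queries(log_text):
    """Return (client, qname, qtype) for every query that looks like a cloud-brand impostor."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and is_cloud_lookalike(m["qname"]):
            hits.append((m["client"], m["qname"], m["qtype"]))
    return hits


if __name__ == "__main__":
    for client, qname, qtype in find_lookalike_queries(SAMPLE_DNS_LOG):
        print(f"suspicious cloud-lookalike query from {client}: {qname} ({qtype})")
```

Hits from this heuristic are triage leads, not verdicts; a TXT query to an impostor name, as in the sample, is worth a closer look because the article notes DNS is one of EAGLEDOOR's C2 channels.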

This ongoing campaign underscores the growing threat posed by state-sponsored hacking groups in the region, whose end goal is the exfiltration of sensitive information. The use of the EAGLEDOOR malware highlights the increasing sophistication of attacks on critical sectors, with Chinese APTs continuing to refine their methods to bypass detection and to exploit vulnerabilities in widely used software platforms.

To delve deeper into this topic, please read the full article on The Hacker News.