<\/p>\n
![](\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/thumbnails\/EarthKasha.png\")
<\/div>\nLODEINFO Since 2023<\/span><\/p>\n In the new campaign starting in early 2023, Earth Kasha expanded their targets into Japan, Taiwan, and India. Based on the bias of the incident amount, while we believe that Japan is still the main target of Earth Kasha, we observed that a few high-profile organizations in Taiwan and India were targeted. The observed industries under attack are organizations related to advanced technology and government agencies.<\/p>\n Earth Kasha has also employed different Tactics, Techniques, and Procedures (TTPs) in the Initial Access phase, which now exploits public-facing applications such as SSL-VPN and file storage services. We observed that vulnerabilities of enterprise products, such as Array AG (CVE-2023-28461)<\/a>, Proself (CVE-2023-45727)<\/a> and FortiOS\/FortiProxy (CVE-2023-27997)<\/a>, were abused in the wild. Earth Kasha was changing these vulnerabilities to abuse from time to time. After gaining access, they deployed several backdoors in the victim’s network to achieve persistence. These include Cobalt Strike, LODEINFO, and the newly discovered NOOPDOOR, which we will describe later.<\/p>\n Our comprehensive analysis of the activities in the Post-Exploitation phase has revealed that the primary motivation behind the attack was the theft of the victim\u2019s information and data. Earth Kasha first discovered Active Directory configuration and domain user information to achieve this goal using legitimate Microsoft tools, such as csvde.exe<\/i>, nltest.exe<\/i> and quser.exe<\/i>. The following are actual commands used by the adversary.<\/p>\n They then accessed the file server and tried to find documents related to the system information of the customer’s network by simply using “dir” commands recursively. Interestingly, upon checking on their activity, the operator might check the content of the documents manually. The stolen information may help the adversary find the next valuable target.<\/p>\n Earth Kasha then performs several techniques to acquire credentials. One method uses their custom malware, MirrorStealer, to dump stored credentials in applications. MirrorStealer (originally reported by ESET<\/a>) is a credential dumper targeting multiple applications such as browsers (Chrome, Firefox, Edge and Internet Explorer), email clients (Outlook, Thunderbird, Becky, and Live Mail), Group Policy Preferences and SQL Server Management Studio.<\/p>\n Since MirrorStealer may be designed to dump credentials on client machines, Earth Kasha used another way to dump OS credentials. We observed that the adversary abused vssadmin<\/i> to copy registry hives and ntds.dit<\/i> in the Active Directory server from volume shadow copy. The SAM registry hive contains the NTLM hash of local machine users, while ntds.dit<\/i> contains the NTLM hash of all the domain users. The following are commands the adversary uses after creating a volume shadow copy.<\/p>\nObserved TTPs in Post-Exploitation<\/span><\/h3>\n
\n