{"id":57757,"date":"2024-11-26T00:00:00","date_gmt":"2024-11-26T00:00:00","guid":{"rendered":"urn:uuid:6f3236a8-4564-87c2-9860-6db0873c7b5c"},"modified":"2024-11-26T00:00:00","modified_gmt":"2024-11-26T00:00:00","slug":"guess-whos-back-the-return-of-anel-in-the-recent-earth-kasha-spear-phishing-campaign-in-2024","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/guess-whos-back-the-return-of-anel-in-the-recent-earth-kasha-spear-phishing-campaign-in-2024\/","title":{"rendered":"Guess Who\u2019s Back &#8211; The Return of ANEL in the Recent Earth Kasha Spear-phishing Campaign in 2024"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/ANELthumbnail:Large?qlt=80\"><!-- OneTrust Cookies Consent Notice start for trendmicro.com --><!-- OneTrust Cookies Consent Notice end for trendmicro.com --> <head> <meta charset=\"UTF-8\"> <meta name=\"viewport\" content=\"width=device-width, initial-scale=1\"> <meta name=\"description\" content=\"Trend Micro has identified a spear-phishing campaign active in Japan since June 2024. 
Evidence about the malware used by this campaign suggests this was part of a new operation by Earth Kasha.\"> <meta name=\"robots\" content=\"index,follow\"> <meta name=\"keywords\" content=\"apt &amp; targeted attacks,endpoints,research,articles, news, reports\"> <meta http-equiv=\"X-UA-Compatible\" content=\"IE=edge,chrome=1\"> <meta name=\"template\" content=\"article1withouthero\"> <meta property=\"article:published_time\" content=\"2024-11-26\"> <meta property=\"article:tag\" content=\"apt &amp; targeted attacks\"> <meta property=\"article:section\" content=\"research\"> <link rel=\"icon\" type=\"image\/ico\" href=\"\/content\/dam\/trendmicro\/favicon.ico\"> <link rel=\"canonical\" href=\"https:\/\/www.trendmicro.com\/en_us\/research\/24\/k\/return-of-anel-in-the-recent-earth-kasha-spearphishing-campaign.html\"> <title>Guess Who\u2019s Back &#8211; The Return of ANEL in the Recent Earth Kasha Spear-phishing Campaign in 2024 | Trend Micro (US)<\/title> <link href=\"https:\/\/fonts.googleapis.com\/css?family=Open+Sans:300,300i,400,400i,600\" rel=\"stylesheet\">\n<link href=\"\/\/customer.cludo.com\/css\/296\/1798\/cludo-search.min.css\" type=\"text\/css\" rel=\"stylesheet\"> <link rel=\"stylesheet\" href=\"\/etc.clientlibs\/trendresearch\/clientlibs\/clientlib-trendresearch.min.css\" type=\"text\/css\">\n<link rel=\"stylesheet\" href=\"\/etc.clientlibs\/trendmicro\/clientlibs\/trendmicro-core-2\/clientlibs\/header-footer.min.css\" type=\"text\/css\"> <meta property=\"og:url\" content=\"https:\/\/www.trendmicro.com\/en_us\/research\/24\/k\/return-of-anel-in-the-recent-earth-kasha-spearphishing-campaign.html\"><br \/>\n<meta property=\"og:title\" content=\"Guess Who\u2019s Back - The Return of ANEL in the Recent Earth Kasha Spear-phishing Campaign in 2024\"><br \/>\n<meta property=\"og:description\" content=\"Trend Micro has identified a spear-phishing campaign active in Japan since June 2024. 
Evidence about the malware used by this campaign suggests this was part of a new operation by Earth Kasha.\"><br \/>\n<meta property=\"og:site_name\" content=\"Trend Micro\"><br \/>\n<meta property=\"og:image\" content=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/thumbnails\/ANELthumbnail.png\"><br \/>\n<meta property=\"og:locale\" content=\"en_US\"> <meta name=\"twitter:card\" content=\"summary_large_image\"><br \/>\n<meta name=\"twitter:site\" content=\"@TrendMicro\"><br \/>\n<meta name=\"twitter:title\" content=\"Guess Who\u2019s Back - The Return of ANEL in the Recent Earth Kasha Spear-phishing Campaign in 2024\"><br \/>\n<meta name=\"twitter:description\" content=\"Trend Micro has identified a spear-phishing campaign active in Japan since June 2024. Evidence about the malware used by this campaign suggests this was part of a new operation by Earth Kasha.\"><br \/>\n<meta name=\"twitter:image\" content=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/thumbnails\/ANELthumbnail.png\"> <\/head> <body class=\"articlepage page basicpage context-business\" id=\"readabilityBody\" readability=\"50.046023885814\"> <!-- Page Scroll: Back to Top --> <a id=\"page-scroll\" title=\"VerticalPageScroll\" href=\"javascript:jumpScroll($(this).scrollTop());\"> <span class=\"icon-chevron-up\"><\/span> <\/a> <!-- \/* Data Layers *\/ --> <\/p>\n<div class=\"root responsivegrid\">\n<div class=\"aem-Grid aem-Grid--12 aem-Grid--default--12 \">\n<div class=\"articleBodyNoHero aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"research-layout article container\" role=\"contentinfo\">\n<article class=\"research-layout--wrapper row\" data-article-pageid=\"191569457\">\n<div class=\"col-xs-12 col-md-12 one-column\">\n<div class=\"col-xs-12 col-md-12\" readability=\"7.8172588832487\">\n<div class=\"article-details\" role=\"heading\" readability=\"35.177664974619\"> <span class=\"article-details__bar\" 
role=\"img\"><\/span> <\/p>\n<p class=\"article-details__display-tag\">APT &amp; Targeted Attacks<\/p>\n<p class=\"article-details__description\">Trend Micro has identified a spear-phishing campaign active in Japan since June 2024. Evidence about the malware used by this campaign suggests this was part of a new operation by Earth Kasha.<\/p>\n<p class=\"article-details__author-by\">By: Hara Hiroaki <time class=\"article-details__date\">November 26, 2024<\/time> <span>Read time:&nbsp;<\/span><span class=\"eta\"><\/span> (<span class=\"words\"><\/span> words) <\/p>\n<div class=\"article-details__icons\"> <!--Add This--> <\/p>\n<div class=\"a2a_kit a2a_default_style\" data-a2a-icon-color=\"#717172\"> <a class=\"a2a_dd addthis_link\" href=\"https:\/\/www.addtoany.com\/share\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/etc.clientlibs\/trendresearch\/clientlibs\/clientlib-trendresearch\/resources\/img\/share-more.svg\" class=\"svg-icon\" alt=\"Share\"> <\/a> <a class=\"a2a_button_print addthis_link\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/etc.clientlibs\/trendresearch\/clientlibs\/clientlib-trendresearch\/resources\/img\/printer.svg\" class=\"svg-icon\" alt=\"Print\"> <\/a> <\/div>\n<p> <!--Add to Folio--> <!--Subscribe--> <\/div>\n<\/div><\/div>\n<\/p><\/div>\n<hr class=\"research-layout-divider\"> <main class=\"main--content col-xs-12 col-lg-8 col-lg-push-2\"> <\/p>\n<div>\n<div class=\"richText\" readability=\"40.174008810573\">\n<div readability=\"31.786028949025\">\n<p>This blog is a part of a blog series about Earth Kasha. 
Kindly refer to our blog about the previous campaigns, where we discussed the tactics and targets of Earth Kasha in detail; read <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/24\/k\/lodeinfo-campaign-of-earth-kasha.html\">here<\/a> for a deeper understanding.<\/p>\n<h2><span class=\"body-subhead-title\">Introduction<\/span><\/h2>\n<p>According to research by Trend Micro, a new spear-phishing campaign targeting individuals and organizations in Japan has been underway since around June 2024. An interesting aspect of this campaign is the comeback of a backdoor dubbed ANEL, which was used in <a href=\"https:\/\/blog.trendmicro.co.jp\/archives\/17280\">campaigns targeting Japan by APT10 until around 2018 and had not been observed since then<\/a>. Additionally, NOOPDOOR, known to be used by Earth Kasha, has been confirmed to be used in the same campaign. Based on these findings, we assess this campaign as part of a new operation by Earth Kasha.<\/p>\n<h2><span class=\"body-subhead-title\">Campaign Details<\/span><\/h2>\n<p>The campaign, observed around June 2024 and attributed to Earth Kasha, employed spear-phishing emails for Initial Access. Specific targets include individuals affiliated with political organizations, research institutions, think tanks, and organizations related to international relations. In 2023, <a href=\"https:\/\/jsac.jpcert.or.jp\/archive\/2024\/pdf\/JSAC2024_2_7_hara_shoji_higashi_vickie-su_nick-dai_en.pdf\" target=\"_blank\" rel=\"noopener\">Earth Kasha primarily attempted to exploit vulnerabilities against edge devices for intrusion<\/a>&nbsp;but this new campaign reveals that they have once again changed their TTPs. This shift appears to be driven by a target change, moving from enterprises to individuals. 
Additionally, an analysis of the victim profiles and the names of the distributed lure files suggests that the adversaries are particularly interested in topics related to Japan\u2019s national security and international relations.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/k\/guess-whos-back-the-return-of-anel-in-the-recent-earth-kasha-spearphishing-campaign-in-2024\/1.png\" alt=\"Brief timeline of Earth Kasha\u2019s campaigns\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 1. Brief timeline of Earth Kasha\u2019s campaigns<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"40\">\n<div readability=\"25\">\n<p>The spear-phishing emails used in this campaign were sent either from free email accounts or from compromised accounts. The emails contained a URL link to a OneDrive. They included a message in Japanese encouraging the recipient to download a ZIP file. Here are some potential email subjects that were observed, likely crafted to attract the interest of the targeted recipients:<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">\u53d6\u6750\u7533\u8acb\u66f8 (Interview Request Form)<\/span><\/li>\n<li><span class=\"rte-red-bullet\">\u7c73\u4e2d\u306e\u73fe\u72b6\u304b\u3089\u8003\u3048\u308b\u65e5\u672c\u306e\u7d4c\u6e08\u5b89\u5168\u4fdd\u969c (Japan&#8217;s Economic Security in Light of Current US-China Relations)<\/span><\/li>\n<li><span class=\"rte-red-bullet\">[\u5b98\u516c\u5e81\u30fb\u516c\u7684\u6a5f\u95a2\u4e00\u89a7] ([List of Government and Public Institutions])<\/span><\/li>\n<\/ul>\n<p>The files in the ZIP file, which works as the infection vector, vary depending on the period and the target.<\/p>\n<h3><span class=\"body-subhead-title\">Case 1: Macro-Enabled Document<\/span><\/h3>\n<p>The simplest case involves a document with embedded macros. 
The infection begins when the document is opened and the user enables the macros. This document file is a malicious dropper that we have named ROAMINGMOUSE. As explained later, ROAMINGMOUSE can extract and execute embedded ANEL-related components (a legitimate EXE, ANELLDR, and encrypted ANEL). Two patterns are observed in this process: one involves dropping a ZIP file and then extracting it, while the other consists of directly dropping the components.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/k\/guess-whos-back-the-return-of-anel-in-the-recent-earth-kasha-spearphishing-campaign-in-2024\/2.png\" alt=\"Execution flow of Case 1\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 2. Execution flow of Case 1<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"32.5\">\n<div readability=\"10\">\n<h3><span class=\"body-subhead-title\">Case 2: Shortcut + SFX + Macro-Enabled Template Document<\/span><\/h3>\n<p>In other cases, the ZIP file did not directly contain ROAMINGMOUSE. Instead, it included a shortcut file and an SFX (self-extracting) file disguised as a document by changing its icon and extension.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/k\/guess-whos-back-the-return-of-anel-in-the-recent-earth-kasha-spearphishing-campaign-in-2024\/3.png\" alt=\"Execution flow of Case 2\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 3. 
Execution flow of Case 2<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"32\">\n<div readability=\"9\">\n<p>When the shortcut file is opened, it executes the SFX file in the same directory disguised as a .docx file.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/k\/guess-whos-back-the-return-of-anel-in-the-recent-earth-kasha-spearphishing-campaign-in-2024\/4.png\" alt=\"Shortcut file to execute another file\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 4. Shortcut file to execute another file<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"37\">\n<div readability=\"19\">\n<p>The SFX file places two document files into the %APPDATA%\\Microsoft\\Templates folder. One of these files is a harmless decoy document, while the other, named &#8220;normal_.dotm,&#8221; contains a macro called ROAMINGMOUSE. When the decoy document is opened, ROAMINGMOUSE is automatically loaded as a Word Template file. The behavior of ROAMINGMOUSE after execution is identical to that observed in Case 1.<\/p>\n<h3><span class=\"body-subhead-title\">Case 3: Shortcut + CAB + Macro-Enabled Template Document<\/span><\/h3>\n<p>A similar case to Case 2 has also been observed, where the shortcut file executes PowerShell, which then drops an embedded CAB file.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/k\/guess-whos-back-the-return-of-anel-in-the-recent-earth-kasha-spearphishing-campaign-in-2024\/5.png\" alt=\"Execution flow of Case 3\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 5. 
Execution flow of Case 3<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"33.5\">\n<div readability=\"12\">\n<p>The shortcut file contained a PowerShell one-liner in this case, as shown in the figure below. This script dropped and extracted a CAB file embedded at a specific offset within the shortcut file and executed a decoy file. The decoy file then automatically loaded ROAMINGMOUSE as a template file, following the same process as in Case 2.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/k\/guess-whos-back-the-return-of-anel-in-the-recent-earth-kasha-spearphishing-campaign-in-2024\/6.png\" alt=\"PowerShell oneliner in the shortcut file\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 6. PowerShell oneliner in the shortcut file<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/k\/guess-whos-back-the-return-of-anel-in-the-recent-earth-kasha-spearphishing-campaign-in-2024\/7.png\" alt=\"CAB file embedded in the shortcut file\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 7. CAB file embedded in the shortcut file<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"36\">\n<div readability=\"17\">\n<h2><span class=\"body-subhead-title\">Malware on Initial Access<\/span><\/h2>\n<p><b>ROAMINGMOUSE<\/b><\/p>\n<p>The macro-enabled document used for initial access in this campaign is the one we have named &#8220;ROAMINGMOUSE.&#8221; This document acts as a dropper for components related to ANEL. The primary role of ROAMINGMOUSE is to execute the subsequent ANEL payload while minimizing the chances of detection. 
To achieve this, it implements various evasion techniques.<\/p>\n<p><b>(Basic) Sandbox Evasion<\/b><\/p>\n<p>The ROAMINGMOUSE variant introduced in Case 1 requires the user to enable macros. This variant includes a feature that initiates malicious activity based on specific mouse movements made by the user. This functionality is achieved by implementing a function that responds to the &#8220;MouseMove&#8221; event, triggered when the mouse hovers over a user form embedded within the document.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/k\/guess-whos-back-the-return-of-anel-in-the-recent-earth-kasha-spearphishing-campaign-in-2024\/8.png\" alt=\"Malicious routine will be triggered when moving a mouse properly.\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 8. Malicious routine will be triggered when moving a mouse properly.<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"38.5\">\n<div readability=\"22\">\n<p>This feature ensures that malicious activities do not begin unless specific user interactions occur, which is likely implemented as a sandbox evasion technique. However, it should be noted that many commercial and open-source sandboxes have addressed such sandbox evasion techniques in recent years, making them less effective.<\/p>\n<p><b>Custom Base64-encoded Payloads<\/b><\/p>\n<p>The classification of this as an evasion technique is up for debate; however, it is undeniably one of the distinctive functions of ROAMINGMOUSE. This technique was employed in Pattern 1 of Case 1. ROAMINGMOUSE embeds the ZIP file containing the ANEL-related components by encoding it in Base64 and splitting it into three parts, with one part encoded using a custom Base64 encoding table. 
The files within the ZIP file are then extracted to a specific path.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/k\/guess-whos-back-the-return-of-anel-in-the-recent-earth-kasha-spearphishing-campaign-in-2024\/9.png\" alt=\"Partially custom Base64-encoded data embedded in ROAMINGMOUSE\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 9. Partially custom Base64-encoded data embedded in ROAMINGMOUSE<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"36\">\n<div readability=\"17\">\n<p>This technique may slow down analysis, but it may also be an evasion technique against modern tools that automatically decode Base64 embedded in VBA. Such tools have become more common recently, making this a potential countermeasure against them.<\/p>\n<p><b>HEX-encoded Payloads<\/b><\/p>\n<p>In some instances, such as Pattern 2 of Case 1, we observed that the ANEL-related components were dropped directly without being processed through a Base64-encoded ZIP file. In these cases, each component was embedded in the VBA code as a HEX-encoded string.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/k\/guess-whos-back-the-return-of-anel-in-the-recent-earth-kasha-spearphishing-campaign-in-2024\/10.png\" alt=\"HEX-encoded payloads embedded in ROAMINGMOUSE\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 10. 
HEX-encoded payloads embedded in ROAMINGMOUSE<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"33.5\">\n<div readability=\"12\">\n<p><b>Execution Through WMI<\/b><\/p>\n<p>The dropped files include the following ANEL-related components:<\/p>\n<ol>\n<li><b>ScnCfg32.Exe<\/b>: A legitimate application that loads the DLL in the same directory via DLL sideloading.<\/li>\n<li><b>vsodscpl.dll<\/b>: The ANELLDR loader.<\/li>\n<li><b>&lt;RANDOM&gt;<\/b>: The encrypted ANEL.<\/li>\n<\/ol>\n<p>ROAMINGMOUSE executes ANEL by running the legitimate application &#8220;ScnCfg32.exe,&#8221; which loads the malicious DLL &#8220;vsodscpl.dll&#8221; through DLL sideloading. It uses WMI to execute &#8220;explorer.exe&#8221; with &#8220;ScnCfg32.Exe&#8221; as an argument during this process.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/k\/guess-whos-back-the-return-of-anel-in-the-recent-earth-kasha-spearphishing-campaign-in-2024\/11.png\" alt=\"Program execution through WMI\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 11. Program execution through WMI<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"31.517391304348\">\n<div readability=\"18.009937888199\">\n<p>This approach aims to avoid detection by security products, which are more likely to flag processes like &#8220;cmd.exe&#8221; when executed directly from a document file, such as a Word document. By bypassing &#8220;cmd.exe&#8221; and running the program through WMI, they attempt to evade these detection mechanisms.<\/p>\n<p><b>ANELLDR<\/b><\/p>\n<p>We have been tracking the unique loader used to execute ANEL in memory, which we have named ANELLDR. ANELLDR has been observed as early as 2018. In terms of its functionality, the version used in this campaign is identical to the one used in 2018. 
Beyond its core functionality, <a href=\"https:\/\/www.virusbulletin.com\/virusbulletin\/2020\/03\/vb2019-paper-defeating-apt10-compiler-level-obfuscations\/\" target=\"_blank\" rel=\"noopener\">ANELLDR is known for using anti-analysis techniques such as junk code insertion, Control Flow Flattening (CFF), and Mixed Boolean Arithmetic (MBA)<\/a>. The ANELLDR observed in this campaign also implemented the same techniques.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/k\/guess-whos-back-the-return-of-anel-in-the-recent-earth-kasha-spearphishing-campaign-in-2024\/12.png\" alt=\"Repeatedly inserted junk codes\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 12. Repeatedly inserted junk codes<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/k\/guess-whos-back-the-return-of-anel-in-the-recent-earth-kasha-spearphishing-campaign-in-2024\/13.png\" alt=\"Obfuscated function by CFF\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 13. Obfuscated function by CFF<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/k\/guess-whos-back-the-return-of-anel-in-the-recent-earth-kasha-spearphishing-campaign-in-2024\/14.png\" alt=\"Simple XOR instruction converted into complex instructions by MBA.\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 14. 
Simple XOR instruction converted into complex instructions by MBA.<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"44.5\">\n<div readability=\"34\">\n<p>Although there is some publicly available information about ANELLDR, a thorough description of its behavior has not yet been provided. We will give a detailed explanation of the loader&#8217;s functionality.<\/p>\n<p>ANELLDR is activated via DLL sideloading from a legitimate application to begin its malicious activities. Once executed, it enumerates files in the current directory to search for encrypted payload files. Notably, the decryption logic of ANELLDR differs between the initial and subsequent executions.<\/p>\n<p>During the initial execution, ANELLDR reads the last four bytes of the target file as the stored checksum and calculates the Adler-32 checksum of the data up to file size minus 0x34 bytes (where 0x34 bytes accounts for the 0x30 bytes of AES material and 0x4 bytes of checksum, explained later). It then compares the two checksums to check whether the target file is the expected encrypted file. If a directory exists at the same level, it recursively processes the files within that directory.<\/p>\n<p>Once the file has passed verification, the decryption process begins. For this, the last 0x30 bytes of the file are divided into two parts: the first 0x20 bytes are used as the AES key, while the remaining 0x10 bytes are used as the AES IV. ANELLDR then decrypts the encrypted data (up to the file size minus 0x34 bytes) using AES-256-CBC and executes the payload in memory.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/k\/guess-whos-back-the-return-of-anel-in-the-recent-earth-kasha-spearphishing-campaign-in-2024\/15.png\" alt=\"Execution flow of ANELLDR\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 15. 
Execution flow of ANELLDR<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"36\">\n<div readability=\"17\">\n<p>Once ANELLDR successfully decrypts the encrypted payload, it updates the key and IV, re-encrypts the payload using AES-256-CBC, and overwrites the original encrypted payload file with the newly encrypted data. The AES key and IV used in this process are generated based on the file path of the executing file and a hardcoded string. This involves utilizing a custom Base64 encoding, the Blowfish encryption algorithm, and XOR operations, which ensures that the key and IV are unique to the running environment. Since the AES key and IV used for encryption are not embedded in the file, you must know the exact file path where the payload was initially stored to decrypt an encrypted payload file obtained from an infected environment.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/k\/guess-whos-back-the-return-of-anel-in-the-recent-earth-kasha-spearphishing-campaign-in-2024\/16.png\" alt=\"File structure of the re-encrypted payload blob\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 16. File structure of the re-encrypted payload blob<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"34.425339366516\">\n<div readability=\"16.25641025641\">\n<p><b>The 2nd-stage shellcode<\/b><\/p>\n<p>The decrypted data is shellcode-formed and executed in memory. This 2nd-stage shellcode is responsible for loading and executing the final payload, a DLL, in memory. 
First, the 2nd-stage shellcode attempts to evade being debugged by calling ZwSetInformationThread API with the second argument set to <a href=\"https:\/\/anti-debug.checkpoint.com\/techniques\/interactive.html#ntsetinformationthread\" target=\"_blank\" rel=\"noopener\">ThreadHideFromDebugger (0x11)<\/a>. Next, it retrieves the address of the encrypted data. To do this, it calls a unique function filled with NOP instructions to obtain the current address in memory. After obtaining this address, it calculates the location of the encrypted payload-related data, which is located immediately after this function.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/k\/guess-whos-back-the-return-of-anel-in-the-recent-earth-kasha-spearphishing-campaign-in-2024\/17.png\" alt=\"Unique function filled with NOP instructions\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 17. Unique function filled with NOP instructions<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"31\">\n<div readability=\"7\">\n<p>The encrypted data section is structured in the following format:<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/k\/guess-whos-back-the-return-of-anel-in-the-recent-earth-kasha-spearphishing-campaign-in-2024\/18.png\" alt=\"Structure of the encrypted data section\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 18. Structure of the encrypted data section<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"33.5\">\n<div readability=\"12\">\n<p>ANELLDR decodes the subsequent encrypted data using a 16-byte XOR key. 
A distinctive feature of this process is that each byte of the encrypted data is XORed with the entire 16-byte key. In other words, the algorithm applies XOR to each data byte 16 times, using a different key byte for each operation.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/k\/guess-whos-back-the-return-of-anel-in-the-recent-earth-kasha-spearphishing-campaign-in-2024\/19.png\" alt=\"Unique algorithm using XOR 16-times\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 19. Unique algorithm using XOR 16-times<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"47\">\n<div class=\"responsive-table-wrap\" readability=\"39\">\n<p>After the XOR operation, the data is decompressed using the Lempel\u2013Ziv\u2013Oberhumer (LZO) data compression algorithm. Additionally, the first 4 bytes and the Adler-32 checksum of the payload DLL are calculated and compared to verify if the data has been correctly decoded and decompressed. If the integrity check passes, the DLL is dynamically initialized in memory, and the hardcoded export function is called to execute the payload.<\/p>\n<p><b>ANEL<\/b><\/p>\n<p>ANEL is a 32-bit HTTP-based backdoor that has been observed since around 2017 and was known as one of the primary backdoors used by APT10 until around 2018. 
ANEL was actively developed during that time, and the last version publicly observed in 2018 was \u201c5.5.0 rev1.\u201d However, through this new campaign in 2024, versions \u201c5.5.4 rev1,\u201d \u201c5.5.5 rev1,\u201d \u201c5.5.6 rev1,\u201d and \u201c5.5.7 rev1\u201d have been observed, along with a newly identified version where the version information has been obfuscated.<\/p>\n<table cellpadding=\"1\" cellspacing=\"0\" border=\"1\" width=\"100%\" height=\"100%\">\n<tbody readability=\"8\">\n<tr>\n<td width=\"89\" valign=\"top\">\n<p><b>&nbsp;<\/b><\/p>\n<\/td>\n<td width=\"77\" valign=\"top\">\n<p><b>5.5.0 rev1<\/b><\/p>\n<\/td>\n<td width=\"78\" valign=\"top\">\n<p><b>5.5.4 rev1<\/b><\/p>\n<\/td>\n<td width=\"74\" valign=\"top\">\n<p><b>5.5.5 rev1<\/b><\/p>\n<\/td>\n<td width=\"81\" valign=\"top\">\n<p><b>5.5.6 rev1<\/b><\/p>\n<\/td>\n<td width=\"93\" valign=\"top\">\n<p><b>5.5.7 rev1<\/b><\/p>\n<\/td>\n<td width=\"96\" valign=\"top\">\n<p><b>unknown<\/b><\/p>\n<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td>C&amp;C Comm Encryption (GET)<\/td>\n<td colspan=\"6\">Custom ChaCha20 + random-byte XOR + Base64<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>C&amp;C Comm Encryption (POST)<\/td>\n<td colspan=\"6\">Custom ChaCha20 + LZO<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>ChaCha20 Key Generation<\/td>\n<td colspan=\"6\">Selected from the hardcoded key based on the C&amp;C URL<\/td>\n<\/tr>\n<tr readability=\"8\">\n<td>\n<p><span>Backdoor Command<\/span><\/p>\n<\/td>\n<td colspan=\"3\">\n<ul>\n<li><span class=\"rte-red-bullet\">0x97A168D9697D40DD (download)<\/span><\/li>\n<li><span class=\"rte-red-bullet\">0x7CF812296CCC68D5 (upload)<\/span><\/li>\n<li><span class=\"rte-red-bullet\">0x652CB1CEFF1C0A00 (in-memory PE exec)<\/span><\/li>\n<li><span class=\"rte-red-bullet\">0x27595F1F74B55278 (download and exec)<\/span><\/li>\n<li><span class=\"rte-red-bullet\">0xD290626C85FB1CE3 (sleep)<\/span><\/li>\n<li><span class=\"rte-red-bullet\">0x409C7A89CFF0A727 (get 
screenshot)<\/span><\/li>\n<li><span class=\"rte-red-bullet\"><span>Else: execute command<\/span><\/span><\/li>\n<\/ul>\n<\/td>\n<td colspan=\"3\">\n<ul>\n<li><span class=\"rte-red-bullet\">0x97A168D9697D40DD (download)<\/span><\/li>\n<li><span class=\"rte-red-bullet\">0x7CF812296CCC68D5 (upload)<\/span><\/li>\n<li><span class=\"rte-red-bullet\">0x652CB1CEFF1C0A00 (in-memory PE exec)<\/span><\/li>\n<li><span class=\"rte-red-bullet\">0x27595F1F74B55278 (download and exec)<\/span><\/li>\n<li><span class=\"rte-red-bullet\">0xD290626C85FB1CE3 (sleep)<\/span><\/li>\n<li><span class=\"rte-red-bullet\">0x409C7A89CFF0A727 (get screenshot)<\/span><\/li>\n<li><span class=\"rte-red-bullet\">0x596813980E83DAE6 (UAC bypass)<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Else: execute command<\/span><\/li>\n<\/ul>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>From here, we&#8217;ll take a closer look at the specific updates and changes in each version.<\/p>\n<p><b>5.5.4 rev1<\/b><\/p>\n<p>This version of ANEL did not introduce any major changes, but a few minor fixes and updates were implemented. One notable change was the removal of the feature that stored an error code in the HTTP Cookie header and sent it to the C&amp;C server, which had been present up to version \u201c5.5.0 rev1.\u201d This feature was previously identified as a detection point for ANEL, so its removal might have been intended to evade detection. Another update involved the version information sent to the C&amp;C server. It now includes information about the OS architecture of the execution environment. 
Although ANEL is a 32-bit application, when running on a 64-bit OS, the string \u201cwow64\u201d is appended to the version information before being sent to the C&amp;C server.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/k\/guess-whos-back-the-return-of-anel-in-the-recent-earth-kasha-spearphishing-campaign-in-2024\/20.png\" alt=\"OS architecture included\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 20. OS architecture included<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"31.5\">\n<div readability=\"8\">\n<p><b>5.5.5 rev1<\/b><\/p>\n<p>Version \u201c5.5.5 rev1\u201d did not include significant changes either. One notable update was the addition of code to renew the local IP address during the initial access to the C&amp;C server.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/k\/guess-whos-back-the-return-of-anel-in-the-recent-earth-kasha-spearphishing-campaign-in-2024\/21.png\" alt=\"Renew the local IP address by Windows API.\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 21. Renew the local IP address by Windows API.<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"34\">\n<div readability=\"13\">\n<p><b>5.5.6 rev1 \/ 5.5.7 rev1<\/b><\/p>\n<p>In version \u201c5.5.6 rev1,\u201d a new backdoor command was added. ANEL processes the command string received from the C&amp;C server by converting it to uppercase and hashing it with xxHash, then comparing it to a hardcoded hash value to determine the command. 
In this version, a new command corresponding to the hash value \u201c0x596813980E83DAE6\u201d was implemented.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/k\/guess-whos-back-the-return-of-anel-in-the-recent-earth-kasha-spearphishing-campaign-in-2024\/22.png\" alt=\"New backdoor command introduced in 5.5.6 rev1\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 22. New backdoor command introduced in 5.5.6 rev1<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"32\">\n<div readability=\"9\">\n<p>This command provides the functionality to execute a specified program with elevated privileges (Integrity High) by abusing the CMSTPLUA COM interface, a known UAC bypass technique.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/k\/guess-whos-back-the-return-of-anel-in-the-recent-earth-kasha-spearphishing-campaign-in-2024\/23.png\" alt=\"Abusing CMSTPLUA COM interface\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 23. Abusing CMSTPLUA COM interface<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"36\">\n<div readability=\"17\">\n<p>On the other hand, in \u201c5.5.7 rev1\u201d, no additional notable functionality was observed.<\/p>\n<p><b>Unknown version<\/b><\/p>\n<p>After observing version \u201c5.5.7 rev1,\u201d an ANEL variant was detected with obfuscated version information. In this instance, the version information field contained a Base64-encoded string, which resulted in the data \u201cA1 5E 99 00 E7 DE 2B F5 AD A1 E8 D1 55 D5 0A 22\u201d after decoding. This data was concatenated with \u201cwow64\u201d and sent to the C&amp;C server. 
This change has made it more difficult to track versions and compare functionality.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/k\/guess-whos-back-the-return-of-anel-in-the-recent-earth-kasha-spearphishing-campaign-in-2024\/24.png\" alt=\"Encrypted version information\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 24. Encrypted version information<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"41.5\">\n<div readability=\"28\">\n<h2><span class=\"body-subhead-title\">Post-Exploitation Activities<\/span><\/h2>\n<p>Tracking the adversary\u2019s activities after installing ANEL revealed that they collected information from the infected environment, such as taking screenshots and executing commands like arp and dir to gather network and file system details. In some cases, additional malware, specifically NOOPDOOR, was also installed.<\/p>\n<p>NOOPDOOR, observed since at least 2021, is a modular backdoor with more advanced capabilities. It appears to work as a further payload Earth Kasha uses, particularly for high-value targets. 
In this campaign, we believe NOOPDOOR was deployed against targets of special interest to the adversary.<\/p>\n<h2><span class=\"body-subhead-title\">Attribution and Insights<\/span><\/h2>\n<p>Based on the analysis of the ongoing campaign, Trend Micro assesses that the spear-phishing campaign using ANEL, observed since June 2024, is part of a new operation conducted by Earth Kasha.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/k\/guess-whos-back-the-return-of-anel-in-the-recent-earth-kasha-spearphishing-campaign-in-2024\/25.png\" alt=\"Diamond Model of the new campaign in 2024\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 25. Diamond Model of the new campaign in 2024<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"31\">\n<div readability=\"7\">\n<p>The attribution to Earth Kasha is based on the following reasons:<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">Until early 2023, Earth Kasha had been conducting campaigns targeting individuals and organizations in Japan via spear-phishing emails as the primary intrusion vector. There are no significant inconsistencies in terms of TTPs or victim profiles.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">NOOPDOOR, believed to be used exclusively by Earth Kasha, was also deployed in this campaign.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">As previously mentioned, there are code similarities between ANELLDR and NOOPDOOR, suggesting the involvement of the same developer or someone with access to both source codes. 
Therefore, the reuse of ANEL in this campaign is unsurprising and further supports the connection between the former APT10 and the current Earth Kasha.<\/span><\/li>\n<\/ul><\/div>\n<\/p><\/div>\n<div class=\"richText\" readability=\"42.806461173681\">\n<div readability=\"34.981624184944\">\n<h2><span class=\"body-subhead-title\">Trend Micro Vision One Threat Intelligence<\/span><\/h2>\n<p>To stay ahead of evolving threats, Trend Micro customers can access a range of Intelligence Reports and Threat Insights within Trend Micro Vision One. Threat Insights helps customers stay ahead of cyber threats before they happen and better prepared for emerging threats. It offers comprehensive information on threat actors, their malicious activities, and the techniques they use. By leveraging this intelligence, customers can proactively protect their environments, mitigate risks, and respond effectively to threats.<\/p>\n<p><b>Trend Micro Vision One Intelligence Reports App [IOC Sweeping]<\/b><\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">Guess Who\u2019s Back? 
The Return of ANEL in the Recent Spear-phishing Campaign by Earth Kasha in 2024<\/span><\/li>\n<\/ul>\n<p><b>Trend Micro Vision One Threat Insights App<\/b><\/p>\n<h2><span class=\"body-subhead-title\">Hunting Queries<\/span><\/h2>\n<p><b>Trend Micro Vision One Search App<\/b><\/p>\n<p>Trend Micro Vision One customers can use the Search App to match or hunt the malicious indicators mentioned in this blog post with data in their environment.\u202f\u202f\u202f<\/p>\n<p><i>Malware detection associated with the spear-phishing campaign by Earth Kasha<\/i><\/p>\n<p><span class=\"blockquote\">(malName:*ANEL* OR malName:*ROAMINGMOUSE*) AND eventName: MALWARE_DETECTION<\/span><\/p>\n<p><i>Malicious IPs used by ANEL in spear-phishing campaign 2024<\/i><\/p>\n<p><span class=\"blockquote\">eventId:3 AND (dst:&quot;139.84.131.62&quot; OR dst:&quot;139.84.136.105&quot; OR dst:&quot;45.32.116.146&quot; OR dst:&quot;45.77.252.85&quot; OR dst:&quot;208.85.18.4&quot; OR src:&quot;139.84.131.62&quot; OR src:&quot;139.84.136.105&quot; OR src:&quot;45.32.116.146&quot; OR src:&quot;45.77.252.85&quot; OR src:&quot;208.85.18.4&quot;)<\/span><\/p>\n<p>More hunting queries are available for Vision One customers with\u202f<a href=\"https:\/\/www.trendmicro.com\/en_us\/business\/products\/one-platform\/threat-insights.html\" title=\"https:\/\/www.trendmicro.com\/en_us\/business\/products\/one-platform\/threat-insights.html\">Threat Insights Entitlement enabled<\/a>.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"richText\" readability=\"37.6\">\n<div readability=\"20.778947368421\">\n<h2><span class=\"body-subhead-title\">YARA rule<\/span><\/h2>\n<p>This YARA <a href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/k\/guess-whos-back-the-return-of-anel-in-the-recent-earth-kasha-spearphishing-campaign-in-2024\/earthkasha_allinone.yara\">rule<\/a> may be used to find Earth Kasha activity.<\/p>\n<h2><span 
class=\"body-subhead-title\">Conclusion<\/span><\/h2>\n<p>Earth Kasha&#8217;s campaigns are expected to continue evolving, with updates to their tools and TTPs. Many of the targets are individuals, such as researchers, who may have different levels of security measures in place compared to enterprise organizations, making these attacks more difficult to detect. It is essential to maintain basic countermeasures, such as avoiding opening files attached to suspicious emails. Additionally, it is important to gather threat intelligence and ensure that relevant parties are informed. As this campaign is believed to be ongoing as of October 2024, continued vigilance is necessary.<\/p>\n<h2><span class=\"body-subhead-title\">Indicators of Compromise<\/span><\/h2>\n<p>The full list of IoCs may be found <a href=\"https:\/\/documents.trendmicro.com\/assets\/txt\/anel_iocsmTolkKh.txt\">here<\/a>.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<section class=\"tag--list\">\n<p>Tags<\/p>\n<\/section>\n<p> <\/main> <\/article>\n<\/div>\n<\/div><\/div>\n<\/div>\n<p> <!-- \/* Core functionality javascripts, absolute URL to leverage Akamai CDN *\/ --> <!--For Modal-start--> <\/p>\n<p> <span>sXpIBdPeKzI9PC2p0SWMpUSM2NSxWzPyXTMLlbXmYa0R20xk<\/span> <\/p>\n<p> <!--For Modal-end--> <\/body> Read More <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/24\/k\/return-of-anel-in-the-recent-earth-kasha-spearphishing-campaign.html\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Trend Micro has identified a spear-phishing campaign active in Japan since June 2024. Evidence about the malware used by this campaign suggests this was part of a new operation by Earth Kasha. 
Read More HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[61],"tags":[9546,9510,9508,9509],"class_list":["post-57757","post","type-post","status-publish","format-standard","hentry","category-trendmicro","tag-trend-micro-research-apttargeted-attacks","tag-trend-micro-research-articles-news-reports","tag-trend-micro-research-endpoints","tag-trend-micro-research-research"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.6 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Guess Who\u2019s Back - The Return of ANEL in the Recent Earth Kasha Spear-phishing Campaign in 2024 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/guess-whos-back-the-return-of-anel-in-the-recent-earth-kasha-spear-phishing-campaign-in-2024\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Guess Who\u2019s Back - The Return of ANEL in the Recent Earth Kasha Spear-phishing Campaign in 2024 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/guess-whos-back-the-return-of-anel-in-the-recent-earth-kasha-spear-phishing-campaign-in-2024\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2024-11-26T00:00:00+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/ANELthumbnail:Large?qlt=80\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"15 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/guess-whos-back-the-return-of-anel-in-the-recent-earth-kasha-spear-phishing-campaign-in-2024\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/guess-whos-back-the-return-of-anel-in-the-recent-earth-kasha-spear-phishing-campaign-in-2024\\\/\"},\"author\":{\"name\":\"TH Author\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\"},\"headline\":\"Guess Who\u2019s Back &#8211; The Return of ANEL in the Recent Earth Kasha Spear-phishing Campaign in 
2024\",\"datePublished\":\"2024-11-26T00:00:00+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/guess-whos-back-the-return-of-anel-in-the-recent-earth-kasha-spear-phishing-campaign-in-2024\\\/\"},\"wordCount\":3091,\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/guess-whos-back-the-return-of-anel-in-the-recent-earth-kasha-spear-phishing-campaign-in-2024\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/trendmicro.scene7.com\\\/is\\\/image\\\/trendmicro\\\/ANELthumbnail:Large?qlt=80\",\"keywords\":[\"Trend Micro Research : APT&amp;Targeted Attacks\",\"Trend Micro Research : Articles, News, Reports\",\"Trend Micro Research : Endpoints\",\"Trend Micro Research : Research\"],\"articleSection\":[\"TrendMicro\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/guess-whos-back-the-return-of-anel-in-the-recent-earth-kasha-spear-phishing-campaign-in-2024\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/guess-whos-back-the-return-of-anel-in-the-recent-earth-kasha-spear-phishing-campaign-in-2024\\\/\",\"name\":\"Guess Who\u2019s Back - The Return of ANEL in the Recent Earth Kasha Spear-phishing Campaign in 2024 2026 | ThreatsHub Cybersecurity 
News\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/guess-whos-back-the-return-of-anel-in-the-recent-earth-kasha-spear-phishing-campaign-in-2024\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/guess-whos-back-the-return-of-anel-in-the-recent-earth-kasha-spear-phishing-campaign-in-2024\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/trendmicro.scene7.com\\\/is\\\/image\\\/trendmicro\\\/ANELthumbnail:Large?qlt=80\",\"datePublished\":\"2024-11-26T00:00:00+00:00\",\"description\":\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/guess-whos-back-the-return-of-anel-in-the-recent-earth-kasha-spear-phishing-campaign-in-2024\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/guess-whos-back-the-return-of-anel-in-the-recent-earth-kasha-spear-phishing-campaign-in-2024\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/guess-whos-back-the-return-of-anel-in-the-recent-earth-kasha-spear-phishing-campaign-in-2024\\\/#primaryimage\",\"url\":\"https:\\\/\\\/trendmicro.scene7.com\\\/is\\\/image\\\/trendmicro\\\/ANELthumbnail:Large?qlt=80\",\"contentUrl\":\"https:\\\/\\\/trendmicro.scene7.com\\\/is\\\/image\\\/trendmicro\\\/ANELthumbnail:Large?qlt=80\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/guess-whos-back-the-return-of-anel-in-the-recent-earth-kasha-spear-phishing-campaign-in-2024\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\"},{\"@type\":\"ListItem\
",\"position\":2,\"name\":\"Trend Micro Research : APT&amp;Targeted Attacks\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/tag\\\/trend-micro-research-apttargeted-attacks\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Guess Who\u2019s Back &#8211; The Return of ANEL in the Recent Earth Kasha Spear-phishing Campaign in 2024\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"name\":\"ThreatsHub Cybersecurity News\",\"description\":\"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence 
Platform\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"alternateName\":\"Threatshub.org\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\",\"name\":\"ThreatsHub.org\",\"alternateName\":\"Threatshub.org\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"width\":432,\"height\":435,\"caption\":\"ThreatsHub.org\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/threatshub\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\",\"name\":\"TH Author\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"caption\":\"TH Author\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"Guess Who\u2019s Back - The Return of ANEL in the Recent Earth Kasha Spear-phishing Campaign in 2024 2026 | ThreatsHub Cybersecurity News","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.threatshub.org\/blog\/guess-whos-back-the-return-of-anel-in-the-recent-earth-kasha-spear-phishing-campaign-in-2024\/","og_locale":"en_US","og_type":"article","og_title":"Guess Who\u2019s Back - The Return of ANEL in the Recent Earth Kasha Spear-phishing Campaign in 2024 2026 | ThreatsHub Cybersecurity News","og_description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","og_url":"https:\/\/www.threatshub.org\/blog\/guess-whos-back-the-return-of-anel-in-the-recent-earth-kasha-spear-phishing-campaign-in-2024\/","og_site_name":"ThreatsHub Cybersecurity News","article_published_time":"2024-11-26T00:00:00+00:00","og_image":[{"url":"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/ANELthumbnail:Large?qlt=80","type":"","width":"","height":""}],"author":"TH Author","twitter_card":"summary_large_image","twitter_creator":"@threatshub","twitter_site":"@threatshub","twitter_misc":{"Written by":"TH Author","Est. 
reading time":"15 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.threatshub.org\/blog\/guess-whos-back-the-return-of-anel-in-the-recent-earth-kasha-spear-phishing-campaign-in-2024\/#article","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/guess-whos-back-the-return-of-anel-in-the-recent-earth-kasha-spear-phishing-campaign-in-2024\/"},"author":{"name":"TH Author","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476"},"headline":"Guess Who\u2019s Back &#8211; The Return of ANEL in the Recent Earth Kasha Spear-phishing Campaign in 2024","datePublished":"2024-11-26T00:00:00+00:00","mainEntityOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/guess-whos-back-the-return-of-anel-in-the-recent-earth-kasha-spear-phishing-campaign-in-2024\/"},"wordCount":3091,"publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/guess-whos-back-the-return-of-anel-in-the-recent-earth-kasha-spear-phishing-campaign-in-2024\/#primaryimage"},"thumbnailUrl":"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/ANELthumbnail:Large?qlt=80","keywords":["Trend Micro Research : APT&amp;Targeted Attacks","Trend Micro Research : Articles, News, Reports","Trend Micro Research : Endpoints","Trend Micro Research : Research"],"articleSection":["TrendMicro"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.threatshub.org\/blog\/guess-whos-back-the-return-of-anel-in-the-recent-earth-kasha-spear-phishing-campaign-in-2024\/","url":"https:\/\/www.threatshub.org\/blog\/guess-whos-back-the-return-of-anel-in-the-recent-earth-kasha-spear-phishing-campaign-in-2024\/","name":"Guess Who\u2019s Back - The Return of ANEL in the Recent Earth Kasha Spear-phishing Campaign in 2024 2026 | ThreatsHub Cybersecurity 
News","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/guess-whos-back-the-return-of-anel-in-the-recent-earth-kasha-spear-phishing-campaign-in-2024\/#primaryimage"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/guess-whos-back-the-return-of-anel-in-the-recent-earth-kasha-spear-phishing-campaign-in-2024\/#primaryimage"},"thumbnailUrl":"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/ANELthumbnail:Large?qlt=80","datePublished":"2024-11-26T00:00:00+00:00","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","breadcrumb":{"@id":"https:\/\/www.threatshub.org\/blog\/guess-whos-back-the-return-of-anel-in-the-recent-earth-kasha-spear-phishing-campaign-in-2024\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.threatshub.org\/blog\/guess-whos-back-the-return-of-anel-in-the-recent-earth-kasha-spear-phishing-campaign-in-2024\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/guess-whos-back-the-return-of-anel-in-the-recent-earth-kasha-spear-phishing-campaign-in-2024\/#primaryimage","url":"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/ANELthumbnail:Large?qlt=80","contentUrl":"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/ANELthumbnail:Large?qlt=80"},{"@type":"BreadcrumbList","@id":"https:\/\/www.threatshub.org\/blog\/guess-whos-back-the-return-of-anel-in-the-recent-earth-kasha-spear-phishing-campaign-in-2024\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.threatshub.org\/blog\/"},{"@type":"ListItem","position":2,"name":"Trend Micro Research : APT&amp;Targeted 
Attacks","item":"https:\/\/www.threatshub.org\/blog\/tag\/trend-micro-research-apttargeted-attacks\/"},{"@type":"ListItem","position":3,"name":"Guess Who\u2019s Back &#8211; The Return of ANEL in the Recent Earth Kasha Spear-phishing Campaign in 2024"}]},{"@type":"WebSite","@id":"https:\/\/www.threatshub.org\/blog\/#website","url":"https:\/\/www.threatshub.org\/blog\/","name":"ThreatsHub Cybersecurity News","description":"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence 
Platform","publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"alternateName":"Threatshub.org","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.threatshub.org\/blog\/#organization","name":"ThreatsHub.org","alternateName":"Threatshub.org","url":"https:\/\/www.threatshub.org\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","width":432,"height":435,"caption":"ThreatsHub.org"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/threatshub"]},{"@type":"Person","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476","name":"TH Author","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","caption":"TH 
Author"}}]}},"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/57757","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=57757"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/57757\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=57757"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=57757"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=57757"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}