
Earth Kurma APT Group Targets Governments in Southeast Asia


Since June 2024, a new advanced persistent threat (APT) group known as Earth Kurma has been conducting a series of targeted attacks on the government and telecommunications sectors across Southeast Asia. According to Trend Micro, the group’s operations have involved custom malware, rootkits, and cloud storage services to exfiltrate sensitive data.

The Philippines, Vietnam, Thailand, and Malaysia have been among the primary targets of the campaign, which is described as highly sophisticated and dangerous due to its reliance on persistent footholds and advanced espionage tactics.

Earth Kurma’s campaign has raised alarms due to its ability to exploit trusted cloud platforms like Dropbox and Microsoft OneDrive for data exfiltration. Trend Micro researchers Nick Dai and Sunny Lu have highlighted the high business risk posed by this campaign, which includes:

  • Credential theft
  • Kernel-level rootkit deployment
  • Targeted espionage
  • Data exfiltration

The group’s operations can be traced back to November 2020, with TESDAT and SIMPOBOXSPY being key tools used for data theft. Additionally, Earth Kurma has used rootkits such as KRNRAT and Moriya, the latter previously linked to espionage campaigns targeting high-profile organizations in Asia and Africa under the TunnelSnake operation.

Earth Kurma Toolset and Techniques

While the group’s exact methods of gaining initial access remain unclear, once they establish a foothold, Earth Kurma employs a variety of tools for lateral movement and escalation. These include NBTSCAN, Ladon, FRPC, WMIHACKER, and ICMPinger, alongside a keylogger known as KMLOG to collect credentials.

The group’s use of living-off-the-land (LotL) techniques sets it apart from other threat actors. By leveraging legitimate system tools, such as syssetup.dll, to install rootkits, Earth Kurma reduces the risk of detection by avoiding easily identifiable malware.

  • Moriya monitors TCP packets for malicious payloads and injects shellcode into the svchost.exe process.
  • KRNRAT, a hybrid of five open-source projects, has capabilities like process manipulation, file hiding, shellcode execution, and C2 communication.

Before exfiltrating data, the group’s loader tool, TESDAT, collects specific document types, including PDFs, Word files, Excel spreadsheets, and PowerPoint presentations. These files are stored in a “tmp” folder, compressed using WinRAR, and password-protected. Earth Kurma then uses SIMPOBOXSPY and ODRIZ to upload the data to cloud services such as Dropbox and OneDrive using specific access tokens.

Trend Micro’s analysis reveals that SIMPOBOXSPY uploads the RAR archive to Dropbox, while ODRIZ performs similar tasks for OneDrive. These tools make the exfiltration process more efficient and difficult to detect.
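The staging-then-upload sequence described above gives defenders something to correlate on. The following is an added example, not code from Trend Micro's report or the actor's tooling: it scans constructed process-creation and network telemetry for a password-protected RAR archive written under a "tmp" folder, followed shortly by a connection to a cloud storage API on the same host. The cloud API hostnames, the telemetry format and the 30-minute window are assumptions; the -p/-hp switches are WinRAR's own.

```python
import re
from datetime import datetime, timedelta

# Constructed sample telemetry (not from the Trend Micro report), in a simplified
# key=value text form covering process-creation and network-connection events.
SAMPLE_EVENTS = r"""2024-06-12T09:14:02Z host=WS-017 type=process image=C:\Tools\Rar.exe cmd="Rar.exe a -hpS3cr3t C:\Users\alice\tmp\docs.rar *.pdf *.docx *.xlsx *.pptx"
2024-06-12T09:15:40Z host=WS-017 type=network dest=api.dropboxapi.com port=443
2024-06-12T11:02:11Z host=WS-042 type=process image=C:\Program Files\WinRAR\Rar.exe cmd="Rar.exe a C:\Users\bob\backup.rar report.docx"
2024-06-12T11:03:00Z host=WS-042 type=network dest=api.dropboxapi.com port=443
2024-06-12T13:30:09Z host=WS-088 type=process image=C:\Windows\Temp\r.exe cmd="r.exe a -pStr0ng C:\Windows\Temp\tmp\out.rar docs"
2024-06-12T16:45:00Z host=WS-088 type=network dest=graph.microsoft.com port=443
"""

# Staging indicators from the report's description: a RAR archive built with a
# password switch (-p / -hp are WinRAR's own) under a "tmp" folder. The cloud
# API hostnames below are assumptions, not values taken from the report.
PASSWORD_SWITCH_RE = re.compile(r"(?:^|\s)-(?:hp|p)\S*", re.IGNORECASE)
TMP_FOLDER_RE = re.compile(r"\\tmp\\", re.IGNORECASE)
CLOUD_STORAGE_HOSTS = {"api.dropboxapi.com", "content.dropboxapi.com", "graph.microsoft.com"}
EVENT_RE = re.compile(r"^(\S+) host=(\S+) type=(\S+) (.*)$")

def parse_event(line):
    """Parse one telemetry line into a dict; None if it does not match."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    ts, host, kind, rest = m.groups()
    fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', rest))
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "host": host,
            "type": kind, "cmd": fields.get("cmd", "").strip('"'), "dest": fields.get("dest", "")}

def is_staging(cmd):
    """Password-protected RAR written into a tmp folder; keyed on the command line, not the image name, so a renamed archiver is still caught."""
    return (".rar" in cmd.lower() and PASSWORD_SWITCH_RE.search(cmd) is not None
            and TMP_FOLDER_RE.search(cmd) is not None)

def correlate(text, window=timedelta(minutes=30)):
    """Alert when a host reaches a cloud storage API within `window` after staging on that host; events are expected in chronological order."""
    last_staging, alerts = {}, []  # host -> time of its most recent staging event
    for line in text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        if ev["type"] == "process" and is_staging(ev["cmd"]):
            last_staging[ev["host"]] = ev["ts"]
        elif ev["type"] == "network" and ev["dest"] in CLOUD_STORAGE_HOSTS:
            t0 = last_staging.get(ev["host"])
            if t0 is not None and timedelta(0) <= ev["ts"] - t0 <= window:
                alerts.append((ev["host"], ev["dest"], int((ev["ts"] - t0).total_seconds())))
    return alerts
```

On the sample data only WS-017 alerts: WS-042 built an archive without a password, and WS-088's upload falls outside the window, which is the tuning knob to revisit when an actor stages well ahead of exfiltration.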

Ongoing Threat and Potential Adaptability

Trend Micro confirmed that Earth Kurma remains highly active and continues to target nations across Southeast Asia. Their ability to adapt to victim environments and maintain a stealthy presence has made them a significant threat. The group is capable of customizing their toolsets and even reusing code from previous attacks, sometimes leveraging the victim’s own infrastructure for their objectives.

Earth Kurma’s evolving tactics and tools make them a formidable adversary in the region. Organizations in Southeast Asia, especially those in government and telecommunications sectors, need to remain vigilant against these sophisticated APT attacks. As the group continues to refine its approach, the threat of espionage and data theft remains high.
