EXECUTIVE SUMMARY:
The Earth Kurma APT campaign is a cyber-espionage operation attributed to a Chinese state-sponsored group. It mainly targets government and telecommunications sectors in Southeast Asia, using spear-phishing emails to gain access. The attackers deploy custom malware, including the ANEL backdoor, to maintain persistent access and gather sensitive information. The use of the ANEL backdoor in this campaign shows the group's ability to adapt and refine its tactics over time.
The attackers use spear-phishing emails with malicious attachments or links to deliver the ANEL backdoor, giving them remote control of infected systems. ANEL uses encryption and obfuscation to avoid detection. The campaign also involves the NOOPDOOR malware, which helps with post-exploitation tasks like capturing screenshots and running commands remotely. This combination of tools shows the group's ability to evolve and bypass security measures to meet its objectives.
The Earth Kurma APT campaign highlights the risks posed by state-sponsored cyber-espionage to national security, especially in critical infrastructure sectors. Organizations are advised to improve their cybersecurity with better email filtering, security training, and advanced threat detection. Collaboration between global cybersecurity teams is also essential to effectively respond to such threats and reduce the impact of future campaigns.
THREAT PROFILE:
| Tactic | Technique ID | Technique |
|---|---|---|
| Initial Access | T1566 | Phishing |
| Execution | T1203 | Exploitation for Client Execution |
| Persistence | T1543 | Create or Modify System Process |
| Privilege Escalation | T1055 | Process Injection |
| Defense Evasion | T1027 | Obfuscated Files or Information |
| Credential Access | T1003 | OS Credential Dumping |
| Discovery | T1083 | File and Directory Discovery |
| Exfiltration | T1041 | Exfiltration Over C2 Channel |
| Impact | T1499 | Endpoint Denial of Service |
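A threat profile like the table above is most useful when it can be overlaid on an organization's own detection coverage. The script below is an added example, not part of the original report: it parses the pipe-delimited profile rows, validates each ATT&CK technique ID, emits an ATT&CK Navigator layer for the techniques, and lists which techniques have no matching local detection. The Navigator/ATT&CK version numbers and the set of "already detected" IDs are assumptions made for the example.

```python
"""Turn a flattened ATT&CK threat-profile table into an ATT&CK Navigator layer
and a coverage-gap list.  Added example, not code from the original report.
Navigator/ATT&CK version numbers below are assumptions."""
import json
import re

# Copied from the threat-profile table on this page (pipe-delimited rows).
THREAT_PROFILE = """\
Tactic | Technique ID | Technique |
Initial Access | T1566 | Phishing |
Execution | T1203 | Exploitation for Client Execution |
Persistence | T1543 | Create or Modify System Process |
Privilege Escalation | T1055 | Process Injection |
Defense Evasion | T1027 | Obfuscated Files or Information |
Credential Access | T1003 | OS Credential Dumping |
Discovery | T1083 | File and Directory Discovery |
Exfiltration | T1041 | Exfiltration Over C2 Channel |
Impact | T1499 | Endpoint Denial of Service |
"""

# ATT&CK technique IDs: "T" + four digits, with an optional ".NNN" sub-technique.
TECHNIQUE_ID_RE = re.compile(r"^T\d{4}(?:\.\d{3})?$")


def tactic_shortname(tactic: str) -> str:
    """Navigator uses tactic short names, e.g. 'Initial Access' -> 'initial-access'."""
    return tactic.strip().lower().replace(" ", "-")


def parse_profile(text: str) -> list:
    """Parse pipe-delimited rows into dicts; skip the header; reject bad IDs."""
    rows = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 3 or cells[1] == "Technique ID":
            continue  # header row or malformed line
        tactic, tid, name = cells
        if not TECHNIQUE_ID_RE.match(tid):
            raise ValueError(f"not an ATT&CK technique ID: {tid!r}")
        rows.append({"tactic": tactic, "id": tid, "name": name})
    return rows


def build_layer(rows, name="Earth Kurma threat profile") -> dict:
    """Build an ATT&CK Navigator layer dict highlighting the profile's techniques."""
    return {
        "name": name,
        # Assumed versions; adjust to the Navigator instance you load this into.
        "versions": {"attack": "14", "navigator": "4.9.1", "layer": "4.5"},
        "domain": "enterprise-attack",
        "description": "Techniques listed in the campaign threat profile",
        "techniques": [
            {
                "techniqueID": r["id"],
                "tactic": tactic_shortname(r["tactic"]),
                "score": 1,
                "color": "#ff6666",
                "comment": r["name"],
                "enabled": True,
            }
            for r in rows
        ],
        "gradient": {"colors": ["#ffffff", "#ff6666"], "minValue": 0, "maxValue": 1},
    }


def coverage_gaps(rows, detected_ids) -> list:
    """Technique IDs from the profile that have no local detection rule."""
    detected = set(detected_ids)
    return [r["id"] for r in rows if r["id"] not in detected]


if __name__ == "__main__":
    profile = parse_profile(THREAT_PROFILE)
    print(json.dumps(build_layer(profile), indent=2))
    # Constructed example of which technique IDs the local rule set already covers.
    print("uncovered:", coverage_gaps(profile, {"T1566", "T1027", "T1003"}))
```

Load the printed JSON into ATT&CK Navigator as a layer, or feed the `coverage_gaps` output into a detection-engineering backlog; the ID regex also catches typos in hand-maintained profiles before they reach the layer.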
REFERENCES:
The following reports contain further technical details: