Trend Micro researchers have uncovered that an advanced persistent threat (APT) group known as Earth Kurma is actively targeting government and telecommunications organizations across Southeast Asia. The group employs sophisticated custom malware, kernel-level rootkits, and trusted cloud services to carry out cyberespionage operations. Organizations face potential compromise of sensitive government and telecommunications data, with attackers maintaining prolonged, undetected access to their networks.

Earth Kurma’s campaigns showcase adaptive malware toolsets, strategic use of cloud infrastructure, and evasion techniques designed to bypass security defenses. The group routes exfiltrated data through legitimate cloud storage services, which blends the traffic with normal business use and makes detection and mitigation significantly harder. The campaign poses a severe business risk, driven by targeted espionage, credential theft, persistent footholds established through rootkits, and the stealthy exfiltration of sensitive data through legitimate cloud platforms.

The Earth Kurma APT group targets the government and telecommunications sectors in Southeast Asia; Trend Micro’s long-term monitoring shows its activity dates back to November 2020, with a primary focus on data exfiltration. The group favors public cloud services such as Dropbox and OneDrive to stealthily transfer stolen data. To achieve its objectives, Earth Kurma employs a variety of customized tools, including the TESDAT loader and the SIMPOBOXSPY exfiltration tool, alongside rootkits such as KRNRAT and MORIYA to maintain persistence and evade detection.

Since last June, Trend Micro has observed a surge in Earth Kurma’s operations across multiple countries, including the Philippines, Vietnam, and Malaysia. Their recent campaigns continue to demonstrate a strong emphasis on targeting government entities, utilizing sophisticated rootkits to secure a long-term foothold and conceal malicious activities.

Earth Kurma’s choice of targets points to cyberespionage as the motivation, though Trend Micro researchers Nick Dai and Sunny Lu were unable to confirm the arrival vectors used in the attacks, as Trend Micro’s analysis began years after the victims were first compromised. “Multiple tools were used in the lateral movement stage. Various utilities were used to scan the victims’ infrastructures and deploy malware, including NBTSCAN, LADON, FRPC, WMIHACKER, and ICMPinger. They also deployed a keylogger, KMLOG, to steal credentials from victims.”

Dai and Lu added in a blog post that to survey the victims’ infrastructures, the threat actors used a tool named ICMPinger to scan the hosts. “It is a simple network scanning tool based on the ICMP protocol to test if the specified hosts are still alive. They delete this tool once their operations conclude.”

“They also used another open-source tool called Ladon to inspect the infrastructure,” the post added. “To bypass detection, Ladon is wrapped in a reflective loader compiled by PyInstaller. The XOR keys used to decode the payload differ among all the samples we’ve collected. To move laterally, they also used another open-source tool called WMIHACKER, which could execute commands over port 135 without the need for SMB.”
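The per-sample XOR keys mentioned above are the kind of obstacle an analyst removes with known-plaintext recovery rather than by reversing each wrapper. The script below is an added example, not Earth Kurma’s loader or anything from the Trend Micro report: it assumes the wrapped payload is a Windows PE image and that the key is a repeating byte string of modest length, uses the “MZ” signature and the conventional DOS-stub message at offset 0x4E as cribs, and confirms a candidate key by checking that the decoded bytes have a valid e_lfanew pointing at “PE\0\0”. The payload it decodes is a constructed stand-in, not a real executable.

```python
# Known-plaintext recovery of a repeating XOR key wrapping a PE payload.
# Added example; not Earth Kurma's loader code. Assumption (not stated in the
# article): the payload is a PE and the key is a short repeating byte string.
from typing import List, Optional

# Cribs: bytes a Windows PE almost always has at fixed offsets. The DOS-stub
# message sits at 0x4E in the default MSVC stub; that offset is conventional,
# not guaranteed, so it is an assumption here.
CRIBS = [(0x00, b"MZ"), (0x4E, b"This program cannot be run in DOS mode")]


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key (the same call encodes and decodes)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_fake_pe() -> bytes:
    """Constructed stand-in for a payload: an MZ stub whose e_lfanew points at
    a 'PE\\0\\0' signature. Not a real executable."""
    stub = bytearray(0x80)
    stub[0:2] = b"MZ"
    stub[0x3C:0x40] = (0x80).to_bytes(4, "little")      # e_lfanew -> 0x80
    msg = b"This program cannot be run in DOS mode."
    stub[0x4E:0x4E + len(msg)] = msg
    return bytes(stub) + b"PE\0\0" + bytes(range(256)) * 2


def looks_like_pe(data: bytes) -> bool:
    """Structural check used to confirm a decoded candidate."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def recover_xor_key(blob: bytes, max_len: int = 32) -> Optional[bytes]:
    """Try every key length up to max_len. For each length, derive key bytes
    from the cribs; reject the length as soon as two crib positions that map
    to the same key slot disagree, or if a slot is never covered. A surviving
    candidate is accepted only if the decoded blob has PE structure, which
    guards against accidental consistency on short cribs."""
    for klen in range(1, max_len + 1):
        slots: List[Optional[int]] = [None] * klen
        consistent = True
        for off, crib in CRIBS:
            for i, p in enumerate(crib):
                pos = off + i
                if pos >= len(blob):
                    consistent = False
                    break
                k = blob[pos] ^ p
                if slots[pos % klen] is None:
                    slots[pos % klen] = k
                elif slots[pos % klen] != k:
                    consistent = False
                    break
            if not consistent:
                break
        if not consistent or any(s is None for s in slots):
            continue
        key = bytes(slots)
        if looks_like_pe(xor_bytes(blob, key)):
            return key
    return None


if __name__ == "__main__":
    sample_key = b"\x5a\x13\xf7\x88\x2e"          # constructed per-sample key
    wrapped = xor_bytes(build_fake_pe(), sample_key)
    print("recovered key:", recover_xor_key(wrapped).hex())
```

Because the crib is 38 bytes long, any key of up to 38 bytes is fully determined by it; longer keys need an additional crib (for example the section table or an import-directory string) or a frequency-based length estimate first. Against a real sample, feed in the extracted resource or appended blob rather than the whole PyInstaller bundle.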

In the persistence stage, the researchers detailed that the hackers deployed different loaders to maintain their foothold, including DUNLOADER, TESDAT, and DMLOADER. “These loaders are used to load payload files into memory and execute them. These loaders are then used to deploy more malware and exfiltrate data over public cloud services like Dropbox and OneDrive. In some cases, rootkits, including KRNRAT and MORIYA, were implanted by the loaders to bypass the scanning.”

When it comes to the collection and exfiltration stage, Trend Micro observed two customized tools used to exfiltrate specific documents to the attacker’s cloud services, such as Dropbox and OneDrive. “Before exfiltrating the files, several commands executed by the loader TESDAT collected specific document files with the following extensions: .pdf, .doc, .docx, .xls, .xlsx, .ppt, and .pptx. The documents are first placed into a newly created folder named “tmp,” which is then archived using WinRAR with a specific password,” they added.
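The collection routine described above leaves a recognisable process-creation trail: document copies into a folder named “tmp”, then a WinRAR run with a password switch against that folder. The hunting logic below is an added example, not from the Trend Micro report or Earth Kurma’s tooling; the Sysmon-style event records are constructed, and the command lines are illustrative guesses at what such a routine looks like, not TESDAT’s actual commands. The WinRAR switches it keys on are real: `-p<pwd>` sets an archive password and `-hp<pwd>` additionally encrypts the file headers.

```python
# Hunting for staged document collection followed by password-protected archiving.
# Added example; events are constructed and the command lines are hypothetical.
import re
from typing import Dict, List

# Document types the article says were collected before archiving.
DOC_EXT_RE = re.compile(r"\.(?:pdf|docx?|xlsx?|pptx?)\b", re.IGNORECASE)
# A path component named "tmp", the staging folder named in the report.
TMP_DIR_RE = re.compile(r"[\\/]tmp(?:[\\/\"']|\s|$)", re.IGNORECASE)
# Real WinRAR switches: -p<pwd> sets a password, -hp<pwd> also encrypts headers.
RAR_PASSWORD_RE = re.compile(r"(?:^|\s)-(?:hp|p)\S+", re.IGNORECASE)

COPY_TOOLS = {"cmd.exe", "xcopy.exe", "robocopy.exe", "powershell.exe"}
ARCHIVERS = {"rar.exe", "winrar.exe"}

# Constructed Sysmon-style process-creation records (EventID 1 fields, trimmed).
SAMPLE_EVENTS: List[Dict] = [
    {"ts": 1000, "host": "ws-07", "pid": 4120, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c copy "C:\Users\alice\Documents\*.docx" "C:\ProgramData\tmp\"'},
    {"ts": 1004, "host": "ws-07", "pid": 4126, "image": r"C:\Windows\System32\xcopy.exe",
     "cmdline": r'xcopy.exe /s /y "D:\Shares\Finance\*.xlsx" "C:\ProgramData\tmp\"'},
    {"ts": 1090, "host": "ws-07", "pid": 4131, "image": r"C:\Program Files\WinRAR\Rar.exe",
     "cmdline": r'Rar.exe a -r -hpP@ssw0rd "C:\ProgramData\1.rar" "C:\ProgramData\tmp"'},
    # Benign: a developer archiving a project tree, no password, no tmp staging.
    {"ts": 1200, "host": "ws-12", "pid": 2210, "image": r"C:\Program Files\WinRAR\Rar.exe",
     "cmdline": r'Rar.exe a "C:\Backups\proj.rar" "C:\Projects\app"'},
    # Password-protected archive with no preceding document staging.
    {"ts": 1300, "host": "ws-19", "pid": 3333, "image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "cmdline": r'WinRAR.exe a -pHR2024 "C:\Users\bob\payroll.rar" "C:\Users\bob\payroll"'},
]


def classify(event: Dict) -> List[str]:
    """Tag one process-creation event with the collection-chain behaviours it shows."""
    exe = event["image"].replace("/", "\\").rsplit("\\", 1)[-1].lower()
    cmd = event["cmdline"]
    tags: List[str] = []
    if exe in COPY_TOOLS and DOC_EXT_RE.search(cmd) and TMP_DIR_RE.search(cmd):
        tags.append("doc-staging-to-tmp")
    if exe in ARCHIVERS:
        if RAR_PASSWORD_RE.search(cmd):
            tags.append("rar-password")
        if TMP_DIR_RE.search(cmd):
            tags.append("rar-from-tmp")
    return tags


def hunt(events: List[Dict], window_s: int = 900) -> List[Dict]:
    """Correlate per host. A password-protected archive created within window_s
    seconds after document staging into a tmp folder is the full chain the
    report describes and is rated high; a lone password-protected archive is
    returned as a low-confidence lead rather than dropped."""
    tagged = [(ev, classify(ev)) for ev in events]
    staging_ts: Dict[str, List[int]] = {}
    for ev, tags in tagged:
        if "doc-staging-to-tmp" in tags:
            staging_ts.setdefault(ev["host"], []).append(ev["ts"])
    findings: List[Dict] = []
    for ev, tags in tagged:
        if "rar-password" not in tags:
            continue
        recent = [t for t in staging_ts.get(ev["host"], []) if 0 <= ev["ts"] - t <= window_s]
        findings.append({
            "host": ev["host"], "pid": ev["pid"], "ts": ev["ts"],
            "severity": "high" if recent else "low",
            "tags": tags, "staging_events": len(recent),
        })
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f)
```

The correlation is deliberately host-scoped and time-bounded so that an ordinary password-protected archive on one machine does not inherit staging activity from another. Tuning points are the staging-folder name (the report names “tmp”, but a variant could use any folder) and the window, which should be generous because the collection commands and the archive step need not run back to back.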

The analysis identified only weak links to two other groups, ToddyCat and Operation TunnelSnake; after a thorough examination, Trend Micro concluded that the campaign merited a separate designation, Earth Kurma.

“The APT group ToddyCat was first disclosed in 2022. The ‘tailored loader,’ mentioned in this ToddyCat report, was also found in the same victim machines infected by the TESDAT loaders,” the post added. “However, we did not find any process execution logs between these loaders. Also, they share similar exfiltration PowerShell scripts. The tool SIMPOBOXSPY used by Earth Kurma was also used by ToddyCat before.” 

Moreover, both Earth Kurma and ToddyCat have highly targeted the Southeast Asian countries. Reports on ToddyCat indicate that activities started in 2020. The timeline of their activities aligned closely with what Trend Micro observed in Earth Kurma. “However, SIMPOBOXSPY is a simple tool that could be shared among groups, and we did not observe other exclusive tools that can be directly attributed to ToddyCat. Thus, we cannot conclusively link Earth Kurma to ToddyCat.”

“The second potentially related APT group is Operation TunnelSnake, which was also reported in 2021,” the post added. “In the report, they used MORIYA, which uses the same code base as the MORIYA variant we found. Additionally, Operation TunnelSnake targeted countries in Southeast Asia. Nevertheless, we didn’t observe any similarity in the post-exploitation stages.”

Earlier this month, Trend Micro research detailed cyber espionage techniques of Earth Alux, a China-linked APT group, that are putting critical industries at risk. These attacks, aimed at the APAC and Latin American regions, leverage powerful tools and techniques to remain hidden while stealing sensitive data. Left undetected, the attack can maintain a foothold in the system and carry out cyber espionage. The long-term collection and exfiltration of data could lead to far-reaching consequences, such as disrupted operations and financial losses.
