Earth Baxia Attack Detection: China-Backed Hackers Use Spear-Phishing, Exploit the GeoServer Vulnerability (CVE-2024-36401), and Apply a New EAGLEDOOR Malware to Target APAC
In the first quarter of 2024, state-sponsored APT groups from regions such as China, North Korea, Iran, and russia demonstrated notably sophisticated and innovative adversary methods, creating significant challenges for the global cybersecurity landscape. Recently, a China-linked APT group known as Earth Baxia has targeted a state agency in Taiwan and potentially other countries in the APAC region. Adversaries relied on spear-phishing, exploited a newly patched critical RCE vulnerability in OSGeo GeoServer GeoTools tracked as CVE-2024-36401, and leveraged a novel custom backdoor dubbed EAGLEDOOR.
Detect Earth Baxia Attacks
In 2024, Chinese state-sponsored hackers have surged to the forefront of nation-backed cyber threats. Throughout the first half of the year, cybersecurity researchers uncovered a series of prolonged cyber-espionage and destructive campaigns led by APT40, Velvet Ant, UNC3886, Mustang Panda, and others. These groups are increasingly relying on phishing attacks and CVE exploits to infiltrate targeted networks, posing a growing threat to global cybersecurity.
Yet every new day brings a new menace for cyber defenders. The most recent campaign by the China-backed Earth Baxia APT targets Taiwan and other countries in the APAC region using the GeoServer flaw (CVE-2024-36401) and EAGLEDOOR malware. To stay ahead of intrusions and spot malicious activity at the earliest stages of an attack, security engineers might rely on SOC Prime Platform for collective cyber defense, which offers a complete product suite for advanced threat detection, automated threat hunting, and AI-powered detection engineering.
SOC Prime Platform aggregates a set of curated detection algorithms accompanied by advanced cybersecurity tooling to streamline threat hunting and investigation and to enable proactive cyber defense. Hit the Explore Detections button below to browse the list of Sigma rules for Earth Baxia’s latest campaign.
The rules are compatible with 30+ SIEM, EDR, and Data Lake solutions and mapped to the MITRE ATT&CK® framework. Additionally, detections are enriched with extensive metadata, including threat intel references, attack timelines, and triage recommendations, helping to smooth out threat investigation.
Additionally, to spot exploitation attempts against the GeoServer vulnerability (CVE-2024-36401), security professionals might refer to a Sigma rule by our keen Threat Bounty developer Emir Erdogan. The rule below helps to spot potential exploitation attempts of the GeoServer unauthenticated remote code execution (CVE-2024-36401) via web server logs. It is compatible with 22 SIEM, EDR, and Data Lake solutions and mapped to MITRE ATT&CK, addressing the Initial Access tactic with Exploit Public-Facing Application as the core technique.
Eager to join SOC Prime’s crowdsourcing initiative? Skilled cybersecurity practitioners striving to enrich their Detection Engineering and Threat Hunting skills can join the ranks of our Threat Bounty Program to make their own contribution to collective industry expertise. Participation in the Program enables detection content authors to monetize their professional skills while helping build a safer digital future.
Analyzing Earth Baxia Attacks
Trend Micro’s latest research has uncovered an active campaign by the China-backed Earth Baxia APT group, exploiting a recently patched vulnerability in OSGeo GeoServer GeoTools. The campaign primarily targets public sector organizations in Taiwan and other APAC nations. Researchers suggest that government agencies, telecommunications firms, and energy industries in the Philippines, South Korea, Vietnam, Taiwan, and Thailand are likely the main targets, based on the analysis of attack artifacts.
The attack follows a multi-stage infection process, utilizing two distinct methods: spear-phishing emails and the exploitation of the critical GeoServer vulnerability (CVE-2024-36401). This approach ultimately delivers Cobalt Strike and introduces a newly discovered backdoor dubbed EAGLEDOOR, enabling both data exfiltration and further payload deployment.
Additionally, researchers observed that Earth Baxia uses GrimResource and AppDomainManager injection to deliver further payloads, aiming to evade detection. GrimResource, in particular, is employed to download additional malware through a deceptive MSC file named RIPCOY, hidden within a ZIP archive attachment, lowering the victim’s defenses in the process.
Regardless of the infection path, the compromise ultimately results in the deployment of either a custom backdoor dubbed EAGLEDOOR or a rogue installation of the red-team tool Cobalt Strike.
Notably, the group leverages public cloud services to host its malicious files and currently shows no clear ties to other known APT groups. However, some analyses have identified similarities with APT41, also known as Wicked Panda or Brass Typhoon.
The increasing sophistication of the latest campaigns by Chinese APT actors and their capability to smartly evade detection underscore the need for robust defense strategies against APT attacks. By leveraging SOC Prime’s Attack Detective SaaS solution, organizations can benefit from real-time data and content audits for comprehensive threat visibility and improved detection coverage, explore a high-fidelity detection stack for alerting, and enable automated threat hunting to quickly identify and tackle cyber threats before they escalate.