Earth Kurma APT Campaign Targets Government and Telecom Sectors in Southeast Asia

Earth Kurma, a newly identified APT group, has been targeting government and telecom sectors in Southeast Asia since June 2024. The campaign involves sophisticated tactics including the use of custom malware, kernel-level rootkits, and cloud services like Dropbox and OneDrive for data exfiltration. Affected countries include the Philippines, Vietnam, Thailand, Malaysia, and other Asian countries. The attacks focus on espionage, credential theft, and maintaining persistent access. Notably, Earth Kurma’s activity dates back to 2020, using tools such as TESDAT and SIMPOBOXSPY.

Technical Description

The threat actors employ advanced custom malware, kernel-level rootkits, and abuse trusted cloud storage services like Dropbox and OneDrive for data exfiltration. Earth Kurma demonstrates adaptive toolsets and complex evasion techniques to maintain persistent, undetected access. Countries impacted include the Philippines, Vietnam, Thailand, Malaysia, and other Asian countries. The campaign poses significant business risks, including espionage, credential theft, and compromise of sensitive data.

Initial Access and Infection Workflow:

The exact initial access vectors remain unidentified, as analysis commenced several years after the earliest compromises. Earth Kurma employs a multi-stage infection chain that leverages various tools for reconnaissance and lateral movement, including NBTSCAN, LADON, FRPC, WMIHACKER, and ICMPinger. ICMPinger, a lightweight ICMP-based host discovery tool, is used to identify active systems and is promptly deleted after execution to reduce forensic traces. LADON, an open-source scanner, is delivered via a PyInstaller-packed reflective loader that uses unique XOR keys to evade detection while probing the network. WMIHACKER enables remote command execution over port 135, eliminating reliance on SMB, whereas traditional SMB-based commands like net use are utilized for malware deployment and network enumeration.

Lateral Propagation and Credential Theft:

Earth Kurma achieves lateral movement using a mix of open-source and custom tools. NBTSCAN and WMIHACKER facilitate network traversal, while a custom keylogger, KMLOG, captures credentials by logging keystrokes to %AppData%\Roaming\Microsoft\Windows\Libraries\infokey.zip. This file is masked with a fake ZIP (PK) header and employs XOR 0xDB encryption to obfuscate window titles, timestamps, and keystrokes. Malicious DLLs like vdmsc.dll are copied via SMB commands, and persistence is maintained by creating services such as “katech.” Tools like ICMPinger and LADON blend in with legitimate activity, while FRPC enables remote access, allowing stealthy movement across the victim network.
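The keylog artifact described above can be triaged offline. The following is an added example written for defenders; it is not Earth Kurma tooling and not code from the report. It assumes the decoy header is just the 2-byte "PK" magic followed by XOR-0xDB data (the report does not state the exact layout), and the sample artifact is constructed here, not a real capture. The heuristic flags a file that starts with "PK" but does not parse as a ZIP and whose body becomes mostly printable text once the XOR is undone.

```python
"""Triage helper for KMLOG-style keylog artifacts.
Added example for defenders; not Earth Kurma tooling and not from the report."""
import io
import string
import struct
import zipfile

XOR_KEY = 0xDB          # single-byte XOR key reported for KMLOG's infokey.zip
FAKE_HEADER_LEN = 2     # ASSUMPTION: the decoy header is only the 2-byte "PK" magic
PRINTABLE = set(string.printable.encode("ascii"))


def xor_db(data: bytes) -> bytes:
    """XOR every byte with 0xDB. The operation is its own inverse."""
    return bytes(b ^ XOR_KEY for b in data)


def is_real_zip(data: bytes) -> bool:
    """A genuine ZIP parses and its entries pass a CRC check."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.testzip() is None
    except (zipfile.BadZipFile, OSError, ValueError, struct.error):
        return False


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII (letters, digits, punctuation, whitespace)."""
    if not data:
        return 0.0
    return sum(1 for b in data if b in PRINTABLE) / len(data)


def looks_like_masked_keylog(data: bytes, threshold: float = 0.9) -> bool:
    """Heuristic: starts with "PK", is not a parseable ZIP, and the body
    becomes mostly printable text once XOR-0xDB is undone."""
    if not data.startswith(b"PK") or is_real_zip(data):
        return False
    return printable_ratio(xor_db(data[FAKE_HEADER_LEN:])) >= threshold


def decode_masked_log(data: bytes) -> str:
    """Strip the decoy header and recover the plaintext keylog for IR review."""
    return xor_db(data[FAKE_HEADER_LEN:]).decode("utf-8", errors="replace")


# Constructed sample (not a real capture): what a recovered log might contain,
# re-encoded the way the report describes the on-disk artifact.
SAMPLE_PLAINTEXT = (
    "[2024-06-12 09:15:03] Outlook - Inbox\r\n"
    "[2024-06-12 09:15:07] KEYS: quarterly report draft\r\n"
)
SAMPLE_ARTIFACT = b"PK" + xor_db(SAMPLE_PLAINTEXT.encode("utf-8"))


def build_real_zip() -> bytes:
    """Benign in-memory ZIP used to confirm the heuristic does not flag real archives."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "benign content")
    return buf.getvalue()


if __name__ == "__main__":
    print("artifact flagged:", looks_like_masked_keylog(SAMPLE_ARTIFACT))
    print("real zip flagged:", looks_like_masked_keylog(build_real_zip()))
    print(decode_masked_log(SAMPLE_ARTIFACT))
```

Because a real ZIP also starts with "PK", the ZIP-parse check is what separates the decoy from legitimate archives under the user's profile; if the actual header length differs from the assumption, only FAKE_HEADER_LEN needs to change.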

Persistent Access Through In-Memory Loaders:

Earth Kurma ensures persistence through in-memory loaders like DUNLOADER, TESDAT, and DMLOADER to evade disk-based detection. DUNLOADER loads payloads via rundll32.exe, while TESDAT uses SwitchToFiber to execute .dat files stealthily. DMLOADER decodes payloads in memory with functions like DoMain, and all loaders are hidden in user directories with randomized, legitimate-looking filenames to enhance stealth.

MORIYA and KRNRAT Rootkit Techniques:

Earth Kurma deploys the rootkits MORIYA and KRNRAT to gain kernel-level control over compromised systems. MORIYA intercepts TCP traffic, concealing malicious payloads within TCP packets by checking six magic bytes through IOCTL code 0x222004. It injects AES-decrypted payloads from \SystemRoot\system32\drivers\{driver_name}.dat into svchost.exe using syscall enumeration to evade detection. KRNRAT, a flexible backdoor derived from open-source projects (e.g., Blackbone, Cronos-Rootkit), utilizes various IOCTL codes for process termination, file hiding, and network obfuscation. Its internal name is revealed through the PDB string N:\project\li\ThreeTools\KrnRat\code\x64\Debug\SmartFilter.pdb. The KRNRAT user-mode agent, a memory-resident stager, communicates with command-and-control servers while concealing processes and connections via additional IOCTL codes.
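An IOCTL code such as 0x222004 is not an opaque number: it is built with the Windows CTL_CODE macro, and decoding it tells an analyst which device class and function range a driver interface uses. The block below is an added example, not from the report or the malware; the CTL_CODE layout and the FILE_DEVICE_* values are the documented Windows ones, while the "likely third-party driver" heuristic at the end is this example's own triage rule.

```python
"""Decode Windows IOCTL control codes such as the 0x222004 used by MORIYA.
Added example; the bit layout is the documented CTL_CODE macro, the
third-party-driver heuristic is this example's own triage rule."""

# Selected FILE_DEVICE_* values from the Windows DDK.
DEVICE_TYPES = {
    0x07: "FILE_DEVICE_DISK",
    0x09: "FILE_DEVICE_FILE_SYSTEM",
    0x12: "FILE_DEVICE_NETWORK",
    0x22: "FILE_DEVICE_UNKNOWN",
}
METHODS = {0: "METHOD_BUFFERED", 1: "METHOD_IN_DIRECT",
           2: "METHOD_OUT_DIRECT", 3: "METHOD_NEITHER"}
ACCESS = {0: "FILE_ANY_ACCESS", 1: "FILE_READ_ACCESS",
          2: "FILE_WRITE_ACCESS", 3: "FILE_READ_ACCESS | FILE_WRITE_ACCESS"}


def ctl_code(device_type: int, function: int, method: int, access: int) -> int:
    """Mirror of CTL_CODE: (DeviceType << 16) | (Access << 14) | (Function << 2) | Method."""
    return (device_type << 16) | (access << 14) | (function << 2) | method


def decode_ioctl(code: int) -> dict:
    """Split a control code back into its four fields."""
    device_type = (code >> 16) & 0xFFFF
    access = (code >> 14) & 0x3
    function = (code >> 2) & 0xFFF
    method = code & 0x3
    return {
        "code": f"0x{code:06X}",
        "device_type": device_type,
        "device_name": DEVICE_TYPES.get(device_type, "vendor/unknown"),
        "function": function,
        "method": METHODS[method],
        "access": ACCESS[access],
        # Function codes 0x000-0x7FF are reserved for Microsoft; 0x800-0xFFF are vendor-defined.
        "vendor_function": function >= 0x800,
    }


def likely_third_party_driver_ioctl(code: int) -> bool:
    """Triage heuristic: FILE_DEVICE_UNKNOWN plus a vendor-range function number is the
    pattern of a bespoke driver interface rather than a stock Windows device class.
    A match is a prompt to examine the driver, not proof of malice."""
    info = decode_ioctl(code)
    return info["device_type"] == 0x22 and info["vendor_function"]


if __name__ == "__main__":
    print(decode_ioctl(0x222004))
    print("triage flag:", likely_third_party_driver_ioctl(0x222004))
```

For 0x222004 the decode is FILE_DEVICE_UNKNOWN, function 0x801, METHOD_BUFFERED, FILE_ANY_ACCESS, which is exactly what a custom driver exposing its first private control code looks like; the other KRNRAT IOCTL codes can be fed through the same function when they are recovered from a sample.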

Document Collection and Exfiltration Strategies:

Earth Kurma exfiltrates specific document formats (.pdf, .doc, .xls, .ppt) using TESDAT, which collects files into a “tmp” folder. These files are archived with WinRAR, password-protected, and named after the host. SIMPOBOXSPY uploads the archives to Dropbox using access tokens, creating timestamped folders with extensions like “.z” or “.7z.” ODRIZ, an older tool, uploads files to OneDrive via refresh tokens. Exfiltrated archives are moved to the AD sysvol folder, leveraging DFSR to sync across domain controllers, enabling data extraction via any compromised server. PowerShell scripts optimize file collection by filtering those modified in the last 30 days.
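Archives staged under sysvol are a concrete hunt target: sysvol should hold Group Policy templates and logon scripts, not host-named RAR or 7z files. The block below is an added example for defenders, not code from the report. It walks a sysvol-like tree, identifies archives by magic bytes (not just extension), notes whether they are recent, whether their name matches a known hostname, and, for RAR5, whether the archive headers are encrypted (the first block after the signature being a type-4 encryption header). The directory tree, the hostname WS-FIN-07 and the GUID placeholder are all constructed for the demonstration.

```python
"""Hunt for staged exfiltration archives under a SYSVOL-like tree.
Added example for defenders; not Earth Kurma tooling and not from the report."""
import os
import shutil
import tempfile
import time
from pathlib import Path

ARCHIVE_MAGIC = {
    b"Rar!\x1a\x07\x00": "rar4",
    b"Rar!\x1a\x07\x01\x00": "rar5",
    b"7z\xbc\xaf\x27\x1c": "7z",
}
RAR5_SIG = b"Rar!\x1a\x07\x01\x00"
SUSPECT_EXT = {".rar", ".7z", ".z"}   # extensions named in the report


def archive_kind(path: Path):
    """Identify an archive by its leading bytes, ignoring the extension."""
    with open(path, "rb") as fh:
        head = fh.read(8)
    for magic, kind in ARCHIVE_MAGIC.items():
        if head.startswith(magic):
            return kind
    return None


def read_vint(buf: bytes, pos: int):
    """RAR5 variable-length integer: 7 data bits per byte, high bit means continue."""
    value = shift = 0
    while True:
        b = buf[pos]
        pos += 1
        value |= (b & 0x7F) << shift
        if not b & 0x80:
            return value, pos
        shift += 7


def rar5_headers_encrypted(path: Path) -> bool:
    """True when the first RAR5 block is an archive encryption header (type 4).
    Only header encryption is detected here; per-file data encryption without
    header encryption would need the file headers parsed as well."""
    with open(path, "rb") as fh:
        data = fh.read(64)
    if not data.startswith(RAR5_SIG):
        return False
    try:
        pos = len(RAR5_SIG) + 4            # skip signature and the block CRC32
        _size, pos = read_vint(data, pos)
        htype, _ = read_vint(data, pos)
    except IndexError:
        return False
    return htype == 4


def scan_sysvol(root: Path, hostnames, max_age_days: int = 30):
    """Return one finding per archive-like file with the reasons it was flagged."""
    now = time.time()
    known_hosts = {h.lower() for h in hostnames}
    findings = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        reasons = []
        kind = archive_kind(path)
        if kind:
            reasons.append(f"archive-magic:{kind}")
        if path.suffix.lower() in SUSPECT_EXT:
            reasons.append("suspect-extension")
        if not reasons:
            continue
        if now - path.stat().st_mtime <= max_age_days * 86400:
            reasons.append("recent")
        if path.stem.lower() in known_hosts:
            reasons.append("named-after-host")
        if rar5_headers_encrypted(path):
            reasons.append("rar5-encrypted-headers")
        findings.append({"name": path.name, "path": str(path.relative_to(root)), "reasons": reasons})
    return findings


def build_sample_sysvol() -> Path:
    """Constructed sysvol layout: two benign files, one staged archive, one old archive."""
    root = Path(tempfile.mkdtemp(prefix="sysvol-"))
    policies = root / "domain" / "Policies" / "{PLACEHOLDER-GUID}" / "Machine"
    scripts = root / "domain" / "scripts"
    policies.mkdir(parents=True)
    scripts.mkdir(parents=True)
    (policies / "GptTmpl.inf").write_text("[Unicode]\nUnicode=yes\n")
    (scripts / "logon.bat").write_text("@echo off\n")
    # Staged RAR5 with an encryption header (CRC 0, size 0x20, type 4), named after a workstation.
    (scripts / "WS-FIN-07.rar").write_bytes(RAR5_SIG + b"\x00\x00\x00\x00" + b"\x20\x04" + b"\x00" * 40)
    old = policies / "old_backup.7z"
    old.write_bytes(b"7z\xbc\xaf\x27\x1c" + b"\x00" * 32)
    stale = time.time() - 90 * 86400
    os.utime(old, (stale, stale))
    return root


if __name__ == "__main__":
    root = build_sample_sysvol()
    for finding in scan_sysvol(root, {"WS-FIN-07"}):
        print(finding)
    shutil.rmtree(root)
```

Pointing scan_sysvol at a mounted \\domain\SYSVOL share with the organisation's hostname inventory gives a periodic check that complements DFSR event auditing; an archive that is recent, host-named and header-encrypted is worth an immediate look.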

Overlapping Tools and Attribution Difficulties:

Earth Kurma’s toolset shows similarities to those used in ToddyCat and Operation TunnelSnake campaigns. For example, SIMPOBOXSPY and its exfiltration scripts align with ToddyCat’s tools, while MORIYA shares similarities with a variant from Operation TunnelSnake. However, differences in attack patterns and the lack of unique tools make definitive attribution difficult. The generic nature of SIMPOBOXSPY hints at potential tool-sharing across APT groups, and the customized loader used in ToddyCat campaigns lacks execution logs linking it to TESDAT. As a result, analysts classify Earth Kurma as a unique APT group, noting its adaptive use of both open-source and custom tools.

Infrastructural Exploitation and Evasion Strategies:

Earth Kurma exploits legitimate infrastructure, including syssetup.dll and INF files (e.g., SmartFilter.inf), to deploy rootkits. By leveraging trusted cloud platforms like Dropbox and OneDrive for data exfiltration, the group avoids detection. To enhance stealth, the group uses randomly named loaders in user directories, reflective loading with unique XOR keys, and syscall-based execution (e.g., NtCreateThreadEx). The group also deletes tools like ICMPinger after use and employs memory-resident payloads, minimizing forensic traces and complicating detection and response efforts.

Conclusion:

Earth Kurma is a sophisticated APT group employing advanced tactics to target government and telecommunications sectors in Southeast Asia. The group uses a combination of custom tools, rootkits, and cloud services to maintain persistent access, exfiltrate sensitive data, and evade detection. By exploiting legitimate infrastructure and employing memory-resident payloads, Earth Kurma complicates detection and response efforts. Despite toolset overlaps with other APT groups, the group’s adaptive approach and unique attack patterns highlight its distinct nature and advanced capabilities.

Impact

Earth Kurma’s attacks target sensitive government and telecom data across Southeast Asia, facilitating long-term, undetected access. The group’s use of credential theft and data exfiltration through trusted cloud platforms poses significant risks to national security and operational continuity. Kernel-level rootkits establish persistent access, increasing the likelihood of espionage and data breaches.

IOC and Context Details

Tactic Name: Exfiltration, Execution, Lateral Movement, Defense Evasion, Discovery, Credential Access, Collection

Technique Name:
  • Exfiltration: Exfiltration Over C2 Channel
  • Execution: Command and Scripting Interpreter
  • Lateral Movement: Remote Services
  • Defense Evasion: Process Injection, Obfuscated Files or Information, Modify Registry
  • Discovery: Network Service Discovery
  • Credential Access: Input Capture
  • Collection: Archive Collected Data

Sub Technique Name:
  • Execution - Command and Scripting Interpreter: PowerShell
  • Lateral Movement - Remote Services: SMB/Windows Admin Shares
  • Defense Evasion - Process Injection: Dynamic-link Library Injection
  • Defense Evasion - Obfuscated Files or Information: Embedded Payloads
  • Credential Access - Input Capture: Keylogging

Attack Type: Malware, Cyberespionage

Targeted Applications: Windows

Region Impacted: Malaysia, Philippines, Vietnam, South Asia, East Asia

Industry Impacted: Government, Telecommunications

IOCs

IP:
  103[.]238[.]214[.]88
  166[.]88[.]194[.]53
  38[.]147[.]191[.]103
  45[.]77[.]250[.]21
  38[.]60[.]199[.]225
  185[.]239[.]225[.]106
  149[.]28[.]147[.]63

SHA256:
  d3d2355b1ffb3f6f4ba493000e135dfd1b28156672e17f0b34dfc90cc3add352
  e143c15eaa0b3faccc93ce3693960323dbaa683ac9ce30382e876690278dfefa
  1c350d09c1cd545d54c38cd03aba3fd4eb0e8d97a3ba6c3744cc33ed92cb9a48
  2e87615142170a7510e26f94790bfb81df4d499a9f530d0bd8fe0fb1575b17f8
  1e48967e24d4ae2ac2697ef09c0f2702285825831bd516cb3be8859496fd296f
  f9892636093266a01ed6f0486c00189d2eeb532a3086660490f4efeb6d026487
  8414136128f73fa7e29032df7b8115bc89832c57e2602d81de1e520cc2d7958d
  ec9220cf8208a3105022b47861d4e200672846ef484c1ea481c5cfd617cb18dc
  1ab42121bb45028a17a3438b65a3634adb7d673a4e1291efeabf227a4e016cfb
  34366323262346e10d8780bad9d30c6d4d747e4ec543243be76f33b7c028ea36
  4198b4ec5bb0c72112e9cf835686c33b9a97037acfb7727e494046a73106e938
  aa925a5a8a7d5b36a66431f4968bd1003d1bbb6cb3ff6d03d9e3e0143c48382b
  c0326a0cd6137514ee14b6ac3be7461e8cf6c6adec74d087fd30cb06b91ecda2
  b26e8e0be066ee0b86f8fb2b0a703717ebbf34c8a33ef9a6f8f164ad012f1746
  131bacdddd51f0d5d869b63912606719cd8f7a8f5b5f4237cbdb5c2e22e2cba2
  66edb72f6f7c8cad23c6659a81fa023f57c1a86c7d7b7022f1453b177f2b3670
  f3916c414db0f660d488c9d3aaa8355f3eb036ca27a9c606fe7e5e1a9bd42b38
  c6f73268eba553c7991f876a166440f5b4d519dea6b13bc90583fde1e89e81ed
  8c703148567cb66fe27bc07d18de58aa36aa84a49f1ce7545e9ec56378857d3d

SHA1:
  c4e8d3c5c18c5be05988d144ce5edbab5c50951d
  9ad3ecabcba8ac55e6157b0e805b11e916c16d8b
  136076ee6164f20feb4bb322fe0656bc755ebdaf
  ebb90582a0589d355c7c770fb8a1235050b7344a
  205ed479eda3e605985c5d7bd1ace5ee5d1141d0
  5f6bcdb04184091c9bc198c175af394cb4303512
  e943ea26f16ded692b4f7b588fe0042d154615f2
  2469102c7c83e5af44e413a20409880b43184ac5
  a40a3a6b5073d24f708295f3c43edd8e4e774c06
  cde8543c1b11cd4741d7a93faa663416666e1226
  7e62ee9920d395a513aa4b112ecb22f7b5803be7
  3b6c7916aeae21628397b59de742a621026df6b4
  f7cbdb5136f7560628af3632accfbe9223351200
  720d744310bede34a011205006e03be4b9d491cd
  f3387205f3404481db75149e839df8d3e215bd0c
  34894d5ffa541ab159b69a2fe0937a5430dac545
  49b5260daa9a920537fb240363e85d49719d6fd4
  e3a5d17b32edecb8dca3783a5193e1289ef13252
  bd3035c7fe00b7e61aeddd20271c73cc1fd85c0f

MD5:
  8aa37b228a76dca1f3e02297d9bd6d52
  b1fbdcf9057825ee2fe726798d376e5e
  67165600be58fc451de2059d1d754353
  1f276e6545d92a0607dee715b594ef8d
  60554308955996496aa1e7c4e4399816
  066729fdf942acf829bb00c82d0d98e3
  bebbeba37667453003d2372103c45bbf
  78928b2767d6117c9263f7607b8e14cf
  e7c16833d3b78d4fcdaf651ecb8b67e8
  bc854390140aa80a363ff0c051a1a7bb
  dbd7194fc85fcb8b1c7f265ee82619bc
  57f4053f5d673cd7b6e7fe4dd33606ec
  705ccaefbc25b5de7fe861ea1e9a7238
  332049620b2946f03c70c4720a249fb6
  e00ded614b884035245c26c81e971736
  fdee6c0e96764496c63f1a0929a7d160
  72a67ae423be6f28fea0800b43e8d7ae
  199f5ae7304df2ad471b800af76da1ba
  617ea77bf8f26f79df8dc7d7542fd517

Domain:
  www[.]igtsadlb2ra[.]pw
  www[.]vidsec[.]cc
  www[.]ihyvcs5t[.]pw
  www[.]dfsg3gfsga[.]space

CVE: NA

Recommended Actions

  • Enforce Digital Driver Signing: Implement Group Policies to allow only digitally signed drivers, preventing the installation of malicious rootkits.
  • Strengthen Active Directory Security: Regularly audit sysvol directories and DFSR events to mitigate the risk of data exfiltration.
  • Limit SMB Protocol: Restrict SMB usage to prevent lateral movement and unauthorized file transfers within the network.
  • Deploy Endpoint Detection: Utilize solutions like Trend Vision One™ to detect and block malicious payloads and components.
  • Monitor Cloud Traffic: Actively monitor traffic to platforms like Dropbox and OneDrive for abnormal upload activities.
  • Improve Network Segmentation: Isolate critical systems to restrict lateral movement and reduce potential attack surface.
  • Conduct Regular Security Audits: Perform routine infrastructure scans to identify tools like ICMPinger and LADON.
  • Implement Keylogger Protection: Watch for suspicious files in the %AppData% folder to detect keyloggers like KMLOG.

References