Summary:
Trend Micro has reported a spear-phishing campaign in Japan linked to Earth Kasha, utilizing the backdoor ANEL and the modular backdoor NOOPDOOR. The campaign targets individuals in political and research sectors, employing various evasion techniques and malware delivery methods. This marks a shift in Earth Kasha’s tactics, focusing on personal rather than enterprise targets.
#EarthKasha #SpearPhishing #CyberThreats
Trend Micro has reported a spear-phishing campaign in Japan linked to Earth Kasha, utilizing the backdoor ANEL and the modular backdoor NOOPDOOR. The campaign targets individuals in political and research sectors, employing various evasion techniques and malware delivery methods. This marks a shift in Earth Kasha’s tactics, focusing on personal rather than enterprise targets.
#EarthKasha #SpearPhishing #CyberThreats
Keypoints:
Trend Micro identified a spear-phishing campaign in Japan since June 2024.
The campaign is attributed to Earth Kasha, utilizing the backdoor ANEL and NOOPDOOR.
Targets include individuals in political organizations and research institutions.
The campaign marks a shift from targeting enterprises to individuals.
Malware delivery methods include macro-enabled documents and disguised shortcut files.
ROAMINGMOUSE is used as a dropper for ANEL-related components.
ANELLDR is a loader that executes ANEL in memory, employing anti-analysis techniques.
Post-exploitation activities include information gathering and deploying additional malware.
Earth Kasha’s tactics and tools have evolved, necessitating ongoing vigilance against their campaigns.
MITRE Techniques:
Initial Access (T1566): Utilizes spear-phishing emails to gain initial access to targets.
Execution (T1203): Executes malicious documents that require macro enabling for infection.
Defense Evasion (T1027): Implements evasion techniques to avoid detection by sandboxes.
Credential Access (T1003): Collects credentials through various means post-infection.
Command and Control (T1071): Uses HTTP-based communication for command and control operations.
Exfiltration (T1041): Gathers sensitive information from the infected environment.
IoC:
[domain] 139[.]84[.]131[.]62
[domain] 139[.]84[.]136[.]105
[domain] 45[.]32[.]116[.]146
[domain] 45[.]77[.]252[.]85
[domain] 208[.]85[.]18[.]4
[file name] ROAMINGMOUSE
[file name] normal_.dotm
[file name] ScnCfg32.exe
[file name] vsodscpl.dll
[file name] ANEL
[tool name] ANELLDR
[tool name] NOOPDOOR
Full Research: https://www.trendmicro.com/en_us/research/24/k/return-of-anel-in-the-recent-earth-kasha-spearphishing-campaign.html