Earth Kurma APT Uses Rootkits to Target Southeast Asia
Earth Kurma, a new advanced persistent threat group, has launched cyberattacks across Southeast Asia. Since mid-2024, it has targeted government and telecom sectors.
The attackers use kernel-level rootkits and custom malware to steal sensitive data, and they route the stolen data through trusted platforms like Dropbox and OneDrive so that exfiltration blends in with legitimate cloud traffic. As a result, detecting these attacks is extremely difficult.
Researchers have observed the group targeting countries like the Philippines, Vietnam, Thailand, and Malaysia. However, other regions may also be at risk. The campaign has evolved since November 2020, showing long-term planning and persistence.
Attackers Use Sophisticated Malware
The group relies on tools like KRNRAT and Moriya. These rootkits operate at the kernel level, making them hard to detect. For example, Moriya watches incoming network traffic and injects code directly into system processes.
KRNRAT, on the other hand, uses features from multiple open-source tools. It hides processes, manipulates files, and executes commands while avoiding detection. These tools create a hidden backdoor into infected systems.
For exfiltration, Earth Kurma uses malware like SIMPOBOXSPY and ODRIZ. These programs upload stolen documents to cloud storage using access tokens. The data includes PDFs, Word files, Excel sheets, and PowerPoint slides.
Before uploading, the attackers stage the collected documents in a temporary folder created on the victim's machine and pack them into password-protected archives using WinRAR.
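The staging-and-upload sequence just described, as an added detection example that is not from the article or from the researchers it cites: it correlates a password-protected WinRAR archive of office or PDF files written under a Temp folder with a later cloud-storage connection from a process that is not a browser or sync client. The event format, the allowlisted client names and the 30-minute window are assumptions, and the sample events are constructed.

```python
import re
from datetime import datetime, timedelta
from pathlib import PureWindowsPath
# Constructed sample events (not from the article): process-creation ("proc")
# and network-connection ("net") records from one host, one per line.
SAMPLE_LOG = """\
2024-09-03T10:15:40Z proc image=C:\\Program Files\\WinRAR\\Rar.exe cmd="Rar.exe a -hpSecret C:\\Users\\u\\AppData\\Local\\Temp\\x\\docs.rar C:\\Users\\u\\Documents\\*.docx C:\\Users\\u\\Documents\\*.pdf"
2024-09-03T10:16:05Z net image=C:\\Users\\u\\AppData\\Local\\Temp\\x\\svc.exe dest=content.dropboxapi.com:443
2024-09-03T11:30:00Z proc image=C:\\Program Files\\WinRAR\\Rar.exe cmd="Rar.exe a C:\\Users\\u\\Desktop\\photos.rar C:\\Users\\u\\Pictures\\*.jpg"
2024-09-03T11:31:00Z net image=C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe dest=www.dropbox.com:443
"""
EVENT_RE = re.compile(r'^(?P<ts>\S+) (?P<kind>proc|net) image=(?P<image>.+?\.exe)'
                      r'(?: cmd="(?P<cmd>[^"]*)")?(?: dest=(?P<dest>\S+))?$')
ARCHIVERS = {"rar.exe", "winrar.exe"}
LEGIT_CLOUD_CLIENTS = {"chrome.exe", "msedge.exe", "firefox.exe", "onedrive.exe", "dropbox.exe"}  # assumed allowlist
CLOUD_HOST_RE = re.compile(r'(?:^|\.)(?:dropbox(?:api)?\.com|onedrive\.com|1drv\.ms|graph\.microsoft\.com)$')
PASSWORD_SWITCH_RE = re.compile(r'(?:^|\s)-h?p\S')  # WinRAR -p<pw> or -hp<pw> (encrypted headers)
DOC_EXT_RE = re.compile(r'\.(?:pdf|docx?|xlsx?|pptx?)\b', re.I)

def parse(line):
    m = EVENT_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
    e["exe"] = PureWindowsPath(e["image"]).name.lower()
    return e

def is_staging_archive(e):  # password-protected RAR of documents written under a Temp folder
    return (e["kind"] == "proc" and e["exe"] in ARCHIVERS and e["cmd"] is not None
            and PASSWORD_SWITCH_RE.search(e["cmd"]) is not None
            and "\\temp\\" in e["cmd"].lower()
            and DOC_EXT_RE.search(e["cmd"]) is not None)

def is_unexpected_cloud_upload(e):  # cloud-storage endpoint reached by a non-allowlisted process
    if e["kind"] != "net" or e["exe"] in LEGIT_CLOUD_CLIENTS:
        return False
    return CLOUD_HOST_RE.search(e["dest"].rsplit(":", 1)[0]) is not None

def detect_exfil_chain(log_text, window=timedelta(minutes=30)):
    """Alert when an unexpected cloud upload follows a staging archive within `window`."""
    alerts, staged_at = [], None
    for e in filter(None, map(parse, log_text.splitlines())):
        if is_staging_archive(e):
            staged_at = e["ts"]
        elif is_unexpected_cloud_upload(e) and staged_at and e["ts"] - staged_at <= window:
            alerts.append((e["ts"], e["exe"], e["dest"]))
    return alerts
```

In practice the state is kept per host and the allowlist is tuned to the sync clients actually deployed, so that an unknown binary reaching these services stands out on its own.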
Stealth Tactics Help Avoid Detection
A unique part of the attack is the use of living-off-the-land (LotL) methods. Instead of using suspicious tools, Earth Kurma abuses legitimate Windows components. For example, they use syssetup.dll to install rootkits, making them blend in with normal system behavior.
They also scan the network using tools like NBTSCAN and ICMPinger. Then they move laterally with programs like Ladon and WMIHACKER. This allows them to explore and control other devices within the same network.
Although some tools resemble those from other threat actors, researchers haven’t confirmed any direct links. However, there are notable overlaps in techniques and code reuse.
How to Protect Against These Attacks
Organizations must stay alert to prevent damage from Earth Kurma. First, update all systems and software regularly. Also, monitor for strange behavior in cloud access or admin-level changes.
Using advanced endpoint protection and firewalls can block malware from communicating with its command-and-control servers. Moreover, apply the principle of least privilege across your systems.
Finally, train employees to recognize suspicious files and emails. Awareness, combined with strong security policies, helps reduce the risk of such stealthy intrusions.