From cyware.com
The Earth Krahang APT group has been found using a lesser-known RESHELL backdoor, alongside the XDealer backdoor, to infect organizations across the globe. Both backdoors are dropped via spear-phishing emails related to geopolitical affairs.
Modus operandi
As part of the campaign, the attackers use compromised email addresses to send malicious attachments to users in the same organization.
- The emails are sent under the pretext of geopolitical topics, such as “Malaysian Ministry of Defense Circular,” “ICJ public hearings- Guyana vs. Venezuela,” or “Malaysian defense minister visits Hungary,” to lure users.
- The malicious attachment is a RAR archive containing an LNK file that, when opened, executes the backdoor installers on the victim's system.
- In some cases, the backdoors were delivered through web shells on compromised servers.
- Researchers highlighted that the threat actor compromised a government web server and leveraged it to scan for vulnerabilities in other government targets.