The notorious advanced persistent threat (APT) group ‘Earth Aughisky’ has resurfaced with a new malware toolset aimed at East Asian nations, including Taiwan and Japan.
Trend Micro reported the return of the gang last week, noting that the cyber espionage group Earth Aughisky, AKA Taidoor, known for its high-profile cases and its ability to break into tier 1 accounts, software, companies, and network infrastructure, had resurfaced.
Sources claim that the threat group is based in China and has primarily targeted users in Taiwan over the last decade. In 2017, cybersecurity organizations detected a pattern of attacks directed primarily at Taiwan that then expanded to Japan.
Earth Aughisky runs wild
In the past, Earth Aughisky has targeted the government, telecommunications, manufacturing, heavy industry, technology, and transportation sectors. The gang favors spear-phishing, entering a network to deploy next-stage backdoors while at the same time narrowing the attack and limiting the sources of visibility and control available over the compromised asset.
The threat actors appear to use a remote access trojan called Taidoor (aka Roudan), and the group has previously been linked to other malware families, including but not limited to GrubbyRAT, K4RAT, LuckDLL, Serkdes, Taikite, and Taleret.
The group has used multiple backdoors over the years, including SiyBo, which employs public domain services like Gubb and 30 Boxes for command-and-control (C2). It also uses the DropNetClient (aka Buxzop) backdoor, which leverages the Dropbox API for C2.
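Backdoors that tunnel C2 through a legitimate cloud API blend into normal traffic, so a defender's first question is which hosts talk to that API at all, and whether they do so like a browser or like an implant. The following is an added example (not code from the original article or from Trend Micro) that scans constructed proxy log lines for hosts reaching the public Dropbox API endpoints from a non-browser client at regular intervals; the log format, the hostnames treated as "cloud API", and the browser markers are assumptions for the example.

```python
"""Flag hosts polling the Dropbox API from a non-browser client at a steady
cadence, a pattern consistent with cloud-service C2 such as the DropNetClient
backdoor. Log lines below are constructed; fields are tab-separated:
timestamp, source IP, destination host, User-Agent."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Assumption: legitimate callers here are browsers or the official desktop client.
BROWSER_MARKERS = ("Mozilla/", "DropboxDesktopClient")
CLOUD_API_HOSTS = {"api.dropboxapi.com", "content.dropboxapi.com"}

SAMPLE_LOG = [  # constructed sample, not real telemetry
    "2022-10-17T09:00:00\t10.0.0.7\tapi.dropboxapi.com\tWindows-Utility/1.0",
    "2022-10-17T09:05:00\t10.0.0.7\tapi.dropboxapi.com\tWindows-Utility/1.0",
    "2022-10-17T09:01:13\t10.0.0.5\tapi.dropboxapi.com\tMozilla/5.0 (Windows NT 10.0)",
    "2022-10-17T09:10:00\t10.0.0.7\tapi.dropboxapi.com\tWindows-Utility/1.0",
    "2022-10-17T09:00:00\t10.0.0.8\tapi.dropboxapi.com\tcurl/7.68.0",
    "2022-10-17T09:02:00\t10.0.0.8\tapi.dropboxapi.com\tcurl/7.68.0",
    "2022-10-17T09:15:00\t10.0.0.7\tapi.dropboxapi.com\tWindows-Utility/1.0",
    "2022-10-17T09:30:00\t10.0.0.8\tapi.dropboxapi.com\tcurl/7.68.0",
    "2022-10-17T09:31:00\t10.0.0.8\tapi.dropboxapi.com\tcurl/7.68.0",
    "2022-10-17T09:20:00\t10.0.0.7\tapi.dropboxapi.com\tWindows-Utility/1.0",
    "2022-10-17T09:47:02\t10.0.0.9\tcontent.dropboxapi.com\tDropboxDesktopClient/160.4",
]

def parse_line(line):
    ts, src, dst, ua = line.split("\t")
    return datetime.fromisoformat(ts), src, dst, ua

def find_suspicious(lines, min_hits=4, max_jitter=0.2):
    """Return (src, dst) pairs with >= min_hits non-browser API calls whose
    inter-request gaps vary by at most max_jitter of their mean (beacon-like)."""
    seen = defaultdict(list)
    for line in lines:
        ts, src, dst, ua = parse_line(line)
        if dst in CLOUD_API_HOSTS and not ua.startswith(BROWSER_MARKERS):
            seen[(src, dst)].append(ts)
    findings = []
    for (src, dst), stamps in seen.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            findings.append({"src": src, "dst": dst, "hits": len(stamps), "period_s": round(avg)})
    return findings

if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOG):
        print(f)
```

Host 10.0.0.8 also uses a non-browser client but is not flagged, because its irregular request timing fails the jitter test; the steady five-minute cadence from 10.0.0.7 is what stands out.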
According to the Trend Micro report, the malware strains share similar source code, domains, and patterns with those employed by Earth Aughisky. The cybersecurity firm also linked the threat actor to another APT actor, codenamed Pitty Tiger (APT24) by Airbus.
Since 2017, the group has targeted companies and individuals in Japan and Southeast Asia. It continues to drive its campaigns with a new strategy and toolset that suggest it is revamping its malware and attack infrastructure.
CH Lei, a researcher at the cybersecurity firm, said, “Groups like Earth Aughisky have enough resources at their disposal that allow them the flexibility to match their weaponry for long-term implementations of cyber espionage.” Additionally, the report warned organizations to treat the “lull” phase observed in the group’s activity as “preparation for when it resumes activity”.