In a significant development within the cybersecurity landscape, a new Advanced Persistent Threat (APT) group, dubbed Earth Kurma, has been identified as a potent threat to various nations in Southeast Asia. The group employs sophisticated techniques to infiltrate networks, gathering sensitive data and exfiltrating it through established Windows mechanisms.<\/p>

The cybersecurity analysis highlights a critical method utilized by Earth Kurma. After capturing files from targeted systems, the attackers create a password-protected archive, conventionally named after the host computer. This RAR file is then transferred to a specific directory, \DC_server\sysvol\{domain}\Policies\{ID}\user\<\/code>, using the Server Message Block (SMB) protocol. The "sysvol" folder is a crucial component of Active Directory (AD), containing all policies and information related to AD, and is exclusively present on Domain Controller (DC) servers. The attackers strategically move the collected archives into the "sysvol" folder to leverage a built-in Windows feature called Distributed File System Replication (DFSR). This feature facilitates the synchronization of AD policies across multiple DC servers by replicating the contents of the "sysvol" folder, thereby allowing the stolen archives to be disseminated across all DC servers. This enables attackers to exfiltrate data through any server, significantly complicating detection efforts.<\/p>

Our investigation has traced potential roots of this campaign back to two known groups: ToddyCat and Operation TunnelSnake. After a meticulous analysis, we have assigned Earth Kurma a unique designation due to its distinct operations. The APT group ToddyCat was first reported in 2022, with a notable tool referred to as the "tailored loader", which was also discovered on victim machines that were infected by the TESDAT loaders. Despite these findings, we did not locate any process execution logs that connect these loaders, although they do share similar exfiltration PowerShell scripts. Additionally, the tool SIMPOBOXSPY, utilized by Earth Kurma, has been associated with ToddyCat in the past.<\/p>

Both Earth Kurma and ToddyCat have shown a distinct focus on Southeast Asian countries, with ToddyCat's activities beginning as early as 2020. The timelines of their operations exhibit a close correlation with the activities attributed to Earth Kurma. However, it is essential to note that SIMPOBOXSPY is a relatively simple tool that could potentially be shared among different groups, making it challenging to definitively link Earth Kurma directly to ToddyCat.<\/p>

The second APT group that may have connections to Earth Kurma is Operation TunnelSnake, which was first reported in 2021. This group has been known to use a variant of the MORIYA tool, which shares a similar code base with the variant we have identified in relation to Earth Kurma. Nonetheless, there were no observable similarities in the post-exploitation stages between the two groups, making it difficult to establish a direct link.<\/p>

Currently, Earth Kurma remains an active threat, continuing its operations against Southeast Asian targets. The group has demonstrated an ability to adapt to various victim environments, maintaining a stealthy presence while employing previously identified code bases to customize their toolsets. At times, they even exploit the victims own infrastructure to achieve their objectives.<\/p>

To combat such sophisticated threats, security experts recommend implementing stringent security best practices. Organizations should enforce strict driver installation policies, allowing only digitally signed and explicitly approved drivers through Group Policies or application control solutions to mitigate the risk of malicious rootkits. Additionally, reinforcing Active Directory (AD) and DFSR controls is crucial. This involves securing the ADs sysvol directory and closely auditing DFSR replication events to prevent abuse for covert data exfiltration. Furthermore, limiting SMB communications across networks can thwart unauthorized lateral movements and file transfers.<\/p>

For a proactive approach to security, Trend Vision One emerges as a pioneering AI-powered enterprise cybersecurity platform. It centralizes cyber risk exposure management, security operations, and robust layered protection. This comprehensive strategy enables organizations to predict and prevent cyber threats effectively, resulting in improved security outcomes across their digital environments. With a remarkable 92% reduction in ransomware risk and a 99% decrease in detection time, Trend Vision One stands out as a vital resource for security professionals aiming to fortify their defenses. The platform also allows security leaders to benchmark their posture and demonstrate continuous improvements to stakeholders, eliminating critical security blind spots and enhancing the strategic role of security in driving innovation.<\/p>

Trend Vision One further provides customers with access to a range of Intelligence Reports and Threat Insights to stay ahead of emerging threats. These insights equip organizations to prepare for potential cyber incidents by offering detailed information on threat actors, their malicious activities, and their techniques. By leveraging this intelligence, customers can take proactive measures to safeguard their environments, mitigate risks, and respond effectively to threats.