Unveiling Earth Kurma: A New Cyber Threat Targeting Southeast Asia

Recent cyber threat analyses have uncovered a sophisticated operation named Earth Kurma, which is actively targeting governmental and institutional entities across Southeast Asia. The threat actors behind this operation have developed a methodical approach to data exfiltration, primarily utilizing a native Windows feature for their malicious endeavors.
After compiling sensitive files into a password-protected archive, commonly named after the host's name, these attackers leverage the SMB (Server Message Block) protocol to copy the archived RAR files into a specific directory: \DC_server\sysvol\{domain}\Policies\{ID}\user\. This folder, known as sysvol, is a crucial component of Active Directory (AD) that houses all of the AD policies and information. Notably, this folder is exclusive to Domain Controller (DC) servers.
It is believed that the attackers strategically place the collected archives into the sysvol folder to exploit a Windows feature known as Distributed File System Replication (DFSR). DFSR is responsible for synchronizing AD policies across multiple DC servers by replicating the contents of the sysvol folder among them. This means that once the stolen archives are stored in sysvol, they can automatically sync across all associated DC servers, facilitating exfiltration through any of these servers.
As part of the analysis, researchers pinpointed potential connections to two notable advanced persistent threat (APT) groups: ToddyCat and Operation TunnelSnake. These links prompted a comprehensive review, leading to the designation of this new campaign as Earth Kurma.
The ToddyCat group, first exposed in 2022, has been known to employ a specialized loader tool that was also detected on victim machines affected by TESDAT loaders. While there were similarities in the exfiltration PowerShell scripts used by both groups, a lack of process execution logs between the two loaders complicated the attribution. The tool SIMPOBOXSPY, utilized by Earth Kurma, had previously been associated with ToddyCat, yet due to the shared characteristics of the tool, a definitive connection could not be established.
Both Earth Kurma and ToddyCat have heavily focused their attacks on Southeast Asian nations, with reports indicating that ToddyCat's activities trace back to 2020, which aligns with the observed timeline of Earth Kurma's operations.
Additionally, the second APT group, Operation TunnelSnake, was first reported in 2021 and is known for employing the MORIYA malware, which shares its code base with the MORIYA variant identified in this investigation. Like ToddyCat, Operation TunnelSnake has also targeted Southeast Asian countries. However, researchers found no significant similarities in the post-exploitation procedures of the two groups.
Currently, Earth Kurma is characterized by its high activity levels and a strong focus on Southeast Asia. The group exhibits a remarkable capability to adapt to the environments of its victims, maintaining a stealthy presence. It is adept at reusing code bases from previous campaigns to customize its toolsets, sometimes capitalizing on the victims' own infrastructure to achieve its malicious objectives.
To counter such cyber threats, security experts recommend implementing a series of best practices:
- Enforce strict driver installation policies: Only allow digitally signed and explicitly approved drivers via Group Policies or application control solutions to mitigate the risk of malicious rootkits.
- Strengthen Active Directory controls: Secure the AD's sysvol directory and conduct regular audits on DFSR replication events to prevent misuse for covert data exfiltration.
- Limit SMB communications: Restrict the use of the SMB protocol across networks to thwart lateral movement and unauthorized file transfers.
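The sysvol staging technique described above and the "audit sysvol" recommendation in the list suggest one concrete check a defender can run. The Python script below is an added example written for this article; it is not code from the original report or from any vendor tool. It does two things: it scans Windows Security event 5145 records (network share object access, which requires the "Detailed File Share" audit subcategory to be enabled on the domain controllers) for write access to archive files under the Policies tree of the SYSVOL share, and it walks a local SYSVOL directory for archive files, which have no legitimate reason to exist there. The log lines, account names, GUIDs and hostnames are constructed for the example; the key=value record layout is an assumption standing in for whatever export format your SIEM produces.

```python
import os
import tempfile

# Archive types an attacker might stage for exfiltration; none belong in SYSVOL.
ARCHIVE_EXT = {".rar", ".zip", ".7z"}
# Security event 5145 AccessMask bits that mean a write to the share object
# (0x2 WriteData/AddFile, 0x4 AppendData/AddSubdirectory).
WRITE_BITS = 0x2 | 0x4

# Constructed sample Security log export (not real telemetry): one record per
# line, key=value fields separated by '|'. Only the 5145 write of a .rar into
# SYSVOL\<domain>\Policies\<GPO GUID>\User should be flagged.
SAMPLE_EVENTS = r"""
EventID=5145|Account=CONTOSO\svc-gpo|ShareName=\\*\SYSVOL|RelativeTargetName=contoso.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Registry.pol|AccessMask=0x2
EventID=5145|Account=CONTOSO\jdoe|ShareName=\\*\SYSVOL|RelativeTargetName=contoso.com\Policies\{6AC1786C-016F-11D2-945F-00C04FB984F9}\User\WS-FIN-07.rar|AccessMask=0x2
EventID=5145|Account=CONTOSO\jdoe|ShareName=\\*\SYSVOL|RelativeTargetName=contoso.com\Policies\{6AC1786C-016F-11D2-945F-00C04FB984F9}\User\WS-FIN-07.rar|AccessMask=0x80
EventID=5145|Account=CONTOSO\jdoe|ShareName=\\*\NETLOGON|RelativeTargetName=WS-FIN-07.rar|AccessMask=0x2
EventID=5140|Account=CONTOSO\jdoe|ShareName=\\*\SYSVOL|RelativeTargetName=|AccessMask=0x1
"""


def parse_event(line):
    """Split one 'k=v|k=v' record into a dict; blank lines give {}."""
    line = line.strip()
    if not line:
        return {}
    return dict(field.split("=", 1) for field in line.split("|"))


def is_policy_path(rel_path):
    """True when the share-relative path sits under <domain>\\Policies\\."""
    parts = [p.lower() for p in rel_path.replace("/", "\\").split("\\") if p]
    return len(parts) >= 2 and parts[1] == "policies"


def flag_sysvol_archive_writes(log_text):
    """Return (account, path) for each write of an archive into SYSVOL\\...\\Policies."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev.get("EventID") != "5145":
            continue
        if not ev.get("ShareName", "").lower().endswith("\\sysvol"):
            continue
        target = ev.get("RelativeTargetName", "")
        filename = target.replace("/", "\\").rsplit("\\", 1)[-1]
        ext = os.path.splitext(filename)[1].lower()
        mask = int(ev.get("AccessMask", "0x0"), 16)
        if ext in ARCHIVE_EXT and mask & WRITE_BITS and is_policy_path(target):
            findings.append((ev["Account"], target))
    return findings


def scan_sysvol_tree(sysvol_root):
    """Walk a SYSVOL directory and list archive files found under any Policies folder."""
    hits = []
    for dirpath, _dirs, files in os.walk(sysvol_root):
        rel_parts = os.path.relpath(dirpath, sysvol_root).lower().split(os.sep)
        if "policies" not in rel_parts:
            continue
        for name in files:
            if os.path.splitext(name)[1].lower() in ARCHIVE_EXT:
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def build_sample_sysvol():
    """Create a throwaway SYSVOL lookalike (constructed test data) and return its root."""
    root = tempfile.mkdtemp(prefix="sysvol_")
    gpo = os.path.join(root, "contoso.com", "Policies",
                       "{6AC1786C-016F-11D2-945F-00C04FB984F9}")
    for sub, fname in (("Machine", "Registry.pol"),
                       ("User", "WS-FIN-07.rar"),
                       ("User", "comment.cmtx")):
        os.makedirs(os.path.join(gpo, sub), exist_ok=True)
        with open(os.path.join(gpo, sub, fname), "wb") as fh:
            fh.write(b"sample")
    return root


if __name__ == "__main__":
    for account, path in flag_sysvol_archive_writes(SAMPLE_EVENTS):
        print(f"[5145] {account} wrote an archive into SYSVOL: {path}")
    for hit in scan_sysvol_tree(build_sample_sysvol()):
        print(f"[scan] unexpected archive in SYSVOL: {hit}")
```

Both checks are deliberately narrow: a write of an archive into the Policies tree is rare enough in a healthy domain that each hit deserves a look, while a broad alert on any SYSVOL write would drown in routine Group Policy edits. Because DFSR replicates the file to every DC, the filesystem scan should be run on each domain controller, not just the one the SMB write was seen on.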
Trend Vision One, an AI-powered enterprise cybersecurity platform, provides organizations with a comprehensive approach to managing cyber risk exposure, enhancing security operations, and offering robust layered protection. This platform empowers organizations to predict and prevent threats effectively, boasting proven results such as a remarkable 92% reduction in ransomware risk and a 99% decrease in detection time. By leveraging Trend Vision One, security leaders can benchmark their posture and demonstrate continuous improvement to stakeholders.
Furthermore, Trend Vision One customers benefit from a wealth of Intelligence Reports and Threat Insights that help them stay ahead of emerging cyber threats. These insights enable organizations to prepare for potential threats by offering comprehensive information on threat actors, their malicious activities, and their tactics. By utilizing this intelligence, businesses can take proactive measures to safeguard their environments and effectively respond to incidents.
For those interested in scanning for potential malware detections associated with Earth Kurma, the following query can be employed:
malName: (*DUNLOADER* OR *TESDAT* OR *DMLOADER* OR *MORIYA* OR *KRNRAT* OR *SIMPOBOXSPY* OR *ODRIZ* OR *KMLOG*) AND eventName: MALWARE_DETECTION
The indicators of compromise related to this cyber threat can be found in dedicated reports, giving organizations the necessary resources to protect against such evolving threats.