Related Families: Roudan/Taidoor, LuckDLL, GrubbyRAT, Taikite, SiyBot, Taleret, Serkdes, Buxzop
Verticals Targeted: Government, Technology, Transportation, Telecommunications, Manufacturing, Healthcare, Heavy Industries
Trend Micro recently reported on Earth Aughisky and the myriad of tools used by this threat actor group.
- Earth Aughisky is a Chinese nexus threat actor group thought to operate on behalf of the Chinese government.
- The group has targeted multiple verticals but typically limits its targeting to Taiwan and Japan.
- The group uses a myriad of tools in its arsenal, including Roudan/Taidoor, LuckDLL, GrubbyRAT, Taikite, SiyBot, Taleret, Serkdes, and Buxzop.
Earth Aughisky, also known as Taidoor, is a Chinese nexus threat actor group thought to operate on behalf of the Chinese government. The group has been active for over 10 years and has used a variety of tools, including Serkdes, Buxzop, Taikite, K4RAT, LuckDLL, Kuangdao, Specas, GrubbyRAT, Taleret, GOORAT, Roudan, SiyBot, ASRWEC, Comeon, Illitat, and TWTRAT. Trend Micro reported that some of these tools overlap to varying degrees, including in infrastructure, function, payload and downloader, strings, incidents, loaders and droppers, and campaign codes. Historically, Earth Aughisky has primarily targeted entities in Taiwan and Japan. Verticals targeted include government, technology, transportation, telecommunications, manufacturing, healthcare, and heavy industries.
Malware Families Used
Earth Aughisky is known to use a myriad of malware in its arsenal, including but not limited to the following malware families.
Roudan/Taidoor
Roudan, also known as Taidoor, is the original backdoor malware linked to the group over 10 years ago. The malware has evolved over the years. It uses an encoded MAC address and data.
LuckDLL is a backdoor first observed in the wild in 2020. Its public key is embedded in the malware configuration and is used when communicating with the C2. The malware generates a random session key and initialization vector to encrypt traffic.
Earth Aughisky uses GrubbyRAT in certain targeted attacks. The configuration file is installed under an existing application or legitimate system folder and uses the same file name as the component. Trend Micro notes this RAT appears to be manually installed after the threat actor has gained administrative access on the victim machine.
Taikite, also known as SVCMONDR, was identified as early as 2015. Trend Micro recently associated it with Earth Aughisky activity.
SiyBot was also recently associated with Earth Aughisky. Trend Micro notes this malware was only used in a limited number of attacks and appears to have limited functionality. It uses earlier versions of Gubb and 30 Boxes for C2 communication.
Taleret, also known as Dalgan, was first observed in the wild in 2013. It searches for C2 configurations on public blogs and uses XXXXX or ARTEMIS to locate the configuration. There are also web services embedded in the malware. Trend Micro found C2 overlap between Taleret, Roudan, and Taikite.
Serkdes, also known as Yalink, was first reported in 2018. It was observed in multiple Taidoor-related incidents. It is capable of loading its configuration from the file sysconf.dll using the Windows API function GetPrivateProfileStruct. It was primarily used on targets in Japan. Trend Micro notes this malware seems to be used by multiple threat actor groups.
Buxzop, also known as DropNetClient, reportedly uses the Dropbox API for C2 communication. It embeds a Dropbox secret and encodes it with a custom algorithm. It also creates a folder used for uploading victim data.
PolySwarm has multiple samples of malware associated with Earth Aughisky activity.
You can use the following CLI command to search for Earth Aughisky samples in our portal:
$ polyswarm link list -f EarthAughisky