Insights, news, education and announcements from PolySwarm

Earth Aughisky's Malware Arsenal

Written by PolySwarm Tech Team | Oct 24, 2022 5:58:51 PM

Related Families: Roudan/Taidoor, LuckDLL, GrubbyRAT, Taikite, SiyBot, Taleret, Serkdes, Buxzop

Verticals Targeted: Government, Technology, Transportation, Telecommunications, Manufacturing, Healthcare, Heavy Industries

Executive Summary

Trend Micro recently reported on Earth Aughisky and the myriad of tools used by this threat actor group.

Key Takeaways

  • Earth Aughsky is a Chinese nexus threat actor group thought to operate on behalf of the Chinese government.
  • The group has targeted multiple verticals but typically limits its targeting to Taiwan and Japan.
  • The group uses a myriad of tools in its arsenal, including Roudan/Taidoor, LuckDLL, GrubbyRAT, Taikite, SiyBot, Taleret, Serkdes, and Buxzop.
Who is Earth Aughisky?

Earth Aughisky, also known as Taidoor, is a Chinese nexus threat actor group thought to operate on behalf of the Chinese government. The group has been active for over 10 years and has used a variety of TTPs, including Serkdes, Buxzop, Taikite, K4RAT, LuckDLL, Kuangdao, Specas, GrubbyRAT, Taleret, GOORAT, Roudan, SiyBot, ASRWEC, Comeon, Illitat, and TWTRAT. Trend Micro reported some of these tools to have multiple degrees of overlap, including infrastructure, function, payload and downloader, strings, incidents, loaders and droppers, and campaign codes. Historically, Earth Aughisky has primarily targeted entities in Taiwan and Japan. Verticals targeted include government, technology, transportation, telecommunications, manufacturing, healthcare, and heavy industries.

Malware Families Used

Earth Aughisky is known to use a myriad of malware in its arsenal, including but not limited to the following malware families.

Roudan/TaidoorRoudan, also known as Taidoor, is the original backdoor malware linked to the group over 10 years ago. The Malware has evolved over the years. It uses an encoded MAC address and data.

LuckDLL
LuckDLL is a backdoor first observed in the wild in 2020. Its public key is embedded in the malware configuration and communicates with the C2. The malware generates a random session key and initialization vector to encrypt traffic.

GrubbyRAT
Earth Aughisky uses GrubbyRAT in certain targeted attacks. The configuration file is installed under an existing application or legitimate system folder and uses the same file name as the component. Trend Micro notes this RAT appears to be manually installed after the threat actor has gained admin on the victim machine.

Taikite
Taikite, also known as SVCMONDR, was identified as early as 2015. Trend Micro recently associated it with Earth Aughisky activity.

SiyBot
SiyBot was also recently associated with Earth Aughisky. Trend Micro notes this malware was only used in a limited number of attacks and appears to have limited functionality. It uses earlier versions of Gubb and 30 Boxes for C2 communication.

Taleret
Taleret, also known as Dalgan, was first observed in the wild in 2013. It searches for C2 configurations on public blogs and uses XXXXX or ARTEMIS to locate the configuration. There are also web services embedded in the malware. Trend Micro found C2 overlap between Taleret, Roudan, and Taikite.

Serkdes
Serkdes, also known as Yalink, was first reported in 2018. It was observed in multiple Taidoor-related incidents. It is capable of loading the configuration from the file sysconf.dll using the executable GetPrivateProfileStruct. It was primarily used on targets in Japan. Trend Micro notes this malware seems to be used by multiple threat actor groups.

Buxzop
Buxzop, also known as DropNetClient, reportedly uses a DropBox API for C2 communication. It embeds a DropBox secret and encodes it with a custom algorithm. It also creates a folder used for uploading victim data.

IOCs

PolySwarm has multiple samples of malware associated with Earth Aughisky activity.

353ba074ad58985bc1383e557dfbec8785c80d81900094af9f70e3afb7ca8a9c

871cb0b02214a5f9c394220af40b5da302f176fb5f1cc5ff1fdd9fa3582b3ee2

57df5a83dfcbe8ed656e6fe146508625edbe9c5f476c24ca8b4a669be270179d

F3dd7b30daca1ea58060124cba263b3aea62c320f12b1354338bf9fb8405575a

08909439d1f7c15c17d231154a8983525f9ce6dbf9ad2ae5c93b3e2cbed69aea

19570ad17429ba8995f2afa2ed635eafe06a4da290a663487ef053d097759b4d

273e1b31020f0171e8acea4348fbef98fb8fc2c1dcd98afce729694b20de877c

341c615f25657daf40087808060b2e1bcaf879c8cdd4e659636a231cc32348dd

35228ac8ba165be86d5a42dae59db92b6d94060cd99f78f12eee8eb02c1388d6

50b9c5b1013b086320b296e7b18e0a0bd305dbc815058dd3b495f4507af5b77b

5f80c0354abb5bcde65073b41fc21262dc331dbf8d6240861e1efcb9d054397e

69802ebba3dec1d7302235a3745b4621afa0bd98b5e6e5587b7faf4a1853843e

15a15ca80d72667e2d140a59dd155afcb9e88be3621715c5d89f9c69ed20e3f5

49d426c39451448f4e283d9610043270c4beec6266e0084abd15fe39f86ecb1e

723314d0b8ba1807f50da159e8892b637d25a921cc291c7025d941935de8e18c

B0223da6002cc9e208c998865b5dcd5529844fc27973e35c191ce6bba9d8c1e3

C2c0bfdea4c2eaf5c03b80a27d7a23decf9429c0142a62f62b179e87fbf5b542

d7ee0ebddb3944c2f3e9790e79392ce0d320e50087e9ac1cf3073b9f8ca9f6fe

You can use the following CLI command to search for Earth Aughisky samples in our portal:

$ polyswarm link list -f EarthAughisky

Don’t have a PolySwarm account? Go here to sign up for a free Community plan or to subscribe.

Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports