Trend Micro researchers have uncovered a cyberespionage campaign being perpetrated by Earth Baku, an advanced persistent threat (APT) group with a known history of carrying out cyberattacks under the alias APT41. This is not the group’s first foray into cyberespionage, and its long list of past cybercrimes also includes ransomware and cryptocurrency mining attacks.
Earth Baku's ongoing campaign, which can be traced back to at least July 2020, is delivered through several attack vectors, each chosen to fit the exploits available against, or the infrastructure of, the targeted victim's environment:
- SQL injection to upload a malicious file
- Installation through InstallUtil.exe launched from a scheduled task
- Possibly a malicious link (LNK) file sent as an email attachment
- Exploitation of the ProxyLogon vulnerability CVE-2021-26855 to upload a China Chopper web shell
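One way a defender can triage the scheduled-task vector listed above, as an added example and not code from the Trend Micro report: a short Python script that parses exported Task Scheduler XML definitions (the format `schtasks /query /xml` produces) and flags any task action that invokes InstallUtil.exe, a .NET utility that can proxy execution of a supplied assembly (MITRE ATT&CK T1218.004). The task names, file paths and the three task definitions below are constructed for illustration; it checks the Arguments element as well as Command so that an InstallUtil.exe call wrapped in cmd.exe is still caught.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List

# Namespace used by Windows Task Scheduler task definitions (schtasks /query /xml exports).
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Legitimate .NET tooling that rarely belongs in a scheduled task on a production host;
# InstallUtil.exe is the binary named in the Earth Baku campaign.
WATCHLIST = ("installutil.exe",)


def find_suspicious_actions(task_xml: str, task_name: str = "<unnamed>") -> List[Dict[str, str]]:
    """Return one record per <Exec> action whose Command or Arguments mention a WATCHLIST binary."""
    root = ET.fromstring(task_xml)
    hits: List[Dict[str, str]] = []
    for exec_node in root.findall(".//t:Actions/t:Exec", TASK_NS):
        command = (exec_node.findtext("t:Command", default="", namespaces=TASK_NS) or "").strip()
        arguments = (exec_node.findtext("t:Arguments", default="", namespaces=TASK_NS) or "").strip()
        # Match on the combined command line so a wrapper such as cmd.exe /c does not hide the binary.
        haystack = f"{command} {arguments}".lower()
        for binary in WATCHLIST:
            if binary in haystack:
                hits.append({"task": task_name, "command": command,
                             "arguments": arguments, "matched": binary})
    return hits


def scan_tasks(tasks: Dict[str, str]) -> List[Dict[str, str]]:
    """Scan a mapping of task name -> task XML and collect every hit across all tasks."""
    hits: List[Dict[str, str]] = []
    for name, xml_text in tasks.items():
        hits.extend(find_suspicious_actions(xml_text, name))
    return hits


# Constructed sample task definitions (hypothetical paths and names, not from the campaign).
BENIGN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec>
      <Command>C:\Scripts\nightly-backup.cmd</Command>
    </Exec>
  </Actions>
</Task>"""

DIRECT_INSTALLUTIL_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec>
      <Command>C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe</Command>
      <Arguments>/logfile= /LogToConsole=false /U C:\Users\Public\helper.dll</Arguments>
    </Exec>
  </Actions>
</Task>"""

WRAPPED_INSTALLUTIL_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec>
      <Command>cmd.exe</Command>
      <Arguments>/c C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe /U C:\ProgramData\svc.dll</Arguments>
    </Exec>
  </Actions>
</Task>"""

SAMPLE_TASKS = {
    "Backup": BENIGN_TASK,
    "Updater": DIRECT_INSTALLUTIL_TASK,
    "Maint": WRAPPED_INSTALLUTIL_TASK,
}


if __name__ == "__main__":
    for hit in scan_tasks(SAMPLE_TASKS):
        print(f"[REVIEW] task={hit['task']!r} matched={hit['matched']} "
              f"command={hit['command']!r} arguments={hit['arguments']!r}")
```

Run against a directory of exported task XML files, the script gives incident responders a quick list of tasks to inspect; any InstallUtil.exe action should be compared with the task's creation time and author (Security event ID 4698 records scheduled-task creation when auditing is enabled) before deciding whether it is a legitimate installer.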
Source: Trend Micro