China flag
Image: Arthur Wang via Unsplash

China-linked hackers target governments and more in Southeast Asia with new backdoors

A China-linked espionage group has been observed targeting government agencies, educational institutions and the communications industry with two custom backdoors, according to the new research.

Since early 2022, the group — labeled Earth Krahang by researchers — has attacked at least 70 victims across 23 countries, with the primary focus on Southeast Asia. Some of its targets are also located in Europe, America and Africa, according to analysts at the cybersecurity firm Trend Micro.

Earth Krahang appears to be related to another China-backed advanced persistent threat (APT) group tracked as Earth Lusca or RedHotel, which is known for its espionage campaigns against government and educational institutions, religious movements, and pro-democracy and human rights organizations in Hong Kong, as well as  COVID-19 research organizations. 

Researchers suggest that both of these groups are linked to a Chinese security company called I-Soon, which recently had its information leaked on the GitHub repository. The company’s CEO, Wu Haibo, was a member of China’s first hacktivist group and is a well-known hacker.

Hear More: Inside the i-Soon papers and China’s secret world of hackers-for-hire

According to Trend Micro, Earth Lusca and Earth Krahang could be two penetration teams associated with I-Soon. The groups operate independently, using separate infrastructure and unique backdoors, but target a similar range of victims, according to the report.

Tactics and tools

The notable thing about Earth Krahang, researchers said, is that it compromises government agencies to attack other state entities, exploiting the trust between them and evading detection.

For example, the group is abusing government infrastructure to host malicious payloads, route proxy attack traffic and send spearphishing emails to state-related targets using compromised government email accounts.

Some of the phishing email subjects used by the group include: “Malaysian defense minister visits Hungary,” “ICJ public hearings — Guyana vs. Venezuela,” and “About Guyana Procurement Proposal for Taiwan.”

Researchers have found that Earth Krahang retrieves hundreds of email addresses from targets during the reconnaissance phase. In one case, the actor used a compromised mailbox from a government entity to send a malicious attachment to 796 email addresses belonging to the same entity. 

It is likely that the actor discovered the weak credentials of the compromised mailbox using brute-forcing tools. In brute-force attacks, hackers gain unauthorized access to a system by trying every possible combination of characters until the correct one is found. 

Researchers also observed Earth Krahang setting up VPN servers on compromised internet-facing servers to gain access to the private networks of victims and conduct brute-force attacks to obtain email credentials. The credentials obtained through these attacks were then used to exfiltrate victim emails.

The group also conducts vulnerability scanning to discover weaknesses that allow it to deploy web shells and install backdoors. The hackers exploited the bug known as CVE-2023-32315 in Openfire server software and a vulnerability tracked as  CVE-2022-21587 in Oracle Web Applications Desktop Integrator.

During the analysis, researchers discovered that Earth Krahang used two custom backdoors, Reshell and XDealer, during the initial stages of the attacks. They were delivered either through spear-phishing emails or deployed via web shells on compromised servers.

Reshell is a simple backdoor that can collect information, drop files, or execute system commands. XDealer is a more sophisticated tool that can be employed on both Windows and Linux systems. XDealer may have been used in the wild since 2023 and is still under active development, according to researchers.

In total, researchers were able to identify 116 victims targeted by the group, including the 70 that confirmed they were compromised. Foreign Affairs ministries and departments were the group’s top targets. Other victims include telecommunications providers, post offices, logistics platforms, and job services.

Get more insights with the
Recorded Future
Intelligence Cloud.
Learn more.
No previous article
No new articles
Daryna Antoniuk

Daryna Antoniuk

is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.