24 September 2024

Suspected Chinese APT exploits GeoServer flaw to target Taiwan and APAC govts

Cybersecurity company Trend Micro said it uncovered a series of cyber intrusions attributed to an advanced persistent threat (APT) group dubbed "Earth Baxia," a suspected China-based threat actor that has been targeting government organizations in Taiwan, as well as in other countries across the Asia-Pacific (APAC) region, including the Philippines, South Korea, Vietnam, and Thailand.

The campaign exploits a recently patched critical vulnerability, CVE-2024-36401, in OSGeo's GeoServer and GeoTools software. CVE-2024-36401 is a remote code execution flaw that allows attackers to download or copy malicious components onto compromised systems.

After gaining access, the group used customized versions of the Cobalt Strike framework, further modifying the internal signatures and configuration structure of Cobalt Strike for evasion, making detection by security tools more difficult.

The primary attack vector employed by Earth Baxia is spear-phishing, using carefully tailored phishing emails that carry malicious attachments. Once opened, the attachments initiated the exploitation of CVE-2024-36401. The attackers used the GrimResource method to deliver malicious payloads from public cloud services such as Amazon Web Services (AWS).

Additionally, Earth Baxia used AppDomainManager injection, which allows malicious code to be executed within legitimate application processes. This method makes the attack harder for security defenses to detect, since it does not directly invoke Windows API calls.
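The article does not describe how AppDomainManager injection is configured, so the following is an added hunting helper written for this page, not code from the article or from Trend Micro's report. It assumes the documented .NET runtime behaviour: a managed executable can be redirected to load a custom AppDomainManager either through the appDomainManagerAssembly and appDomainManagerType elements under runtime in its .exe.config file, or through the APPDOMAIN_MANAGER_ASSEMBLY and APPDOMAIN_MANAGER_TYPE environment variables. Both places are worth checking for signed, otherwise legitimate binaries because, as the article notes, the injected code runs inside the trusted process. The config documents and environment dictionary below are constructed samples with placeholder names.

```python
# Added example: hunt for AppDomainManager redirection in .NET application config
# files and process environments. Element and variable names are the documented
# .NET runtime settings (assumption stated in the lead-in); sample inputs are
# constructed for the demo and use obvious placeholders, not real IoCs.
import xml.etree.ElementTree as ET
from typing import Dict, List

# Environment variables that make the CLR load a custom AppDomainManager.
SUSPICIOUS_ENV_VARS = ("APPDOMAIN_MANAGER_ASSEMBLY", "APPDOMAIN_MANAGER_TYPE")
# Elements under <runtime> in an app's .exe.config that do the same thing.
SUSPICIOUS_ELEMENTS = ("appDomainManagerAssembly", "appDomainManagerType")


def find_appdomainmanager_in_config(config_xml: str) -> List[str]:
    """Return one finding per AppDomainManager element found in an .exe.config document."""
    findings: List[str] = []
    try:
        root = ET.fromstring(config_xml)
    except ET.ParseError as exc:
        # An unparseable config is itself worth a look, so report it rather than hide it.
        return [f"unparseable config: {exc}"]
    for runtime in root.iter("runtime"):
        for child in runtime:
            # Drop any XML namespace prefix before comparing the local element name.
            local = child.tag.rsplit("}", 1)[-1]
            if local in SUSPICIOUS_ELEMENTS:
                findings.append(f"{local}={child.get('value', '')!r}")
    return findings


def find_appdomainmanager_in_env(env: Dict[str, str]) -> List[str]:
    """Return one finding per AppDomainManager environment variable present in env."""
    return [f"{k}={env[k]!r}" for k in SUSPICIOUS_ENV_VARS if k in env]


def scan(config_xml: str, env: Dict[str, str]) -> List[str]:
    """Combine both checks for one process: its config file and its environment."""
    return find_appdomainmanager_in_config(config_xml) + find_appdomainmanager_in_env(env)


# Constructed sample: a normal config that only pins the runtime version.
BENIGN_CONFIG = """<?xml version="1.0"?>
<configuration>
  <startup>
    <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.8"/>
  </startup>
</configuration>"""

# Constructed sample: a config that redirects the AppDomainManager (placeholder names).
SUSPICIOUS_CONFIG = """<?xml version="1.0"?>
<configuration>
  <runtime>
    <appDomainManagerAssembly value="PLACEHOLDER_ASSEMBLY, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"/>
    <appDomainManagerType value="PLACEHOLDER_NAMESPACE.PLACEHOLDER_TYPE"/>
  </runtime>
</configuration>"""

# Constructed sample environments for the two processes.
BENIGN_ENV = {"PATH": r"C:\Windows"}
SUSPICIOUS_ENV = {"PATH": r"C:\Windows", "APPDOMAIN_MANAGER_ASSEMBLY": "PLACEHOLDER_ASSEMBLY"}


if __name__ == "__main__":
    for name, cfg, env in (("benign", BENIGN_CONFIG, BENIGN_ENV),
                           ("suspicious", SUSPICIOUS_CONFIG, SUSPICIOUS_ENV)):
        print(name, scan(cfg, env) or "no AppDomainManager settings")
```

In practice the config check is run over every *.exe.config sitting next to a managed executable, and the environment check over the environment block of running processes; a hit on a binary that ships no such settings is the signal to pull the named assembly for analysis.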

The last stage of the attack involved the deployment of a new backdoor, named "EAGLEDOOR," which facilitates communication with command-and-control (C2) servers using multiple protocols for data exfiltration and further payload delivery.

Investigations point to a China-based origin for Earth Baxia. Many of the malicious servers involved in the campaign were hosted on Alibaba Cloud or located in Hong Kong. Furthermore, samples related to the malware were submitted to VirusTotal from China, and a distinctive Cobalt Strike watermark used by the attackers was linked to a small number of machines, predominantly located in China. Earth Baxia’s operations appear to primarily target government agencies, telecommunication companies, and the energy sector across various APAC countries.

However, a decoy document written in simplified Chinese that was observed in the campaign suggests that China itself may have been impacted, although the exact sectors affected remain unclear.

