📃Title: Earth Kurma APT Campaign Targets Southeast Asian Government, Telecom Sectors
📅Date: 2025-04-25
🔗References:

🔖Rectifyq Taxonomies:

🔖MISP Galaxies:

  • producer="Trend-Micro"
  • sector="Government, Administration"
  • sector="Telecoms"
  • region="035 - South-eastern Asia"
  • target-information="Malaysia"
  • target-information="Philippines"
  • target-information="Thailand"
  • target-information="Vietnam"
  • malpedia="Moriya"
  • malpedia="Ladon"
  • malpedia="Cobalt Strike"
  • malpedia="SManager"
  • mitre-course-of-action="Filter Network Traffic - M1037"
  • mitre-course-of-action="Limit Access to Resource Over Network - M1035"
  • mitre-course-of-action="Password Policies - M1027"
  • mitre-course-of-action="Privileged Account Management - M1026"
  • mitre-course-of-action="Restrict Web-Based Content - M1021"
  • threat-actor="Earth-Kurma"
  • mitre-attack-pattern=['T1567.002', 'T1056.001', 'T1620', 'T1021.002', 'T1014']

MISP event uuid: 0ad70cee-9206-4d0d-942d-33f43175f240

Indicators of Compromise (IoCs)


Full IoCs available in Rectifyq's MISP