Telecommunications, government, and energy organizations in Taiwan, South Korea, Thailand, Vietnam, and the Philippines have been targeted by the suspected Chinese advanced persistent threat operation Earth Baxia using the novel EAGLEDOOR backdoor, The Hacker News reports.
Aside from spear-phishing emails, Earth Baxia also exploited the recently addressed critical GeoServer GeoTools flaw, tracked as CVE-2024-36401, and distributed additional payloads via GrimResource and AppDomainManager injection before DLL side-loading EAGLEDOOR, according to an analysis from Trend Micro. EAGLEDOOR communicates over TCP, HTTP, and DNS to report victim status to its command-and-control server, and uses the Telegram Bot API for file downloads and uploads as well as further payload execution, the Trend Micro researchers reported. "The use of public cloud services for hosting malicious files and the multi-protocol support of EAGLEDOOR highlight the complexity and adaptability of their operations," said researchers.
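Because EAGLEDOOR's file transfer and tasking ride on the Telegram Bot API, one defensive check is to hunt outbound proxy logs for Bot API calls made by processes that are not a browser or the Telegram client. The following is an added example, not code from Trend Micro or the report; the proxy log format, the process names, and the bot token in the sample lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Telegram Bot API requests take the form https://api.telegram.org/bot<id>:<token>/<method>
BOT_API_RE = re.compile(r"^/bot(\d+):([A-Za-z0-9_-]+)/(\w+)")
# Methods that fetch tasking or move files, the behaviour attributed to EAGLEDOOR.
SUSPICIOUS_METHODS = {"getUpdates", "getFile", "sendDocument", "sendMessage"}
# Processes for which Telegram traffic is expected (assumed allow-list).
EXPECTED_PROCESSES = {"chrome.exe", "firefox.exe", "msedge.exe", "telegram.exe"}

# Constructed proxy log: "<timestamp> <host> <process> <verb> <url>" (token is fake).
SAMPLE_LOG = """\
2024-09-20T08:01:02Z ws-017 chrome.exe GET https://api.telegram.org/bot123456:AAAAexampleToken/getMe
2024-09-20T08:01:05Z ws-017 updater.exe POST https://api.telegram.org/bot123456:AAAAexampleToken/getUpdates
2024-09-20T08:01:09Z ws-017 updater.exe POST https://api.telegram.org/bot123456:AAAAexampleToken/sendDocument
2024-09-20T08:02:00Z ws-022 outlook.exe GET https://example.org/index.html
"""

def parse_proxy_line(line):
    """Split one constructed proxy log line into its five fields."""
    ts, host, proc, verb, url = line.split(maxsplit=4)
    return {"ts": ts, "host": host, "proc": proc, "verb": verb, "url": url}

def classify(rec):
    """Return a finding if the record is a Bot API call from an unexpected process, else None."""
    parts = urlsplit(rec["url"])
    if parts.hostname != "api.telegram.org":
        return None
    m = BOT_API_RE.match(parts.path)
    if not m:
        return None
    bot_id, _token, method = m.groups()  # token is deliberately not reported
    if rec["proc"].lower() in EXPECTED_PROCESSES:
        return None
    return {"ts": rec["ts"], "host": rec["host"], "proc": rec["proc"],
            "bot_id": bot_id, "method": method,
            "suspicious": method in SUSPICIOUS_METHODS}

def find_bot_api_beacons(lines):
    """Run the classifier over log lines and keep only the findings."""
    return [f for f in (classify(parse_proxy_line(l)) for l in lines if l.strip()) if f]

if __name__ == "__main__":
    for finding in find_bot_api_beacons(SAMPLE_LOG.splitlines()):
        print(finding)
```

Pivoting on `bot_id` across hosts groups every victim talking to the same operator bot, which is more useful for scoping than the individual hits.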