
Paul Pajo
General Manager (Philippines)
This paper analyzes the Earth Kurma Advanced Persistent Threat (APT) campaign, active since 2020 and targeting government and telecommunications organizations in Southeast Asia. The campaign employs custom malware (the KRNRAT remote access trojan and the MORIYA kernel-mode rootkit), kernel-level persistence, and exfiltration through legitimate cloud storage services (Dropbox and OneDrive). We examine its tactics, evaluate its impact on national security and critical infrastructure, and propose mitigation strategies with a regional focus. Potential links to groups such as ToddyCat and TA428 are assessed, alongside the challenges of attribution. Future research directions include AI-driven detection, geopolitical studies, and improved attribution methods.
Introduction
Advanced Persistent Threats (APTs) are sophisticated, stealthy intrusions by well-resourced actors, typically nation-states, that aim to steal data or disrupt systems over extended periods rather than in a single event.
The Earth Kurma APT, whose activity has been traced back to 2020, targets the government and telecommunications sectors of Southeast Asian countries including the Philippines, Vietnam, Thailand, and Malaysia. Using custom malware, a kernel-mode rootkit, and exfiltration through commercial cloud storage, it poses a sustained threat to regional security, with increased activity observed in 2024.
This paper reviews Earth Kurma’s tactics, assesses its risks, and suggests defenses. It also examines connections to other APTs and emphasizes regional cybersecurity cooperation.
Technical Analysis
Earth Kurma employs advanced methods:
- Malware and Tools: KRNRAT (a remote access trojan), MORIYA (a kernel-level rootkit used for persistence and traffic interception), and KMLOG (a keylogger) are used alongside TESDAT and SIMPOBOXSPY, custom tools for collecting documents and staging them for exfiltration.
- Evasion: Payloads are XOR-obfuscated and loaded reflectively in memory rather than dropped to disk as ordinary DLLs, and the operators rely on living-off-the-land techniques for reconnaissance and lateral movement, so much of the activity blends into routine administration.
- Exfiltration: Collected files are compressed into RAR archives and uploaded to Dropbox or OneDrive, so the outbound traffic looks like legitimate use of those services rather than connections to attacker infrastructure.
Together these tactics allow prolonged, covert espionage with few obvious indicators on the host or the network.
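The XOR obfuscation mentioned above is cheap for the attacker but also cheap for the analyst to undo when the wrapped payload is a PE image, because PE headers have fixed magic values and long runs of zero bytes. The following is an added example of that analyst-side key recovery; it is not Earth Kurma tooling or code from any vendor report. The payload it decodes is a constructed, header-only PE image encoded here with keys chosen for the demonstration; the markers it scores on (the MZ magic, the DOS stub string, and a valid e_lfanew pointing at "PE\0\0") are standard PE structure.

```python
"""Recover single-byte and repeating XOR keys from an obfuscated PE stage.

Added analyst example, not Earth Kurma tooling. The sample payload is a
constructed minimal PE header XOR-encoded with keys chosen in this file.
"""
from collections import Counter
from typing import Optional


def build_fake_pe() -> bytes:
    """Constructed sample: a minimal, header-only PE image padded to 512 bytes."""
    dos_header = bytearray(0x40)
    dos_header[0:2] = b"MZ"
    stub = (b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21"
            b"This program cannot be run in DOS mode.\r\n$")
    pe_offset = 0x40 + len(stub)
    pe_offset += (-pe_offset) % 16                 # align the way linkers do
    dos_header[0x3C:0x40] = pe_offset.to_bytes(4, "little")   # e_lfanew
    image = bytes(dos_header) + stub
    image += b"\x00" * (pe_offset - len(image)) + b"PE\x00\x00"
    return image.ljust(0x200, b"\x00")             # header page is mostly zeros


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key (a single byte is the one-byte case)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def score_pe(buf: bytes) -> int:
    """Score 0..10 for how PE-like a decoded buffer is, using three
    independent markers so a false match on one does not pass the check."""
    score = 0
    if buf[:2] == b"MZ":
        score += 3
    if b"This program cannot be run in DOS mode" in buf:
        score += 3
    if len(buf) >= 0x44:
        e_lfanew = int.from_bytes(buf[0x3C:0x40], "little")
        if 0x40 <= e_lfanew <= len(buf) - 4 and buf[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
            score += 4
    return score


def recover_single_byte_key(blob: bytes) -> Optional[int]:
    """Brute-force all 256 single-byte keys and keep the most PE-like decode."""
    key, score = max(((k, score_pe(xor_repeating(blob, bytes([k])))) for k in range(256)),
                     key=lambda t: t[1])
    return key if score >= 6 else None


def recover_repeating_key(blob: bytes, key_len: int) -> Optional[bytes]:
    """Zero-byte attack for a repeating key of known length: because PE
    headers are dominated by 0x00, the most frequent ciphertext byte in each
    key column is the key byte itself. The guess is validated with score_pe
    rather than trusted blindly."""
    key = bytes(Counter(blob[i::key_len]).most_common(1)[0][0] for i in range(key_len))
    return key if score_pe(xor_repeating(blob, key)) >= 6 else None


if __name__ == "__main__":
    sample1 = xor_repeating(build_fake_pe(), b"\x5a")            # one-byte key 0x5A
    print("single-byte key:", hex(recover_single_byte_key(sample1)))
    sample4 = xor_repeating(build_fake_pe(), b"\x13\x37\xc0\xde")  # four-byte key
    print("repeating key:", recover_repeating_key(sample4, 4))
```

When the key length is unknown, run recover_repeating_key over a range of lengths and keep the first one whose decode scores; multi-byte keys that exceed the zero-heavy header region need a known-plaintext approach instead, which the same score_pe validation supports.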
Comparison with Other APT Groups
Earth Kurma overlaps with several known groups, though none of the overlaps is conclusive:
- ToddyCat: Shares the SIMPOBOXSPY tooling and the practice of exfiltrating through cloud storage, and has likewise targeted Southeast Asia since 2020.
- Operation TunnelSnake: Also deployed the MORIYA rootkit, but that campaign emphasized covert lateral movement rather than bulk exfiltration.
- TA428 (Vicious Panda): Connected through use of the Ladon framework, which suggests shared or circulating tooling rather than a direct link.
Because frameworks and implants circulate between groups and are routinely obfuscated or rebuilt, shared tooling alone is weak evidence of common operators, and attribution remains open.
Impact and Risk Assessment
Earth Kurma's choice of targets creates significant risks:
- National Security: Breaches of government networks expose policy, diplomatic, and personnel data to a foreign adversary over long periods.
- Infrastructure: A compromised telecommunications provider offers visibility into subscriber traffic and a foothold that could threaten dependent services such as emergency response or banking.
Its stealth supports ongoing espionage today and positions the actor for disruption should its goals change.
Mitigation Strategies
To counter Earth Kurma:
- Threat Detection: Endpoint detection and response (EDR) backed by a managed detection and response (MDR) service, with kernel-level telemetry (driver loads, new services, unsigned or anomalous drivers) needed to surface a rootkit such as MORIYA; regional providers such as Cybots offer such services.
- Audits: Regular vulnerability scanning and timely patching, particularly of internet-facing systems, reduce the attack surface available for initial access and persistence.
- Cloud Monitoring: Baseline legitimate use of Dropbox and OneDrive, then alert on unusual upload volumes, first-seen use from servers, and uploads that closely follow archive creation.
- Access Controls: Least privilege limits both the data an implanted host can reach and the ability to install kernel drivers, which a rootkit requires.
- Training: Educate staff to recognize and report phishing, a common initial-access route for APT campaigns.
Regional threat-intelligence sharing, so that indicators seen in one country's networks reach its neighbours quickly, bolsters collective defense.
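The cloud-monitoring recommendation above is most useful when archive creation and cloud uploads are correlated rather than alerted on separately, since each alone is common in normal use. The following is an added detection example, not part of the original paper and not a vendor or Earth Kurma artifact. The pipe-delimited process and proxy log formats, the host names, the 20 MB threshold, and the 30-minute window are all assumptions made for this example; the cloud API host names are the public Dropbox and Microsoft Graph/OneDrive endpoints a defender would baseline.

```python
"""Correlate archive creation with bulk uploads to Dropbox/OneDrive.

Added detection example. Log formats and sample events are constructed;
map the field names to your own EDR and proxy schema before use.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

CLOUD_STORAGE_HOSTS = {
    "api.dropboxapi.com", "content.dropboxapi.com",   # Dropbox API endpoints
    "graph.microsoft.com", "api.onedrive.com",        # OneDrive via Graph / legacy API
}
ARCHIVE_TOOLS = {"rar.exe", "winrar.exe", "7z.exe"}
UPLOAD_BYTES_THRESHOLD = 20 * 1024 * 1024   # assumed baseline; tune per environment
WINDOW = timedelta(minutes=30)              # assumed archive-to-upload window

# Constructed sample logs: ts|host|image|cmdline  and  ts|host|dst|bytes_out
PROC_LOGS = r"""
2025-03-02T01:10:05|WS-FIN-07|C:\Windows\Temp\rar.exe|rar.exe a -r -hp -m5 C:\Windows\Temp\out.rar C:\Users\j.doe\Documents
2025-03-02T01:11:30|WS-FIN-07|C:\Windows\System32\whoami.exe|whoami /all
2025-03-02T01:05:00|WS-HR-02|C:\Program Files\7-Zip\7z.exe|7z a backup.7z D:\Projects
"""
NET_LOGS = """
2025-03-02T01:22:41|WS-FIN-07|content.dropboxapi.com|48721903
2025-03-02T01:23:10|WS-FIN-07|www.bing.com|18210
2025-03-02T03:40:00|WS-HR-02|graph.microsoft.com|61200000
2025-03-02T01:30:00|WS-DEV-11|graph.microsoft.com|75000000
"""


@dataclass
class ProcEvent:
    ts: datetime
    host: str
    image: str
    cmdline: str


@dataclass
class NetEvent:
    ts: datetime
    host: str
    dst: str
    bytes_out: int


def parse_proc(log: str) -> List[ProcEvent]:
    events = []
    for line in log.strip().splitlines():
        ts, host, image, cmdline = line.split("|", 3)
        events.append(ProcEvent(datetime.fromisoformat(ts), host, image, cmdline))
    return events


def parse_net(log: str) -> List[NetEvent]:
    events = []
    for line in log.strip().splitlines():
        ts, host, dst, out = line.split("|")
        events.append(NetEvent(datetime.fromisoformat(ts), host, dst, int(out)))
    return events


def detect(procs: List[ProcEvent], nets: List[NetEvent]) -> List[Dict]:
    """High: archive tool on a host followed within WINDOW by a bulk upload to
    a cloud-storage API from the same host. Medium: bulk upload with no
    preceding archive, still worth a baseline check."""
    bulk = [n for n in nets
            if n.dst in CLOUD_STORAGE_HOSTS and n.bytes_out >= UPLOAD_BYTES_THRESHOLD]
    alerts, correlated = [], set()
    for p in procs:
        tool = p.image.rsplit("\\", 1)[-1].lower()
        if tool not in ARCHIVE_TOOLS:
            continue
        # -hp (rar) / -p (rar, 7z) password-protect the archive: stronger signal
        encrypted = any(t.lower().startswith(("-hp", "-p")) for t in p.cmdline.split())
        for n in bulk:
            if n.host == p.host and p.ts <= n.ts <= p.ts + WINDOW:
                correlated.add(id(n))
                alerts.append({"severity": "high", "host": p.host, "tool": tool,
                               "encrypted_archive": encrypted, "dst": n.dst,
                               "bytes_out": n.bytes_out})
    for n in bulk:
        if id(n) not in correlated:
            alerts.append({"severity": "medium", "host": n.host, "dst": n.dst,
                           "bytes_out": n.bytes_out})
    return alerts


if __name__ == "__main__":
    for a in detect(parse_proc(PROC_LOGS), parse_net(NET_LOGS)):
        print(a)
```

On the constructed data only WS-FIN-07 produces a high-severity alert (password-protected RAR, then a 46 MB Dropbox upload twelve minutes later); the two other large uploads are reported at medium severity because no archive activity precedes them inside the window. In production the same logic runs as a scheduled query against the SIEM, with the threshold and the host allowlist derived from the organization's own baseline of sanctioned cloud-storage use.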
Future Areas of Research
Research should target:
- AI-driven tools for detecting kernel-mode rootkits and for spotting encrypted or archive-based exfiltration hidden in legitimate cloud traffic.
- The geopolitical effects of cyberespionage in Southeast Asia, including its influence on regional cooperation and policy.
- Forensic methods that improve APT attribution beyond tool overlap, such as infrastructure, tradecraft, and code-lineage analysis.
These directions would strengthen detection, response, and attribution capabilities across the region.
Conclusion
Earth Kurma threatens Southeast Asia with sustained, stealthy cyberespionage against government and telecommunications targets. Its overlaps with other APTs, and the difficulty of attributing it, underline the need for robust defenses. The mitigation strategies outlined here (EDR and MDR with kernel telemetry, regular audits, cloud monitoring, least privilege, and regional cooperation), together with research in detection, geopolitics, and attribution, reduce exposure to such threats. Vigilance and innovation will help secure the region's digital future.