Merge pull request #1020 from r0ny123/Earth-Baxia

Add Earth Baxia
Alexandre Dulaunoy 2024-09-25 06:25:46 +02:00 committed by GitHub
commit cbe0c24b91
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 15 additions and 1 deletions


@ -599,7 +599,7 @@ Category: *tea-matrix* - source: ** - total: *7* elements
[Threat Actor](https://www.misp-galaxy.org/threat-actor) - Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign. threat-actor-classification meta can be used to clarify the understanding of the threat-actor if also considered as operation, campaign or activity group. [Threat Actor](https://www.misp-galaxy.org/threat-actor) - Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign. threat-actor-classification meta can be used to clarify the understanding of the threat-actor if also considered as operation, campaign or activity group.
Category: *actor* - source: *MISP Project* - total: *736* elements Category: *actor* - source: *MISP Project* - total: *737* elements
[[HTML](https://www.misp-galaxy.org/threat-actor)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/threat-actor.json)] [[HTML](https://www.misp-galaxy.org/threat-actor)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/threat-actor.json)]


@ -16688,6 +16688,20 @@
}, },
"uuid": "071d271a-313f-442d-9bf0-10e6eeba0a8e", "uuid": "071d271a-313f-442d-9bf0-10e6eeba0a8e",
"value": "HikkI-Chan" "value": "HikkI-Chan"
},
{
"description": "Earth Baxia is a threat actor opearting out of China, targeting government organizations in Taiwan and potentially across the APAC region, using spear-phishing emails and exploiting the GeoServer vulnerability CVE-2024-36401 for remote code execution, deploying customized Cobalt Strike components with altered signatures, leveraging GrimResource and AppDomainManager injection techniques to deliver additional payloads, and utilizing a new backdoor named EAGLEDOOR for multi-protocol communication and payload delivery.",
"meta": {
"country": "CN",
"refs": [
"https://www.tgsoft.it/news/news_archivio.asp?id=1568",
"https://jp.security.ntt/tech_blog/appdomainmanager-injection",
"https://www.trendmicro.com/en_us/research/24/i/earth-baxia-spear-phishing-and-geoserver-exploit.html",
"https://www.trendmicro.com/content/dam/trendmicro/global/en/research/24/i/earth-baxia-uses-spear-phishing-and-geoserver-exploit-to-target-apac/IOCs%20-%20Earth%20Baxia%20Uses%20Spear-Phishing%20and%20GeoServer%20Exploit%20to%20Target%20APAC.txt"
]
},
"uuid": "d0c2cd99-64d5-406f-abd7-16b9e27966a7",
"value": "Earth Baxia"
} }
], ],
"version": 313 "version": 313
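Review bot: the new cluster's "description" has a typo, "opearting" should read "operating", and it is a single very long sentence; splitting it after "remote code execution" (one sentence for targeting and initial access, one for the tooling and the EAGLEDOOR backdoor) would read better in the MISP UI. Separately, "version" stays at 313 on both sides of this hunk even though a cluster is added; MISP instances use the galaxy version to decide whether to reload the file, so it should be bumped in the same change.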