Trend Micro has uncovered a campaign by Earth Baku, or APT41, against organizations in the Indo-Pacific region.

The ongoing campaign by Earth Baku  employs multiple attack vectors to target attacks on public and private entities working in certain industries that are based in the Indo-Pacific region. 

It uses attack vectors such as SQL injection, installer tool InstallUtil[.]exe in a scheduled task, a malicious link (LNK) file in email attachment, and exploits of the ProxyLogon vulnerability (CVE-2021-26855) to upload a web shell of China Chopper.

The group used previously unknown shellcode loaders, now known as StealthVector and StealthMutant, along with a backdoor identified as ScrambleCross. The targeted countries are Vietnam, India, Malaysia, Taiwan, the Philippines, and Indonesia. 

Earth Baku’s recent activities were linked with previous campaigns active since November 2018. The older campaign used a different shellcode loader, which was named as LavagokLdr.

Researchers discovered similar codes and techniques between now used StealthVector and LavagokLdr. Both perform a similar method for decryption and signature checking.

The APT group may have hired new experts in software development and low-level programming, along with red-team methods. The group could be planning more campaigns in the near future in Indo-Pacific countries.