Intel Name: Earth Baxia uses spear-phishing and GeoServer exploit to target APAC
Date of Scan: September 20, 2024
Impact: High
Summary: The threat actor Earth Baxia has targeted a Taiwanese government organization, and potentially other organizations in the Asia-Pacific region, using spear-phishing emails and the GeoServer vulnerability CVE-2024-36401, which allows remote code execution. The actor used GrimResource and AppDomainManager injection to deploy additional payloads, and customized Cobalt Strike components for evasion: the modified Cobalt Strike carried altered signatures and configuration structures. Additionally, the actor employed a new backdoor called EAGLEDOOR for information gathering and payload delivery, which supports multiple communication protocols.