Earth Baxia Uses Spear-Phishing and GeoServer Exploit to Target APAC
Common Information
Type Value
UUID 39a8185d-cbae-4596-92dd-6f7ecd30e2cf
Fingerprint b47899d37fa7af4b
Analysis status DONE
Considered CTI value 0
Text language
Published Sept. 19, 2024, midnight
Added to db Sept. 19, 2024, 11:21 a.m.
Last updated Nov. 16, 2024, 2:10 p.m.
Headline Earth Baxia Uses Spear-Phishing and GeoServer Exploit to Target APAC
Title Earth Baxia Uses Spear-Phishing and GeoServer Exploit to Target APAC
Detected Hints/Tags/Attributes 83/3/35
RSS Feed
Id Enabled Feed title Url Added to db
99 Cyware News - Latest Cyber News https://cyware.com/allnews/feed 2024-08-30 22:08
119 Trend Micro Research, News and Perspectives https://feeds.feedburner.com/TrendMicroSimplySecurity 2024-08-30 22:08
Attributes
Type #Events CTI Value
CVE 56
cve-2024-36401