Since its first documented activity in 2011, the advanced persistent threat (APT) group Earth Aughisky has continued to plague organizations’ operations and disrupt everyday activities. Trend Micro’s monitoring of the group over the last decade has yielded significant patterns for attribution, connections, and even changes. This cyberespionage group expends considerable effort on evading detection once inside a target’s systems by abusing legitimate accounts, software, and applications, as well as other weaknesses in network design and infrastructure.
Tracking this APT group’s history and continuous activities has allowed researchers and cybersecurity practitioners to learn its movements, technical developments, and potential relationships with other cybercriminal and cyberespionage groups.
Earth Aughisky’s campaigns were observed to focus primarily on organizations in Taiwan, and the group consistently updated its arsenal to circumvent developments in security solutions. Over the last decade, our analyses have tracked the increasing sophistication of its malware families and tools, until more recent changes in their routines pointed to potential changes in the APT’s organization.
We observed that the cyberespionage group began expanding its targets to Japan towards the end of 2017, potentially indicating changes in the sponsor’s objectives and real-world organizational structures. This is also evident in other changes security analysts have tracked in recent years, such as the group’s use of its malware arsenal and its infrastructure.
In the research paper “The Rise of Earth Aughisky: Tracking the Campaigns Taidoor Started,” researchers analyzed all the malware families previously attributed to the group. These studies of the routines and tools documented from previous samples and incidents revealed similarities with a number of malware families and tools that have not yet been attributed to Earth Aughisky, or that have been seen in use by other cyberespionage groups.
Here is a summary of the malware families and tools attributed to Earth Aughisky, how each is connected to the others, and a brief technical and historical description of each, including its year of disclosure.
The longevity of Earth Aughisky in the cyberespionage world allows cybersecurity researchers and analysts to follow patterns and to notice subtle changes when they occur. For instance, the recent changes in activity frequency, overlaps with malware and tools attributed to other groups, and even the simplification of code in known and established malware have attracted attention. This series of subtle deviations has prompted researchers to match them against real-world changes in known sponsors, take a closer look at other groups, and consider potential changes in motivations and structures.
Over the years, consistent monitoring of the APT group Earth Aughisky has enabled cybersecurity researchers to gain insights into the inner workings of similar cyberespionage groups. The data gathered using various analysis techniques gives an overview of their motivations, the maturity of their technical skills, and even the plausible real-world connections between incidents. Groups like Earth Aughisky have sufficient resources at their disposal to adapt their arsenal for long-term cyberespionage operations, and organizations should treat the observed downtime in this group’s attacks as a period for preparation and vigilance for when it becomes active again.
Read our full analysis and recommendations on APT group Earth Aughisky in our research “The Rise of Earth Aughisky: Tracking the Campaigns Taidoor Started.” The full list of indicators of compromise (IOCs) can be downloaded here.