In 2021, we observed several targeted attacks against researchers of academic organizations and think tanks in Japan. We have since been tracking this series of attacks and identified the new intrusion set we have named “Earth Yako”. Our research points the attribution to the known campaign “Operation RestyLink” or “Enelink”.

Upon investigating several incidents, we identified previously unknown malware, tactics, techniques and procedures (TTPs), and infrastructure used by Earth Yako for cyberespionage. The intrusion set introduced new tools and malware within a short period of time, frequently changing and expanding its attack targets. Since we observed related attacks as recently as January 2023, we believe that Earth Yako is still active and will continue to target more organizations in the near future. This investigation was presented at JSAC 2023 in Tokyo, Japan.

Since January 2022, we have been observing Earth Yako as it targets researchers in academia and research think tanks in Japan. We also observed a small number of attacks that appear to have targeted organizations in Taiwan. While consistently targeting researchers, the areas of interest for Earth Yako’s deployment and targeting have varied over time. Earlier in 2022, its main targets were stakeholders related to economic security, but it later expanded to other sectors such as the energy or economic industry.

In this campaign, Earth Yako uses a spearphishing link for initial access. We observed several spearphishing emails masquerading as invitations to private or public meeting-like events; following the link leads to the download of the malware onto the target system. The URL in the spearphishing email downloads a compressed (.zip) or disc image (.iso) file containing a malicious shortcut file (.lnk), which in turn downloads another payload.

Here is a summary of the new malware and tools we observed from the different incidents:

- MirrorKey: An on-memory dynamic link library (DLL) loader.
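The delivery chain above (spearphishing link, then a .zip or .iso carrying a .lnk that fetches the next stage) gives defenders a cheap inspection point at the mail gateway or sandbox: open the archive and flag any member that is a Windows shortcut, whether by extension or by the Shell Link header. The script below is an added example written for this page, not Trend Micro's tooling or an Earth Yako sample. It handles only the ZIP container (an ISO9660 reader would be needed for .iso lures), uses the MS-SHLLINK header constants (HeaderSize 0x4C and the LinkCLSID 00021401-0000-0000-C000-000000000046), and builds a constructed lure archive in memory so it runs offline.

```python
"""Flag shortcut (.lnk) files hidden inside a ZIP lure archive.

Added example for this page, not code from the original article or from
Trend Micro. The archive and the .lnk bytes are constructed in memory for
demonstration; only the ZIP container is handled here (ISO9660 is assumed
to be handled by a separate reader).
"""
import io
import posixpath
import zipfile
from typing import Dict, List

# Windows Shell Link (MS-SHLLINK) header: HeaderSize 0x0000004C followed by the
# LinkCLSID 00021401-0000-0000-C000-000000000046 in its on-disk GUID layout.
LNK_MAGIC = bytes.fromhex("4C000000" "01140200" "00000000" "C000000000000046")


def is_lnk_bytes(data: bytes) -> bool:
    """True if the first 20 bytes match the Shell Link header, regardless of file name."""
    return data[:20] == LNK_MAGIC


def has_double_extension(name: str) -> bool:
    """True for names like 'Invitation.pdf.lnk': Explorer hides the .lnk suffix,
    so the file displays as a document."""
    base = posixpath.basename(name)
    if not base.lower().endswith(".lnk"):
        return False
    stem = base[: -len(".lnk")]
    return posixpath.splitext(stem)[1] != ""


def scan_zip(zip_bytes: bytes) -> List[Dict[str, object]]:
    """Return one finding per archive member that is a shortcut by extension or by magic."""
    findings: List[Dict[str, object]] = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(20)  # header check only; the body is never executed
            by_ext = info.filename.lower().endswith(".lnk")
            by_magic = is_lnk_bytes(head)
            if by_ext or by_magic:
                findings.append({
                    "name": info.filename,
                    "by_extension": by_ext,
                    "by_magic": by_magic,
                    "double_extension": has_double_extension(info.filename),
                })
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample (not a real Earth Yako artifact): a lure archive with a
    double-extension shortcut, a benign note, and an extensionless shortcut."""
    lnk = LNK_MAGIC + bytes(56)  # pad to the 0x4C-byte header; no link body
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invitation_2023.pdf.lnk", lnk)
        zf.writestr("README.txt", b"See attached invitation.")
        zf.writestr("agenda", lnk)  # caught by the header check alone
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_zip(build_sample_zip()):
        print(finding)
```

The header check matters because extension filters alone miss a shortcut stored under a neutral name and renamed by a later stage, while the double-extension check captures the common lure pattern in which Explorer's hidden .lnk suffix makes the shortcut look like a PDF. In a gateway pipeline the same `scan_zip` would run on the fetched attachment before release to the user, with any finding routed to quarantine.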