The ANEL backdoor has reemerged in a new espionage campaign

December 2, 2024
ANEL Backdoor Cyberespionage Spear Phishing

The dormant ANEL backdoor has seemingly returned to the threat landscape after a group of hackers utilised it in a recent cyber espionage campaign.

The researchers first observed the backdoor in a new spear-phishing campaign targeting Japanese entities such as political groups, research institutions, and think tanks. Earth Kasha, one of the most notorious cyber espionage groups, is the alleged operator of the backdoor. The tool had previously been associated with the APT10 group and had been dormant since 2018.

The campaign also uses another modular backdoor named NOOPDOOR, indicating that Earth Kasha is adapting various tactics and capabilities to make its attack more efficient.

Spear-phishing emails are the primary vector of the ANEL backdoor infection.

The ANEL backdoor operators utilise spear-phishing emails to infect targeted entities. Researchers believe these emails came from hijacked or free email accounts and included links to malicious OneDrive ZIP files.

The threat actors also use topical lures written in Japanese to appeal to their target audience. Confirmed subject lines from the phishing emails include "Interview Request Form" and "Japan’s Economic Security in the Context of Current US-China".

The downloaded archives carried several infection chains, including macro-enabled documents, shortcut files, and PowerShell-based payloads. The macro-enabled documents contained a dropper called ROAMINGMOUSE, which extracted and executed the ANEL components while using sandbox-aware checks to evade analysis environments.

The most notable features of ANEL's reemergence are payloads encoded in Base64 or hex, dynamic DLL sideloading through legitimate applications, control flow flattening, and junk code insertion to hinder analysis.
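As an added defender-side example that is not from the article or any vendor tool, the following Python triage helper scans a script or document blob for long Base64 or hex runs and reports the ones that decode to a PE image, the kind of encoded payload described above. The function names, the PE stub and the sample text are all constructed here for illustration.

```python
import base64
import binascii
import re
import struct

MIN_RUN = 64  # shortest encoded run worth decoding; anything shorter is noise
# A hex run is also a valid base64 run; both decoders are tried, and only a decode
# that yields an MZ/PE header counts, so a cross-match simply fails the PE check.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{%d,}={0,2}" % MIN_RUN)
HEX_RUN = re.compile(rb"(?:[0-9A-Fa-f]{2}){%d,}" % (MIN_RUN // 2))

def looks_like_pe(blob: bytes) -> bool:
    """True if blob has an MZ header whose e_lfanew points at a PE signature."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def _decode_b64(run: bytes):
    run = run.rstrip(b"=")          # strip any padding and re-add it below
    if len(run) % 4 == 1:           # no valid base64 string has this length
        return None
    try:
        return base64.b64decode(run + b"=" * (-len(run) % 4), validate=True)
    except ValueError:
        return None

def _decode_hex(run: bytes):
    try:
        return binascii.unhexlify(run)
    except ValueError:              # binascii.Error is a ValueError subclass
        return None

def find_encoded_pe(data: bytes):
    """Return (encoding, offset, decoded_size) for each encoded run that decodes to a PE."""
    hits = []
    for name, pattern, decode in (("base64", B64_RUN, _decode_b64), ("hex", HEX_RUN, _decode_hex)):
        for m in pattern.finditer(data):
            blob = decode(m.group(0))
            if blob is not None and looks_like_pe(blob):
                hits.append((name, m.start(), len(blob)))
    return sorted(hits, key=lambda h: h[1])

def constructed_pe_stub() -> bytes:
    """Constructed stand-in for a dropped DLL: MZ header, e_lfanew=0x40, PE signature, filler."""
    return b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40) + b"PE\x00\x00" + b"\x00" * 60

# Constructed sample: script-like text carrying the stub once in base64 and once in hex.
SAMPLE = (b'payload = "' + base64.b64encode(constructed_pe_stub()) + b'"\n'
          b'blob = "' + constructed_pe_stub().hex().encode() + b'"\n')
```

Running `find_encoded_pe(SAMPLE)` reports both encoded copies with their offsets and decoded size, which is the signal an analyst would pivot on when carving the embedded payload from a macro or script.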

After a successful infection, the backdoor lets its operators quickly gather information by taking screenshots, collecting network details, and running system commands. Earth Kasha also deployed NOOPDOOR on high-value targets, confirming the campaign’s espionage objectives.

The researchers therefore assess that Earth Kasha reused the TTPs it employed in past operations. The group’s choice of the ANEL backdoor is not a coincidence, as its capabilities align with the group’s interest in targets that bear on Japan’s national security and international relations.
