Earth Berberoka  (Back to overview)

According to TrendMicro, Earth Berberoka is a threat group originating from China that mainly focuses on targeting gambling websites. This group's campaign uses multiple malware families that target the Windows, Linux, and macOS platforms that have been attributed to Chinese-speaking actors. Aside from using tried-and-tested malware families that have been upgraded, such as PlugX and Gh0st RAT, Earth Berberoka has also developed a brand-new complex, multistage malware family, which has been dubbed PuppetLoader.

---

Associated Families

---

References

2022-08-12 ⋅ Trend Micro ⋅ Daniel Lunghi, Jaromír Hořejší @online{lunghi:20220812:iron:c55d0cd, author = {Daniel Lunghi and Jaromír Hořejší}, title = {{Iron Tiger Compromises Chat Application Mimi, Targets Windows, Mac, and Linux Users}}, date = {2022-08-12}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/22/h/irontiger-compromises-chat-app-Mimi-targets-windows-mac-linux-users.html}, language = {English}, urldate = {2022-08-18} } Iron Tiger Compromises Chat Application Mimi, Targets Windows, Mac, and Linux Users Rshell HyperBro

2022-05-23 ⋅ Trend Micro ⋅ Daniel Lunghi, Jaromír Hořejší @techreport{lunghi:20220523:operation:e3c402b, author = {Daniel Lunghi and Jaromír Hořejší}, title = {{Operation Earth Berberoka}}, date = {2022-05-23}, institution = {Trend Micro}, url = {https://documents.trendmicro.com/assets/white_papers/wp-operation-earth-berberoka.pdf}, language = {English}, urldate = {2022-07-25} } Operation Earth Berberoka reptile oRAT Ghost RAT PlugX pupy Earth Berberoka

2022-05-07 ⋅ YouTube (botconf eu) ⋅ Daniel Lunghi, Jaromír Hořejší @online{lunghi:20220507:operation:749c341, author = {Daniel Lunghi and Jaromír Hořejší}, title = {{Operation Gamblingpuppet: Analysis Of A Multiplatform Campaign Targeting Online Gambling Customers}}, date = {2022-05-07}, organization = {YouTube (botconf eu)}, url = {https://www.youtube.com/watch?v=QXGO4RJaUPQ}, language = {English}, urldate = {2022-07-25} } Operation Gamblingpuppet: Analysis Of A Multiplatform Campaign Targeting Online Gambling Customers Earth Berberoka

2022-04-27 ⋅ Trend Micro ⋅ Daniel Lunghi, Jaromír Hořejší @online{lunghi:20220427:new:9068f6e, author = {Daniel Lunghi and Jaromír Hořejší}, title = {{New APT Group Earth Berberoka Targets Gambling Websites With Old and New Malware}}, date = {2022-04-27}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/22/d/new-apt-group-earth-berberoka-targets-gambling-websites-with-old.html}, language = {English}, urldate = {2023-04-18} } New APT Group Earth Berberoka Targets Gambling Websites With Old and New Malware HelloBot AsyncRAT Ghost RAT HelloBot PlugX Quasar RAT Earth Berberoka

2022-04-27 ⋅ Trendmicro ⋅ Trendmicro @online{trendmicro:20220427:iocs:18f7e31, author = {Trendmicro}, title = {{IOCs for Earth Berberoka - Windows}}, date = {2022-04-27}, organization = {Trendmicro}, url = {https://documents.trendmicro.com/assets/txt/earth-berberoka-windows-iocs-2.txt}, language = {English}, urldate = {2022-07-25} } IOCs for Earth Berberoka - Windows AsyncRAT Cobalt Strike PlugX Quasar RAT Earth Berberoka

2022-04-27 ⋅ Trendmicro ⋅ Trendmicro @online{trendmicro:20220427:iocs:0e6090d, author = {Trendmicro}, title = {{IOCs for Earth Berberoka - MacOS}}, date = {2022-04-27}, organization = {Trendmicro}, url = {https://documents.trendmicro.com/assets/txt/earth-berberoka-macos-iocs-2.txt}, language = {English}, urldate = {2022-07-25} } IOCs for Earth Berberoka - MacOS oRAT Earth Berberoka

2022-04-27 ⋅ Trendmicro ⋅ Trendmicro @online{trendmicro:20220427:iocs:8ae9d53, author = {Trendmicro}, title = {{IOCs for Earth Berberoka}}, date = {2022-04-27}, organization = {Trendmicro}, url = {https://documents.trendmicro.com/assets/txt/earth-berberoka-domains-2.txt}, language = {English}, urldate = {2022-07-25} } IOCs for Earth Berberoka Earth Berberoka

2022-04-27 ⋅ Trendmicro ⋅ Trendmicro @online{trendmicro:20220427:iocs:b6d7ab5, author = {Trendmicro}, title = {{IOCs for Earth Berberoka - Linux}}, date = {2022-04-27}, organization = {Trendmicro}, url = {https://documents.trendmicro.com/assets/txt/earth-berberoka-linux-iocs-2.txt}, language = {English}, urldate = {2022-07-25} } IOCs for Earth Berberoka - Linux Rekoobe pupy Earth Berberoka

2022-04-27 ⋅ Trendmicro ⋅ Daniel Lunghi, Jaromír Hořejší @techreport{lunghi:20220427:operation:bdba881, author = {Daniel Lunghi and Jaromír Hořejší}, title = {{Operation Gambling Puppet}}, date = {2022-04-27}, institution = {Trendmicro}, url = {https://www.botconf.eu/wp-content/uploads/2022/05/Botconf2022-40-LunghiHorejsi.pdf}, language = {English}, urldate = {2022-07-25} } Operation Gambling Puppet reptile oRAT AsyncRAT Cobalt Strike DCRat Ghost RAT PlugX Quasar RAT Trochilus RAT Earth Berberoka

---

Credits: MISP Project