URL: https://www.trendmicro.com/en_us/research/24/k/earth-estries.html
APT & Targeted Attacks


GAME OF EMPEROR: UNVEILING LONG TERM EARTH ESTRIES CYBER INTRUSIONS

Since 2023, APT group Earth Estries has aggressively targeted key industries
globally with sophisticated techniques and new backdoors, like GHOSTSPIDER and
MASOL RAT, for prolonged espionage operations.

By: Leon M Chang, Theo Chen, Lenart Bermejo, Ted Lee. November 25, 2024. Read
time: 14 min (3744 words)


SUMMARY

 * Earth Estries, a Chinese APT group, has primarily targeted critical sectors
   like telecommunications and government entities across the US, Asia-Pacific,
   Middle East, and South Africa since 2023.
 * The group employs advanced attack techniques and multiple backdoors, such as
   GHOSTSPIDER, SNAPPYBEE, and MASOL RAT, affecting several Southeast Asian
   telecommunications companies and government entities.
 * Earth Estries exploits public-facing server vulnerabilities to establish
   initial access and uses living-off-the-land binaries for lateral movement
   within networks to deploy malware and conduct long-term espionage.
 * The group has compromised over 20 organizations, targeting various sectors
   including telecommunications, technology, consulting, chemical, and
   transportation industries, as well as government agencies and NGOs in
   numerous countries.
 * Earth Estries uses a complex C&C infrastructure managed by different teams,
   and their operations often overlap with TTPs of other known Chinese APT
   groups, indicating possible use of shared tools from malware-as-a-service
   providers.

Since 2023, Earth Estries (aka Salt Typhoon, FamousSparrow, GhostEmperor and
UNC2286) has emerged as one of the most aggressive Chinese advanced persistent
threat (APT) groups, primarily targeting critical industries such as
telecommunications and government entities in the US, the Asia-Pacific region,
the Middle East, and South Africa. In this blog entry, we will highlight their
evolving attack techniques and analyze the motivation behind their operations,
providing insights into their long-term targeted attacks.

A key finding from our recent investigation is the discovery of a new backdoor,
GHOSTSPIDER, identified during attacks on Southeast Asian telecommunications
companies. We will explore the technical details of GHOSTSPIDER, its impact
across multiple countries, and interesting findings when we were tracking its
command-and-control (C&C) infrastructure. We have also uncovered the group’s use
of the modular backdoor SNAPPYBEE (aka Deed RAT), another tool shared among
Chinese APT groups. 

Furthermore, we discovered that Earth Estries uses another cross-platform
backdoor, which we initially identified during our investigation of Southeast
Asian government incidents in 2020. We named it MASOL RAT based on its PDB
string. We couldn’t link MASOL RAT to any known threat group at the time due to
limited information. However, this year we observed that Earth Estries has been
deploying MASOL RAT on Linux devices targeting Southeast Asian government
networks. More details about MASOL RAT will be provided in this blog entry.

Recently, we also noticed that Microsoft has tracked the APT groups
FamousSparrow and GhostEmperor under the name Salt Typhoon. However, we don’t
have sufficient evidence that Earth Estries is related to the recent news of a
recent Salt Typhoon cyberattack, as we have not seen a more detailed report on
Salt Typhoon. Currently, we can only confirm that some of Earth Estries’
tactics, techniques, and procedures (TTPs) overlap with that of FamousSparrow
and GhostEmperor. 

MOTIVATION

We have observed that Earth Estries has been conducting prolonged attacks
targeting governments and internet service providers since 2020. In mid-2022, we
noticed that the attackers also started targeting service providers for
governments and telecommunications companies. For example, we found that in
2023, the attackers had also targeted consulting firms and NGOs that work with
the U.S. federal government and military. The attackers use this approach to
gather intelligence more efficiently and to attack their primary targets more
quickly. 

Notably, we observed that attackers targeted not only critical services (like
database servers and cloud servers) used by the telecommunications company, but
also their vendor network. We found that they implanted the DEMODEX rootkit on
vendor machines. This vendor is a primary contractor for the region’s main
telecommunications provider, and we believe that attackers use this approach to
facilitate access to more targets.

VICTIMOLOGY

We found that Earth Estries successfully compromised more than 20 organizations
in areas that include the telecommunications, technology, consulting, chemical,
and transportation industries, government agencies, and non-profit organizations
(NGOs). Victims also came from numerous countries, including:

 * Afghanistan
 * Brazil 
 * Eswatini
 * India
 * Indonesia
 * Malaysia
 * Pakistan
 * The Philippines
 * South Africa
 * Taiwan
 * Thailand
 * US
 * Vietnam

Figure 1. Victimology map of Earth Estries

INITIAL ACCESS

Earth Estries is aggressively targeting the public-facing servers of victims. We
have observed them exploiting server-based N-day vulnerabilities, including the
following:

 * Ivanti Connect Secure VPN Exploitation (CVE-2023-46805 and CVE-2024-21887): A
   chain of exploits to bypass authentication, craft malicious requests, and
   execute arbitrary commands with elevated privileges.
 * CVE-2023-48788: Fortinet FortiClient EMS SQL Injection Vulnerability.
 * CVE-2022-3236: A code injection vulnerability in the User Portal and Webadmin
   of Sophos Firewall allows for remote code execution.
 * ProxyLogon (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and
   CVE-2021-27065): A set of four chained vulnerabilities that perform remote
   code execution (RCE) in Microsoft Exchange servers.

Table 1. The list of vulnerabilities exploited by Earth Estries

After gaining control of the vulnerable server, we observed that the attackers
leveraged living-off-the-land binaries (LOLBINs) like WMIC.exe and PSEXEC.exe
for lateral movement, and deployed customized malware such as SNAPPYBEE,
DEMODEX, and GHOSTSPIDER to conduct long-term espionage activities against their
targets.

CAMPAIGN OVERVIEW

Our analysis suggests that Earth Estries is a well-organized group with a clear
division of labor. Based on observations from multiple campaigns, we speculate
that attacks targeting different regions and industries are launched by
different actors. Additionally, the C&C infrastructure used by various backdoors
seems to be managed by different infrastructure teams, further highlighting the
complexity of the group's operations.

CAMPAIGN ALPHA

Figure 2. Campaign Alpha overview

In the attacks we observed last October targeting the Taiwanese government and a
chemical company, we found that the attackers downloaded malicious tools from
their C&C server (23.81.41[.]166). While investigating the download site
(23.81.41[.]166), we found more interesting samples on the C&C server which had
an open directory on port 80.

Figure 3. The C&C with open directory vulnerability

The notable samples are listed in Table 2 below, based on our monitoring from
October 2023 to April 2024.

 * sql.toml: frpc config (C&C server: 165.154.227[.]192).
 * onedrived.zip: Contains the PowerShell script ondrived.ps1.
 * Nsc.exe, 123.zip/WINMM.dll, NortonLog.txt: The first SNAPPYBEE sample set
   (SNAPPYBEE C&C domain: api.solveblemten[.]com).
 * 0202/*: Another SNAPPYBEE sample set (imfsbSvc.exe, imfsbDll.dll, DgApi.dll,
   and dbindex.dat). (SNAPPYBEE C&C domain: esh.hoovernamosong[.]com)
 * Others: Open-source hacktools like frpc, NeoReGeorg tunnel, and fscan.

Table 2. Notable samples

Here is a summary of notable findings:

 * The frpc C&C 165.154.227[.]192 could be linked to an SSL certificate (SHA256:
   2b5e7b17fc6e684ff026df3241af4a651fc2b55ca62f8f1f7e34ac8303db9a31) previously
   used by ShadowPad, which is another shared tool among several Chinese APT
   groups. In addition, the C&C IP address was also mentioned in a Fortinet
   report and indicators of compromise related to the Ivanti exploit.
 * We observed the TTPs used by onedrived.ps1 are similar to those
   of GhostEmperor’s first-stage PowerShell dropper. The only difference is that
   the strings are encoded using base64 algorithm in this new variant.
 * Based on our analysis, although the two sample sets use different DLL
   hijacking combinations and decoding algorithms to decrypt the payload, the
   backdoor characteristics match those of the previous SNAPPYBEE samples: the
   decrypted shellcode module header signature is still 0xDEED4554 and the
   Main/Root module ID is still 0x20, as seen in Figure 4.

Figure 4. The analysis screenshot of SNAPPYBEE

DEMODEX ROOTKIT INFECTION CHAIN

Figure 5. The infection chain of DEMODEX rootkit

There are two requirements to analyze the DEMODEX rootkit:

 1. The first-stage PowerShell script requires a decryption key as an argument.
 2. The second-stage service loader uses the computer name as the AES decryption
    key.

Based on our telemetry, we discovered that the attacker used PSEXEC.exe to
execute the following commands to install the DEMODEX rootkit:

    Powershell.exe -ex bypass c:\windows\assembly\onedrived.ps1 password@123

Notably, we discovered that all components related to the DEMODEX rootkit use
control flow flattening techniques to increase the difficulty of analysis
(Figure 6). 

Figure 6. DEMODEX Anti-analysis techniques (control flow flattening)
Figure 7. Core-implant malware configuration (C&C: 103.91.64[.]214)

C&C INFRASTRUCTURE ACTIVITIES

While tracking the C&C infrastructure of the aforementioned backdoor, we found
the following notable findings:

 1. We found that one of the SNAPPYBEE C&C domains, api.solveblemten[.]com, has
    WHOIS registration information that overlaps with some indicators of
    compromise (IOCs) mentioned in Mandiant's UNC4841 report. Based on our
    research, we believe that these related C&C domains were likely registered
    by the same provider and shared them in different operations. However, we
    don't have sufficient evidence to consider UNC4841 as one of the subgroups
    related to Earth Estries.
 2. Another SNAPPYBEE C&C domain (esh.hoovernamosong[.]com) resolved to a C&C IP
    address (158.247.222[.]165), which could be linked to a SoftEther domain
    (vpn114240349.softether[.]net). Therefore, we believe the threat actor also
    used SoftEther VPN to establish their operational networks, making it more
    difficult to track their activities.
 3. Notably, we discovered and downloaded victim data from the SNAPPYBEE C&C
    (158.247.222[.]165) with an open directory on port 8000 this February. Based
    on our analysis, we believe the victim data was exfiltrated from a US NGO.
    Most of the victim data is composed of financial, human resources, and
    business-related documents. It's worth noting that the attacker also
    collected data related to multiple military units and federal government
    entities.  
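The pivots above (a config that points at an IP, an IP that shares a TLS certificate with ShadowPad, a domain whose WHOIS overlaps another report, a resolved IP tied to a SoftEther hostname) are easier to keep honest when every link is recorded together with its evidence and a confidence value. The Python below is an added example and not Trend Micro's code: it loads the relations this report states (from Table 2 and the findings above) into an undirected indicator graph and answers two analyst questions, what is reachable from an indicator within N hops, and which chain of evidence joins two indicators, carrying the product of edge confidences so the weakest link is visible. The confidence values and relation labels are constructed assumptions, not figures from the report.

```python
"""Pivot across this report's C&C observations as a small indicator graph.

Added example, not Trend Micro's code. The relations are the ones stated in
Table 2 and the C&C Infrastructure Activities findings; the confidence values
and relation labels are a constructed scale, not figures from the report.
"""
from collections import defaultdict, deque


def refang(ioc):
    """Turn a defanged indicator (1.2.3[.]4, example[.]com) back into its real form."""
    return ioc.replace("[.]", ".")


CERT = "2b5e7b17fc6e684ff026df3241af4a651fc2b55ca62f8f1f7e34ac8303db9a31"

# (subject, relation, object, confidence). Constructed scale: 1.0 = observed
# directly in telemetry or DNS resolution, 0.7 = shared artifact (TLS cert),
# 0.5 = "could be linked" / WHOIS overlap, mirroring how the report hedges.
EDGES = [
    ("sql.toml", "frpc_config_points_to", "165.154.227[.]192", 1.0),
    ("165.154.227[.]192", "tls_cert_sha256", CERT, 0.7),
    ("ShadowPad", "tls_cert_sha256", CERT, 0.7),
    ("Nsc.exe", "malware_family", "SNAPPYBEE", 1.0),
    ("Nsc.exe", "c2_domain", "api.solveblemten[.]com", 1.0),
    ("api.solveblemten[.]com", "whois_overlap", "UNC4841 report IOCs", 0.5),
    ("0202/*", "malware_family", "SNAPPYBEE", 1.0),
    ("0202/*", "c2_domain", "esh.hoovernamosong[.]com", 1.0),
    ("esh.hoovernamosong[.]com", "resolved_to", "158.247.222[.]165", 1.0),
    ("vpn114240349.softether[.]net", "linked_to", "158.247.222[.]165", 0.5),
    ("onedrived.ps1", "installs", "DEMODEX", 1.0),
    ("DEMODEX", "core_implant_c2", "103.91.64[.]214", 1.0),
]


def build_graph(edges):
    """Undirected adjacency: node -> [(neighbour, relation, confidence)]."""
    graph = defaultdict(list)
    for subj, rel, obj, conf in edges:
        subj, obj = refang(subj), refang(obj)
        graph[subj].append((obj, rel, conf))
        graph[obj].append((subj, rel, conf))
    return dict(graph)


def pivot(graph, start, max_hops=None):
    """Breadth-first pivot from one indicator.

    Returns ({node: (hops, confidence)}, {node: (parent, relation)}). The
    confidence is the product of edge confidences along the shortest path, so
    the weakest link bounds how far an analyst should trust the pivot.
    """
    start = refang(start)
    seen = {start: (0, 1.0)}
    parent = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        hops, conf = seen[node]
        if max_hops is not None and hops >= max_hops:
            continue
        for nb, rel, c in graph.get(node, []):
            if nb not in seen:
                seen[nb] = (hops + 1, conf * c)
                parent[nb] = (node, rel)
                queue.append(nb)
    return seen, parent


def reachable(graph, start, max_hops=None):
    """{node: (hops, confidence)} for everything within max_hops of start."""
    return pivot(graph, start, max_hops)[0]


def explain(graph, start, target):
    """Chain of (node, relation, node) evidence joining start to target, or []."""
    seen, parent = pivot(graph, start)
    target = refang(target)
    if target not in seen:
        return []
    chain, node = [], target
    while parent[node] is not None:
        prev, rel = parent[node]
        chain.append((prev, rel, node))
        node = prev
    return list(reversed(chain))


def components(graph):
    """Connected clusters; observations in different clusters share no evidence."""
    remaining, clusters = set(graph), []
    while remaining:
        comp = frozenset(reachable(graph, next(iter(remaining))))
        clusters.append(comp)
        remaining -= comp
    return clusters


if __name__ == "__main__":
    g = build_graph(EDGES)
    near = reachable(g, "esh.hoovernamosong[.]com", 2)
    for node, (hops, conf) in sorted(near.items(), key=lambda kv: kv[1]):
        print(f"{hops} hop(s)  conf={conf:.2f}  {node}")
    for step in explain(g, "sql.toml", "ShadowPad"):
        print(" -> ".join(step))
```

Run as a script it lists what sits within two hops of the second SNAPPYBEE C&C domain and prints the evidence chain from the frpc config to ShadowPad; the 0.49 confidence on that chain reflects two certificate-sharing links, which is the same caution the report expresses with "could be linked".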

POST-EXPLOITATION FINDINGS

In this campaign, we observed that the attackers primarily used the following
LOLBin tools to gather endpoint information and to move laterally to additional
machines.

frpc related:
 * WMIC.exe /node:<REDACTED> /user:<REDACTED> /password:<REDACTED> process call
   create "cmd.exe /c expand c:/windows/debug/1.zip
   c:/windows/debug/notepadup.exe
 * cmd.exe /c ping 165.154.227.192 -n 1 > c:\Windows\debug\info.
 * cmd.exe /c c:/windows/debug/win32up.exe -c c:/windows/debug/sql.toml
 * cmd.exe /c wevtutil qe security /format:text
   /q:\"Event[System[(EventID=4624)]\" > c:\windows\debug\info.log

ps.exe (PSEXEC.exe):
 * C:\Windows\assembly\ps.exe /accepteula \\<REDACTED> -u <REDACTED> -p <REDACTED>
   -s cmd /c c:\Windows\assembly\1.bat
 * WMIC.exe /node:<REDACTED> /user:<REDACTED> /password:<REDACTED> process call
   create "cmd.exe /c c:\Windows\debug\1.bat""

Table 3. LOLbin tools used to gather endpoint information and perform lateral
movement
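As an added example (not part of the original report and not a Trend Micro detection), the Python below hunts for the Table 3 command-line patterns in process-creation events; the events, hostnames and credentials are constructed placeholders, and the regular expressions are the editor's own rules modelled on the table.

```python
import re

# Detection rules modelled on the LOLbin command lines in Table 3. Each rule is a
# (name, regex) pair matched case-insensitively against the process command line.
RULES = [
    # Remote process creation through WMI with explicit credentials
    ("wmic_remote_process_create",
     r"\bwmic(?:\.exe)?\b.*?/node:.*?\bprocess\s+call\s+create\b"),
    # CAB archive expanded into the C:\Windows\debug staging directory
    ("expand_cab_into_windows_debug",
     r"\bexpand\b.*?c:[\\/]windows[\\/]debug[\\/]"),
    # Command output redirected into the same staging directory (recon staging)
    ("output_redirected_to_windows_debug",
     r">\s*c:[\\/]windows[\\/]debug[\\/]"),
    # Binary from the staging directory launched with a TOML config (frpc-style)
    ("staged_binary_with_toml_config",
     r"[\\/]windows[\\/]debug[\\/][^\s\"]+\.exe\s+-c\s+\S+\.toml\b"),
    # Logon events (4624) dumped from the Security log with wevtutil
    ("wevtutil_logon_event_harvest",
     r"\bwevtutil(?:\.exe)?\s+qe\s+security\b.*?EventID=4624"),
    # Renamed PsExec run against a remote host as SYSTEM (-s)
    ("psexec_remote_system_shell",
     r"\bps(?:exec)?\.exe\s+/accepteula\b.*?\\\\\S+.*?\s-s\s+cmd\b"),
]
COMPILED = [(name, re.compile(pattern, re.IGNORECASE)) for name, pattern in RULES]


def match_rules(cmdline: str) -> list[str]:
    """Return the names of all rules that match one process command line."""
    return [name for name, rx in COMPILED if rx.search(cmdline)]


def hunt(events: list[dict]) -> list[dict]:
    """Return the process-creation events that trip at least one rule, annotated."""
    hits = []
    for ev in events:
        names = match_rules(ev["cmdline"])
        if names:
            hits.append({**ev, "rules": names})
    return hits


# Constructed sample events (not real telemetry); hosts and credentials are
# placeholders standing in for the redacted values in Table 3.
SAMPLE_EVENTS = [
    {"host": "SRV01", "cmdline": r'WMIC.exe /node:SRV02 /user:CORP\svc /password:P@ss process call create "cmd.exe /c expand c:/windows/debug/1.zip c:/windows/debug/notepadup.exe"'},
    {"host": "SRV02", "cmdline": r"cmd.exe /c ping 192.0.2.10 -n 1 > c:\Windows\debug\info.log"},
    {"host": "SRV02", "cmdline": r"cmd.exe /c c:/windows/debug/win32up.exe -c c:/windows/debug/sql.toml"},
    {"host": "SRV02", "cmdline": r'cmd.exe /c wevtutil qe security /format:text /q:\"Event[System[(EventID=4624)]\" > c:\windows\debug\info.log'},
    {"host": "SRV01", "cmdline": r"C:\Windows\assembly\ps.exe /accepteula \\SRV03 -u CORP\svc -p P@ss -s cmd /c c:\Windows\assembly\1.bat"},
    {"host": "WS05", "cmdline": r"ping 192.0.2.1 -n 4"},  # benign control event
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit["host"], hit["rules"])
```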

CAMPAIGN BETA

Figure 8. Campaign Beta overview

In this section, we introduce Earth Estries' long-term attacks on
telecommunications companies and government entities. According to our research,
most of the victims have been compromised for several years. We believe that in
the early stages, the attackers obtained credentials and took control of target
machines through web vulnerabilities and the Microsoft Exchange ProxyLogon
exploit chain. For these long-term targets, the attackers primarily used the
DEMODEX rootkit to remain hidden within the victims' networks. Notably, in a
recent investigation into attacks on telecommunications companies in Southeast
Asia, we discovered a previously undisclosed backdoor, which we have named
GHOSTSPIDER.

GHOSTSPIDER’S TECHNIQUE ANALYSIS

GHOSTSPIDER is a sophisticated multi-modular backdoor designed with several
layers to load different modules based on specific purposes. This backdoor
communicates with its C&C server using a custom protocol protected by Transport
Layer Security (TLS), ensuring secure communication.

Figure 9. The GHOSTSPIDER infection flow

Initial infection and stager deployment

Based on our telemetry, we observed that the threat actor installs the
first-stage stager via regsvr32.exe, which is used to install a DLL (with export
names such as core.dll or spider.dll) as a service. The stager is designed to
check for a specific hostname hard-coded in the DLL, ensuring that it only runs
on the targeted machine. Once the stager is executed, it connects to the
stager's C&C server to register a new connection and subsequently receives a
module (DLL export name: login.dll) to load and execute in memory. This login
module collects basic information about the infected endpoint and sends it back
to the stager's C&C server. After this initial phase, the stager enters a
polling mode, waiting for the threat actor's next payload.

Beacon loader deployment

On the infected endpoint, the threat actor deploys a legitimate executable file
alongside a malicious DLL file for DLL search order hijacking. This malicious
DLL, another GHOSTSPIDER module known as the beacon loader (DLL export name:
loader.dll), is used to launch the beacon payload in memory. A scheduled task is
created to launch the executable. The beacon loader contains an encrypted .NET
DLL payload (DLL export name: client.dll), which is decrypted and executed in
memory.

Communication protocol

The communication requests that are used by the GHOSTSPIDER stager follow a
common format. A connection ID is placed in the HTTP header's cookie as
“phpsessid”. The connection ID is calculated using CRC32 or CRC64 with UUID4
values. Figure 10 shows an example of a stager's first request to the C&C
server. 

Figure 10. Example of a stager's first request to the C&C server

Here is an example of a decrypted response:

=|did=96A52F5C1F2C2C67|wid=13CF3E8E0E5580EB|act=2|tt=41003562|<f

The data is separated by “|” with the following items:

 * An unknown prefix
 * did: the connection ID calculated from the infected machine
 * wid: the remote ID for a specific connection
 * act: an action code
 * tt: tick count
 * An unknown suffix

Beacon communication and command codes

Like the stager, the GHOSTSPIDER beacon uses an almost identical format to
communicate with the beacon C&C server to receive command codes. 

Table 4 outlines the command codes supported by the GHOSTSPIDER beacon.

Code   Action      Description
1      upload      Load and invoke a delegate from the received buffer; the
                   delegate exposes three methods: Open / Close / Write
2      create      Call the Open method of the loaded delegate
3      normal      Call the Write method of the loaded delegate
4      close       Unload and remove the delegate
5      update      Update the interval value (idle time)
6      heartbeat   Heartbeat, no action

Table 4. Command codes supported by the GHOSTSPIDER beacon
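As an added example (not code from the report or from the malware), the Python below parses the "|"-delimited message format shown in the communication protocol section, maps the act field to the Table 4 command names, and derives a CRC-based connection ID of the did shape from a UUID4; the CRC-64 parameters, the raw UUID byte layout, the phpsessid heuristic and the assumption that the beacon reuses the stager's act field are the editor's own guesses.

```python
import uuid
import zlib
from dataclasses import dataclass

# Table 4 beacon command codes, as listed on the page.
BEACON_COMMANDS = {1: "upload", 2: "create", 3: "normal",
                   4: "close", 5: "update", 6: "heartbeat"}
MASK64 = (1 << 64) - 1

def crc64_ecma(data: bytes) -> int:
    """Bitwise CRC-64/ECMA-182 (poly 0x42F0E1EBA9EA3693, init 0, not reflected).
    Assumption: the report names CRC64 but not its parameters; this variant is a guess."""
    poly = 0x42F0E1EBA9EA3693
    crc = 0
    for b in data:
        crc ^= b << 56
        for _ in range(8):
            crc = ((crc << 1) ^ poly) & MASK64 if crc & (1 << 63) else (crc << 1) & MASK64
    return crc

def connection_id(uuid_str: str, width: int = 64) -> str:
    """did-style ID as the report describes: a CRC over the UUID4 bytes (assumption:
    raw 16-byte layout), rendered as upper-case hex of the chosen width."""
    raw = uuid.UUID(uuid_str).bytes
    if width == 32:
        return f"{zlib.crc32(raw) & 0xFFFFFFFF:08X}"
    return f"{crc64_ecma(raw):016X}"

@dataclass
class GhostSpiderMessage:
    prefix: str
    fields: dict
    suffix: str

def parse_message(decrypted: str) -> GhostSpiderMessage:
    """Split a decrypted '|'-delimited message into prefix, key=value fields and suffix."""
    parts = decrypted.split("|")
    if len(parts) < 3:
        raise ValueError("expected prefix|field=value...|suffix")
    fields = {}
    for item in parts[1:-1]:
        key, sep, value = item.partition("=")
        if not sep or not key:
            raise ValueError(f"malformed field: {item!r}")
        fields[key] = value
    return GhostSpiderMessage(parts[0], fields, parts[-1])

def describe_action(msg: GhostSpiderMessage) -> str:
    """Map act to a Table 4 name (assumption: the beacon reuses the stager's act field)."""
    try:
        return BEACON_COMMANDS.get(int(msg.fields["act"]), "unknown")
    except (KeyError, ValueError):
        return "unknown"

def phpsessid_looks_like_connection_id(cookie_value: str) -> bool:
    """Proxy-log heuristic: a phpsessid of exactly 8 or 16 upper-case hex characters fits
    the CRC32/CRC64 ID shape, whereas a stock PHP session ID is longer and lower-case."""
    return len(cookie_value) in (8, 16) and all(c in "0123456789ABCDEF" for c in cookie_value)

# Decrypted response quoted on the page
SAMPLE = "=|did=96A52F5C1F2C2C67|wid=13CF3E8E0E5580EB|act=2|tt=41003562|<f"
SAMPLE_MESSAGE = parse_message(SAMPLE)  # fields: did, wid, act, tt
```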

The GHOSTSPIDER beacon is segmented into distinct delegates, each tailored to
specific functions. These modules are retrieved from the C&C server and are
reflectively loaded into memory as dictated by specific command codes.

This modular design significantly enhances the backdoor's flexibility and
adaptability, as individual components can be deployed or updated independently
based on the attacker’s evolving needs. Additionally, it complicates detection
and analysis, as analysts are forced to piece together a fragmented view of the
malware’s full functionality. By isolating different capabilities across
separate modules, GHOSTSPIDER not only reduces its footprint, but also makes it
challenging to construct a comprehensive understanding of its operation and
overall objectives.

THE NEW DEMODEX INFECTION FLOW

This year, we observed the attackers using another variant of DEMODEX. In this
new installation flow, the attackers no longer use a first-stage PowerShell
script to deploy the additional payload. Instead, the registry data required for
installation (the encrypted configuration and the shellcode payload) is bundled
in a CAB file, which is deleted once installation finishes. As a result, even
when we collect the first-stage PowerShell script, analysis cannot proceed
because the bundled data is no longer available. We found a report published by
another vendor that mentions findings consistent with our observations.

Figure 11. New DEMODEX infection flow
Figure 12. The DEMODEX rootkit installation flow observed in Trend Vision One™

ADDITIONAL C&C INFRASTRUCTURE ANALYSIS

Deploying the MASOL backdoor (aka Backdr-NQ) on a Linux server 

While investigating the C&C infrastructure related to Campaign Alpha, we tracked
the associated C&C IP (103.159.133[.]251) to a Linux backdoor (name: dash_board,
SHA256: 44ea2e85ea6cffba66f5928768c1ee401f3a6d6cd2a04e0d681d695f93cc5a1f). Our
analysis confirmed that this sample is linked to the MASOL RAT, which we
identified in 2020 and observed being used to target Southeast Asian government
entities (Figure 13). Based on the backdoor's PDB string
(E:\Masol_https190228\x64\Release\Masol.pdb), we believe the backdoor may have
been developed as early as 2019. We observed the new Linux variant of MASOL in
the wild after 2021; however, we have not seen the Windows variant of MASOL
since 2021. Currently, we have moderate to high confidence that Earth Estries
has used the MASOL RAT to target Linux servers within Southeast Asian
governments in recent years.

Figure 13. The extracted MASOL RAT malware configuration

Based on the following reasons, we currently only have low confidence that Earth
Estries has previously deployed the MASOL RAT through CVE-2022-3236:

 * Since August of this year, we have observed a new campaign launched by Earth
   Estries targeting Southeast Asian governments. Our Deep Discovery Inspector
   (DDI) detected a compromised Linux server communicating with the MASOL RAT
   C&C. During the same period, we also observed other compromised hosts within
   the same organization communicating with the C&C infrastructure associated
   with the sub-domain of CrowDoor backdoor. We will continue monitoring this
   ongoing campaign and may provide more details after we have completed our
   investigation.
 * We didn’t find any C&C infrastructure that overlaps between our research
   and the Sophos report. Although we only observed limited MASOL RAT IOCs in
   the wild, we cannot rule out the possibility that MASOL RAT is a shared tool
   among limited Chinese APT threat groups.

Additional GHOSTSPIDER C&C infrastructure

Currently, we do not have sufficient evidence to attribute the DEMODEX rootkit
and GHOSTSPIDER to Earth Estries as proprietary backdoors. Therefore, in the IOC
section we will only list the C&C infrastructure used by the two campaigns
discussed above. However, we did discover some interesting GHOSTSPIDER C&C
infrastructure.

In the certificate used by the GHOSTSPIDER C&C 141.255.164[.]98:2096 (C&C active
timeline: August 2, 2024 to August 22, 2024), we found that one of the
certificate's alternative names, "palloaltonetworks[.]com", was mentioned in a
vendor report on an Inc Ransom attack (Figure 14). Although we have not observed
any GHOSTSPIDER-related incident that links it to Inc Ransom, based on these
OSINT findings it is possible that Earth Estries uses ransomware in their
operations, either for espionage or for financial gain.

Figure 14. Certificate used by GHOSTSPIDER

ATTRIBUTION

Figure 15. Attribution overview (demonstrates a possible joint operation across
different units)

In our first Earth Estries blog entry, we found some TTPs that overlapped
between Earth Estries and FamousSparrow. Since then, we have found two campaigns
related to the DEMODEX rootkit mentioned in the GhostEmperor report. Since we
found that the attacker also used SNAPPYBEE, we suspect that the tools used by
Earth Estries might come from different malware-as-a-service (MaaS) providers.
We attribute the two campaigns to Earth Estries with high confidence based on
the following shared TTPs:

 1. The C&C domains of Campaign Alpha and Campaign Beta shared the same WHOIS
    registration information.
 2. Both campaigns utilized the DEMODEX rootkit and GHOSTSPIDER.
 3. We observed that DEMODEX, SparrowDoor, and CrowDoor used the same C&C
    infrastructure in the past. Additionally, the C&C 27.102.113[.]240 was
    mentioned in the FamousSparrow and GhostEmperor reports. Therefore, we
    believe that Earth Estries has used DEMODEX, GHOSTSPIDER, SparrowDoor and
    CrowDoor. However, we are not sure whether these customized backdoors are
    proprietary tools of Earth Estries, so some of the C&C infrastructure
    cannot be attributed to this threat group.

Based on our telemetry, we observed that the Campaign Alpha actors deployed
another x86 SNAPPYBEE sample set at %SYSTEMROOT%\assembly\imfsbDll.dll (SHA256:
6d64643c044fe534dbb2c1158409138fcded757e550c6f79eada15e69a7865bc) and
%SYSTEMROOT%\assembly\DgApi.dll (SHA256:
25b9fdef3061c7dfea744830774ca0e289dba7c14be85f0d4695d382763b409b) in their
operations on October 10, 2024. We detected the same hashes in two other
government entities.

We also found that one of these government entities had been compromised by
Earth Estries since 2020. Notably, SNAPPYBEE was deployed in the ZINGDOOR attack
chains on October 13, 2024. This is why we believe Earth Estries used distinct
C&C infrastructure for different targets, and that the operations might have
been launched by different teams. Some of the TTPs differ significantly, even
though the same toolset was shared.

It's worth noting that we observed the following C&C infrastructure overlapping
across multiple victim environments. First, we found DEMODEX and Cobalt Strike
beacon samples on the same infected machine. The DEMODEX C&C domain
pulseathermakf[.]com is used by the operator of Campaign Beta. The Cobalt Strike
beacon C&C cloudlibraries[.]global[.]ssl[.]fastly[.]net (with the sample
downloaded from the C&C hxxp://103.159.133[.]205/lib3.cab) and the associated
post-exploitation activity are linked to TrillClient attack chains, which
involve the Hemigate, SparrowDoor, and CrowDoor toolsets.

Next, we found that the DEMODEX C&C domain pulseathermakf[.]com has been used to
target a Southeast Asian government agency for several years. However, on August
28, 2024, we detected a network connection to pulseathermakf[.]com from a
compromised server belonging to a Southeast Asian telecommunications company
(Campaign Beta). We speculate that the attacker may have made a mistake while
deploying the backdoor. Currently, we observe that the attacker primarily uses
the DEMODEX C&C domains www[.]infraredsen[.]com and imap[.]dateupdata[.]com to
target multiple Southeast Asian telecom companies.

During our investigation of Campaign Beta, we discovered the GHOSTSPIDER
backdoor. Subsequently, while tracking the C&C infrastructure related to
GHOSTSPIDER, we found that the attacker had also tested GHOSTSPIDER on the
Campaign Alpha open directory C&C server 23.81.41[.]166.

Figure 16. The certificate (SHA256:
b63c82fc37f0e9c586d07b96d70ff802d4b707ffb2d59146cf7d7bb922c52e7e) used by
GHOSTSPIDER (Campaign Alpha)

CONCLUSION

Earth Estries is one of the most aggressive Chinese APT groups, primarily
targeting critical industries such as telecommunications and government sectors.
Their notable TTPs include exploiting known vulnerabilities and using widely
available shared tools, such as SNAPPYBEE. Earth Estries conducts stealthy
attacks that start from edge devices and extend to cloud environments, making
detection challenging. They employ various methods to establish operational
networks that effectively conceal their cyber espionage activities,
demonstrating a high level of sophistication in their approach to infiltrating
and monitoring sensitive targets.

It is crucial for organizations and their security teams to remain vigilant and
proactively strengthen their cybersecurity defenses against cyberespionage
campaigns. Through technologies like Trend Vision One™, security practitioners
can visualize all organizational components from a single platform, enabling
them to monitor and track tools, behaviors, and payloads as they navigate their
organization's networks, systems, and infrastructure, while simultaneously
detecting and blocking threats as early in the attack or infection process as
possible.

TREND MICRO VISION ONE THREAT INTELLIGENCE

To stay ahead of evolving threats, Trend Micro customers can access a range of
Intelligence Reports and Threat Insights within Trend Micro Vision One. Threat
Insights helps customers stay ahead of cyber threats before they happen and
better prepared for emerging threats. It offers comprehensive information on
threat actors, their malicious activities, and the techniques they use. By
leveraging this intelligence, customers can take proactive steps to protect
their environments, mitigate risks, and respond effectively to threats.

Trend Micro Vision One Intelligence Reports App [IOC Sweeping]

 * Game of Emperor: Unveiling Long Term Earth Estries Cyber Intrusions 

Trend Micro Vision One Threat Insights App

 * Threat Actors: Earth Estries
 * Emerging Threats: Game of Emperor: Unveiling Long Term Earth Estries Cyber
   Intrusions

HUNTING QUERIES

Trend Micro Vision One Search App

Vision One customers can use the Search App to match or hunt the malicious
indicators mentioned in this blog post with data in their environment.    

Hunting DEMODEX Malware

> objectFilePath:"PsvchostDLL_X64.dll" OR
> objectFilePath:"AesedMemoryBinX64.REG" OR
> objectFilePath:"msmp4dec.dll" OR objectFilePath:"wpccfg.dll" OR
> objectFilePath:"dumpfiskfss.sys" OR
> objectFilePath:"SstpCfs.dll" 

More hunting queries are available for Vision One customers with Threat Insights
Entitlement enabled. 

YARA RULES

Download the YARA rules here. 

INDICATORS OF COMPROMISE

Download the list of IOCs here. This IOC list was last updated on October 31,
2024, at which point we observed that some of the IOCs were still in use in the
ongoing campaigns. This is not a comprehensive list of IOCs, because most of the
related components of DEMODEX and GHOSTSPIDER have different file hashes on
different endpoints. We will release more IOCs and hunting queries on the Vision
One platform.

Tags
Latest News | APT & Targeted Attacks | Research


AUTHORS

 * Leon M Chang
   
   Sr. Threat Researcher

 * Theo Chen
   
   Threat Researcher

 * Lenart Bermejo
   
   Threats Analyst

 * Ted Lee
   
   Threat Researcher

Copyright ©2024 Trend Micro Incorporated. All rights reserved
