URL: https://www.trendmicro.com/de_de/research/24/k/earth-estries.html

APT & Targeted Attacks


GAME OF EMPEROR: UNVEILING LONG TERM EARTH ESTRIES CYBER INTRUSIONS

Since 2023, APT group Earth Estries has aggressively targeted key industries
globally with sophisticated techniques and new backdoors, like GHOSTSPIDER and
MASOL RAT, for prolonged espionage operations.

By: Leon M Chang, Theo Chen, Lenart Bermejo, Ted Lee November 25, 2024 Read
time: 14 min (3744 words)

--------------------------------------------------------------------------------

SUMMARY

 * Earth Estries, a Chinese APT group, has primarily targeted critical sectors
   like telecommunications and government entities across the US, Asia-Pacific,
   Middle East, and South Africa since 2023.
 * The group employs advanced attack techniques and multiple backdoors, such as
   GHOSTSPIDER, SNAPPYBEE, and MASOL RAT, affecting several Southeast Asian
   telecommunications companies and government entities.
 * Earth Estries exploits public-facing server vulnerabilities to establish
   initial access and uses living-off-the-land binaries for lateral movement
   within networks to deploy malware and conduct long-term espionage.
 * The group has compromised over 20 organizations, targeting various sectors
   including telecommunications, technology, consulting, chemical, and
   transportation industries, as well as government agencies and NGOs in
   numerous countries.
 * Earth Estries uses a complex C&C infrastructure managed by different teams,
   and their operations often overlap with TTPs of other known Chinese APT
   groups, indicating possible use of shared tools from malware-as-a-service
   providers.

Since 2023, Earth Estries (aka Salt Typhoon, FamousSparrow, GhostEmperor and
UNC2286) has emerged as one of the most aggressive Chinese advanced persistent
threat (APT) groups, primarily targeting critical industries such as
telecommunications and government entities in the US, the Asia-Pacific region,
the Middle East, and South Africa. In this blog entry, we will highlight their
evolving attack techniques and analyze the motivation behind their operations,
providing insights into their long-term targeted attacks.

A key finding from our recent investigation is the discovery of a new backdoor,
GHOSTSPIDER, identified during attacks on Southeast Asian telecommunications
companies. We will explore the technical details of GHOSTSPIDER, its impact
across multiple countries, and interesting findings when we were tracking its
command-and-control (C&C) infrastructure. We have also uncovered the group’s use
of the modular backdoor SNAPPYBEE (aka Deed RAT), another tool shared among
Chinese APT groups. 

Furthermore, we discovered that Earth Estries uses another cross-platform
backdoor, which we initially identified during our investigation of Southeast
Asian government incidents in 2020. We named it MASOL RAT based on its PDB
string. We couldn’t link MASOL RAT to any known threat group at the time due to
limited information. However, this year we observed that Earth Estries has been
deploying MASOL RAT on Linux devices targeting Southeast Asian government
networks. More details about MASOL RAT will be provided in this blog entry.

Recently, we also noticed that Microsoft has tracked the APT groups
FamousSparrow and GhostEmperor under the name Salt Typhoon. However, we don’t
have sufficient evidence that Earth Estries is related to the recent news of a
Salt Typhoon cyberattack, as we have not seen a more detailed report on
Salt Typhoon. Currently, we can only confirm that some of Earth Estries’
tactics, techniques, and procedures (TTPs) overlap with those of FamousSparrow
and GhostEmperor.

MOTIVATION

We have observed that Earth Estries has been conducting prolonged attacks
targeting governments and internet service providers since 2020. In mid-2022, we
noticed that the attackers also started targeting service providers for
governments and telecommunications companies. For example, we found that in
2023, the attackers had also targeted consulting firms and NGOs that work with
the U.S. federal government and military. The attackers use this approach to
gather intelligence more efficiently and to attack their primary targets more
quickly. 

Notably, we observed that attackers targeted not only critical services (like
database servers and cloud servers) used by the telecommunications company, but
also their vendor network. We found that they implanted the DEMODEX rootkit on
vendor machines. This vendor is a primary contractor for the region’s main
telecommunications provider, and we believe that attackers use this approach to
facilitate access to more targets.

VICTIMOLOGY

We found that Earth Estries successfully compromised more than 20 organizations
in areas that include the telecommunications, technology, consulting, chemical,
and transportation industries, government agencies, and non-profit organizations
(NGOs). Victims also came from numerous countries, including:

 * Afghanistan
 * Brazil 
 * Eswatini
 * India
 * Indonesia
 * Malaysia
 * Pakistan
 * The Philippines
 * South Africa
 * Taiwan
 * Thailand
 * US
 * Vietnam

Figure 1. Victimology map of Earth Estries

INITIAL ACCESS

Earth Estries is aggressively targeting the public-facing servers of victims. We
have observed them exploiting server-based N-day vulnerabilities, including the
following:

| Vulnerability | Description |
|---|---|
| Ivanti Connect Secure VPN Exploitation (CVE-2023-46805 and CVE-2024-21887) | A chain of exploits to bypass authentication, craft malicious requests, and execute arbitrary commands with elevated privileges. |
| CVE-2023-48788 | Fortinet FortiClient EMS SQL Injection Vulnerability |
| CVE-2022-3236 | A code injection vulnerability in the User Portal and Webadmin of Sophos Firewall allows for remote code execution. |
| ProxyLogon (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065) | A set of four chained vulnerabilities that perform remote code execution (RCE) in Microsoft Exchange servers. |

Table 1. The list of vulnerabilities exploited by Earth Estries

After gaining control of the vulnerable server, we observed that the attackers
leveraged living-off-the-land binaries (LOLBINs) like WMIC.exe and PSEXEC.exe
for lateral movement, and deployed customized malware such as SNAPPYBEE,
DEMODEX, and GHOSTSPIDER to conduct long-term espionage activities against their
targets.

CAMPAIGN OVERVIEW

Our analysis suggests that Earth Estries is a well-organized group with a clear
division of labor. Based on observations from multiple campaigns, we speculate
that attacks targeting different regions and industries are launched by
different actors. Additionally, the C&C infrastructure used by various backdoors
seems to be managed by different infrastructure teams, further highlighting the
complexity of the group's operations.

CAMPAIGN ALPHA

Figure 2. Campaign Alpha overview

In the attacks we observed last October targeting the Taiwanese government and a
chemical company, we found that the attackers downloaded malicious tools from
their C&C server (23.81.41[.]166). While investigating the download site
(23.81.41[.]166), we found more interesting samples on the C&C server which had
an open directory on port 80.

Figure 3. The C&C with open directory vulnerability

The notable samples are listed in Table 2 below, based on our monitoring from
October 2023 to April 2024.

| File | Description |
|---|---|
| sql.toml | frpc config (C&C server: 165.154.227[.]192) |
| onedrived.zip | Contains the PowerShell script ondrived.ps1. |
| Nsc.exe | The first SNAPPYBEE sample set (SNAPPYBEE C&C domain: api.solveblemten[.]com) |
| 123.zip/WINMM.dll | |
| NortonLog.txt | |
| 0202/* | Another SNAPPYBEE sample set (imfsbSvc.exe, imfsbDll.dll, DgApi.dll, and dbindex.dat). (SNAPPYBEE C&C domain: esh.hoovernamosong[.]com) |
| Others | Open-source hacktools like frpc, NeoReGeorg tunnel, and fscan. |

Table 2. Notable samples

Here is a summary of notable findings:

 * The frpc C&C 165.154.227[.]192 could be linked to an SSL certificate (SHA256:
   2b5e7b17fc6e684ff026df3241af4a651fc2b55ca62f8f1f7e34ac8303db9a31) previously
   used by ShadowPad, which is another shared tool among several Chinese APT
   groups. In addition, the C&C IP address was also mentioned in a Fortinet
   report and indicators of compromise related to the Ivanti exploit.
 * We observed that the TTPs used by onedrived.ps1 are similar to those
   of GhostEmperor’s first-stage PowerShell dropper. The only difference is that
   the strings are encoded using the base64 algorithm in this new variant.
 * Based on our analysis, although the two sets of samples used different DLL
   hijacking combinations and decoding algorithms to decrypt the payload, we
   found that the backdoor characteristics matched those of the previous
   SNAPPYBEE. (We identified that the decrypted shellcode module header
   signature is 0xDEED4554 and the Main/Root module ID is still 0x20, as can be
   seen in Figure 4.)

Figure 4. The analysis screenshot of SNAPPYBEE

DEMODEX ROOTKIT INFECTION CHAIN

Figure 5. The infection chain of DEMODEX rootkit

There are two requirements to analyze the DEMODEX rootkit:

 1. The first-stage PowerShell script requires a decryption key as an argument.
 2. The second-stage service loader uses the computer name as the AES decryption
    key.

Based on our telemetry, we discovered that the attacker used PSEXEC.exe to
execute the following commands to install the DEMODEX rootkit:

> Powershell.exe -ex bypass c:\windows\assembly\onedrived.ps1
> password@123

Notably, we discovered that all components related to the DEMODEX rootkit use
control flow flattening techniques to increase the difficulty of analysis
(Figure 6). 

Figure 6. DEMODEX Anti-analysis techniques (control flow flattening)

Figure 7. Core-implant malware configuration (C&C: 103.91.64[.]214)

C&C INFRASTRUCTURE ACTIVITIES

While tracking the C&C infrastructure of the aforementioned backdoor, we found
the following notable findings:

 1. We found that one of the SNAPPYBEE C&C domains, api.solveblemten[.]com, has
    WHOIS registration information that overlaps with some indicators of
    compromise (IOCs) mentioned in Mandiant's UNC4841 report. Based on our
    research, we believe that these related C&C domains were likely registered
    by the same provider and shared across different operations. However, we
    don't have sufficient evidence to consider UNC4841 as one of the subgroups
    related to Earth Estries.
 2. Another SNAPPYBEE C&C domain (esh.hoovernamosong[.]com) resolved to a C&C IP
    address (158.247.222[.]165), which could be linked to a SoftEther domain
    (vpn114240349.softether[.]net). Therefore, we believe the threat actor also
    used SoftEther VPN to establish their operational networks, making it more
    difficult to track their activities.
 3. Notably, we discovered and downloaded victim data from the SNAPPYBEE C&C
    (158.247.222[.]165) with an open directory on port 8000 this February. Based
    on our analysis, we believe the victim data was exfiltrated from a US NGO.
    Most of the victim data is composed of financial, human resources, and
    business-related documents. It's worth noting that the attacker also
    collected data related to multiple military units and federal government
    entities.  

POST-EXPLOITATION FINDINGS

In this campaign, we observed that the attackers primarily used the following
LOLbin tools to gather endpoint information and perform lateral movement to gain
access to more compromised machines.

    Tools                 Description

frpc related
 * WMIC.exe /node:<REDACTED> /user:<REDACTED> /password:<REDACTED> process call
   create "cmd.exe /c expand c:/windows/debug/1.zip
   c:/windows/debug/notepadup.exe
 * cmd.exe /c ping 165.154.227.192 -n 1 > c:\Windows\debug\info.
 * cmd.exe /c c:/windows/debug/win32up.exe -c c:/windows/debug/sql.toml
 * cmd.exe /c wevtutil qe security /format:text
   /q:\"Event[System[(EventID=4624)]\" > c:\windows\debug\info.log

ps.exe (PSEXEC.exe)
 * C:\Windows\assembly\ps.exe /accepteula \\<REDACTED> -u <REDACTED> -p <REDACTED>
   -s cmd /c c:\Windows\assembly\1.bat
 * WMIC.exe /node:<REDACTED> /user:<REDACTED> /password:<REDACTED> process call
   create "cmd.exe /c c:\Windows\debug\1.bat""

Table 3. LOLbin tools used to gather endpoint information and perform lateral
movement
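
The command patterns in Table 3 and the DEMODEX install command can be turned into a small sweep over process-creation command lines. The following is an added example, not Trend Micro's code or a Vision One query; the rule names, the `scan` function, and the sample lines (hosts, accounts) are constructed for illustration, while the file names and paths come from the commands listed above.

```python
import re

# Staging directories that appear in the commands listed in this article.
_STAGE = r"c:[\\/]+windows[\\/]+(?:debug|assembly)[\\/]"

# (rule name, pattern). Names are hypothetical labels chosen for this example.
RULES = [
    ("wmic_remote_process_create",
     re.compile(r"\bwmic(?:\.exe)?\b.*?/node:\S+.*?\bprocess\s+call\s+create\b", re.I)),
    ("psexec_system_shell_from_staging",
     re.compile(r"/accepteula\b.*?\s-s\s+cmd\b.*?" + _STAGE, re.I)),
    ("powershell_bypass_script_in_staging",
     re.compile(r"\bpowershell(?:\.exe)?\b.*?-(?:ex\w*|ep)\s+bypass\b.*?"
                + _STAGE + r"\S+\.ps1", re.I)),
    ("security_logon_event_dump",
     re.compile(r"\bwevtutil(?:\.exe)?\s+qe\s+security\b.*?EventID\s*=\s*4624", re.I)),
    ("staged_binary_with_toml_config",
     re.compile(_STAGE + r"\S+\.exe\s+-c\s+" + _STAGE + r"\S+\.toml", re.I)),
    ("expand_archive_to_exe_in_staging",
     re.compile(r"\bexpand(?:\.exe)?\s+" + _STAGE + r"\S+\s+" + _STAGE + r"\S+\.exe", re.I)),
]

# Constructed command lines modelled on the article; the last two are benign.
SAMPLE = [
    r'WMIC.exe /node:HOST-B /user:EXAMPLE\svc /password:*** process call create "cmd.exe /c c:\Windows\debug\1.bat"',
    r'C:\Windows\assembly\ps.exe /accepteula \\HOST-B -u EXAMPLE\svc -p *** -s cmd /c c:\Windows\assembly\1.bat',
    r'Powershell.exe -ex bypass c:\windows\assembly\onedrived.ps1 <key>',
    r'cmd.exe /c wevtutil qe security /format:text /q:"Event[System[(EventID=4624)]]"',
    r'cmd.exe /c c:/windows/debug/win32up.exe -c c:/windows/debug/sql.toml',
    r'cmd.exe /c expand c:/windows/debug/1.zip c:/windows/debug/notepadup.exe',
    r'wevtutil qe System /c:5 /f:text',
    r'powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\inventory.ps1',
]


def scan(command_lines):
    """Return (command line, [matching rule names]) for every line that hits."""
    hits = []
    for line in command_lines:
        names = [name for name, pattern in RULES if pattern.search(line)]
        if names:
            hits.append((line, names))
    return hits


if __name__ == "__main__":
    for line, names in scan(SAMPLE):
        print(", ".join(names), "<-", line)
```

The WMIC rule is not scoped to the staging directories, so it will also fire on legitimate remote administration; treat it as a lead to correlate with the other rules rather than as a verdict.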

CAMPAIGN BETA

Figure 8. Campaign Beta overview

In this section, we will introduce Earth Estries’ long-term attacks on
telecommunications companies and government entities. According to our research,
most of the victims have been compromised for several years. We believe that in
the early stages, the attackers successfully obtained credentials and controlled
target machines through web vulnerabilities and the Microsoft Exchange
ProxyLogon exploit chain. We observed that for these long-term targets, the
attackers primarily used the DEMODEX rootkit to remain hidden within the
victims' networks. Notably, in a recent investigation into attacks on
telecommunications companies in Southeast Asia, we discovered a previously
undisclosed backdoor; we have named it GHOSTSPIDER.

GHOSTSPIDER’S TECHNIQUE ANALYSIS

GHOSTSPIDER is a sophisticated multi-modular backdoor designed with several
layers to load different modules based on specific purposes. This backdoor
communicates with its C&C server using a custom protocol protected by Transport
Layer Security (TLS), ensuring secure communication.

Figure 9. The GHOSTSPIDER infection flow

Initial infection and stager deployment

Based on our telemetry, we observed that the threat actor installs the
first-stage stager via regsvr32.exe, which is used to install a DLL (with export
names such as core.dll or spider.dll) as a service. The stager is designed to
check for a specific hostname hard-coded in the DLL, ensuring that it only runs
on the targeted machine. Once the stager is executed, it connects to the
stager's C&C server to register a new connection and subsequently receives a
module (DLL export name: login.dll) to load and execute in memory. This login
module collects basic information about the infected endpoint and sends it back
to the stager's C&C server. After this initial phase, the stager enters a
polling mode, waiting for the threat actor's next payload.

Beacon loader deployment

On the infected endpoint, the threat actor deploys a legitimate executable file
alongside a malicious DLL file for DLL search order hijacking. This malicious
DLL, another GHOSTSPIDER module known as the beacon loader (DLL export name:
loader.dll), is used to launch the beacon payload in memory. A scheduled task is
created to launch the executable. The beacon loader contains an encrypted .NET
DLL payload (DLL export name: client.dll), which is decrypted and executed in
memory.

Communication protocol

The communication requests that are used by the GHOSTSPIDER stager follow a
common format. A connection ID is placed in the HTTP header's cookie as
“phpsessid”. The connection ID is calculated using CRC32 or CRC64 with UUID4
values. Figure 10 shows an example of a stager's first request to the C&C
server. 

Figure 10. Example of a stager's first request to the C&C server

Here is an example of a decrypted response:

=|did=96A52F5C1F2C2C67|wid=13CF3E8E0E5580EB|act=2|tt=41003562|<f

The data is separated by “|” with the following items:

 * An unknown prefix
 * did: the connection ID calculated from the infected machine
 * wid: the remote ID for a specific connection
 * act: an action code
 * tt: tick count
 * An unknown suffix

Beacon communication and command codes

Like the stager, the GHOSTSPIDER beacon uses an almost identical format to
communicate with the beacon C&C server to receive command codes. 

Table 4 outlines the command codes supported by the GHOSTSPIDER beacon.

    Code  Action     Description
    1     upload     Load and invoke delegate from received buffer, with 3
                     methods from delegate: Open / Close / Write
    2     create     Call the Open method from the loaded delegate
    3     normal     Call the Write method from the loaded delegate
    4     close      Unload and remove the delegate
    5     update     Update interval value (idle time)
    6     Heartbeat  Heartbeat, no action.

Table 4. Command codes supported by the GHOSTSPIDER beacon
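
For analysts working with already-decrypted traffic, the field layout described under "Communication protocol" and the codes in Table 4 are enough to build a triage parser. The following is an added example, not code from Trend Micro or from the malware; the function names and the constructed messages are hypothetical, and it assumes that wid is hexadecimal as in the quoted sample and that Table 4 names apply only to beacon traffic.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Beacon command codes from Table 4 (names lower-cased).
BEACON_ACTIONS = {1: "upload", 2: "create", 3: "normal",
                  4: "close", 5: "update", 6: "heartbeat"}
_HEX = re.compile(r"[0-9A-Fa-f]+\Z")

# The decrypted stager response quoted in the article.
PAGE_SAMPLE = "=|did=96A52F5C1F2C2C67|wid=13CF3E8E0E5580EB|act=2|tt=41003562|<f"
# Constructed beacon-style messages for this demo (not real traffic).
CONSTRUCTED = [
    "=|did=0A1B2C3D|wid=11223344|act=6|tt=1000|<f",
    "=|did=0A1B2C3D|wid=11223344|act=1|tt=1500|<f",
    "=|did=0A1B2C3D|wid=11223344|act=9|tt=2000|<f",  # code not in Table 4
    "=|did=0A1B2C3D|act=6|<f",                       # truncated record
]


@dataclass(frozen=True)
class Message:
    prefix: str            # unknown prefix, kept verbatim
    did: str               # connection ID calculated on the infected machine
    wid: str               # remote ID for this connection
    act: int               # action code
    tt: str                # tick count, kept as text (its base is not stated)
    suffix: str            # unknown suffix, kept verbatim
    id_width: str          # "CRC32" or "CRC64", inferred from len(did)
    action: Optional[str]  # Table 4 name, filled only for beacon traffic


def parse_message(text, beacon=False):
    """Split one decrypted message; raise ValueError if it does not fit."""
    parts = text.rstrip("\r\n").split("|")
    if len(parts) < 3:
        raise ValueError("expected prefix|key=value|...|suffix")
    fields = {}
    for item in parts[1:-1]:
        key, sep, value = item.partition("=")
        if not sep or not key or key in fields:
            raise ValueError(f"malformed or repeated field: {item!r}")
        fields[key] = value
    missing = {"did", "wid", "act", "tt"} - fields.keys()
    if missing:
        raise ValueError(f"missing fields: {sorted(missing)}")
    did, wid = fields["did"], fields["wid"]
    if not (_HEX.match(did) and _HEX.match(wid)):
        raise ValueError("did/wid are not hexadecimal")
    width = {8: "CRC32", 16: "CRC64"}.get(len(did))
    if width is None:
        raise ValueError("did is neither 32 nor 64 bits wide")
    act = int(fields["act"])  # int() raises ValueError on non-numeric codes
    action = BEACON_ACTIONS.get(act, "unknown") if beacon else None
    return Message(parts[0], did, wid, act, fields["tt"], parts[-1], width, action)


def summarize(messages, beacon=True):
    """Count actions per did; records that do not parse are counted, not raised."""
    per_host, rejected = {}, 0
    for text in messages:
        try:
            msg = parse_message(text, beacon=beacon)
        except ValueError:
            rejected += 1
            continue
        per_host.setdefault(msg.did, Counter())[msg.action or str(msg.act)] += 1
    return per_host, rejected
```

An "unknown" count in the summary marks action codes outside Table 4, which is worth a closer look because it may indicate a different build or a mis-decrypted record.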

The GHOSTSPIDER beacon is segmented into distinct delegates, each tailored to
specific functions. These modules are retrieved from the C&C server and are
reflectively loaded into memory as dictated by specific command codes.

This modular design significantly enhances the backdoor's flexibility and
adaptability, as individual components can be deployed or updated independently
based on the attacker’s evolving needs. Additionally, it complicates detection
and analysis, as analysts are forced to piece together a fragmented view of the
malware’s full functionality. By isolating different capabilities across
separate modules, GHOSTSPIDER not only reduces its footprint, but also makes it
challenging to construct a comprehensive understanding of its operation and
overall objectives.

THE NEW DEMODEX INFECTION FLOW

This year, we observed that the attackers used another variant of DEMODEX. In
this new installation flow, the attackers no longer use a first-stage PowerShell
script to deploy the additional needed payload. Instead, the required registry
data (the encrypted configuration and the shellcode payload) for installation
are bundled in a CAB file. The CAB bundle will be deleted after installation is
finished. This approach ensures that, even after we collected the first-stage
PowerShell script, the analysis cannot proceed due to the lack of additional
information. We found a report published by another vendor that mentions
findings consistent with our observations.

Figure 11. New DEMODEX infection flow

Figure 12. The DEMODEX rootkit installation flow observed in Trend Vision One™

ADDITIONAL C&C INFRASTRUCTURE ANALYSIS

Deploying the MASOL backdoor (aka Backdr-NQ) on a Linux server 

While investigating the C&C infrastructure related to Campaign Alpha, we tracked
the associated C&C IP (103.159.133[.]251) to a Linux backdoor (name: dash_board,
SHA256: 44ea2e85ea6cffba66f5928768c1ee401f3a6d6cd2a04e0d681d695f93cc5a1f). Our
analysis confirmed that this sample is linked to the MASOL RAT, which we
identified in 2020 and observed being used to target Southeast Asian government
entities (Figure 13). Based on the backdoor's PDB string
(E:\Masol_https190228\x64\Release\Masol.pdb), we believe the backdoor may have
been developed as early as 2019. We observed the new Linux variant of MASOL in
the wild after 2021. However, we haven’t seen the Windows variant of MASOL after
2021. Currently, we have moderate to high confidence that Earth Estries has
used MASOL RAT to target Linux servers within Southeast Asian governments in
recent years.

Figure 13. The extracted MASOL RAT malware configuration

Based on the following reasons, we currently only have low confidence that Earth
Estries has previously deployed the MASOL RAT through CVE-2022-3236:

 * Since August of this year, we have observed a new campaign launched by Earth
   Estries targeting Southeast Asian governments. Our Deep Discovery Inspector
   (DDI) detected a compromised Linux server communicating with the MASOL RAT
   C&C. During the same period, we also observed other compromised hosts within
   the same organization communicating with the C&C infrastructure associated
   with the sub-domain of CrowDoor backdoor. We will continue monitoring this
   ongoing campaign and may provide more details after we have completed our
   investigation.
 * We didn’t find any C&C infrastructure that overlaps between our research
   and the Sophos report. Although we only observed limited MASOL RAT IOCs in
   the wild, we cannot rule out the possibility that MASOL RAT is a shared tool
   among limited Chinese APT threat groups.

Additional GHOSTSPIDER C&C infrastructure

Currently, we do not have sufficient evidence to consider the DEMODEX rootkit
and GHOSTSPIDER proprietary backdoors used by Earth Estries. Therefore, we
will only list the C&C infrastructure used by the two campaigns discussed above
in the IOC section. However, we discovered some interesting GHOSTSPIDER C&C
infrastructure.

In the certificate used by the GHOSTSPIDER C&C 141.255.164[.]98:2096 (C&C active
timeline: August 2, 2024 to August 22, 2024), we found that one of the
certificate’s alternative names, “palloaltonetworks[.]com”, was mentioned in a
vendor report related to an Inc Ransom attack (Figure 14). Although we haven’t
observed any GHOSTSPIDER-related incidents that link it to Inc Ransom, based on
these OSINT findings, it is possible that Earth Estries may use ransomware in
their operations for espionage or for financial gain.

Figure 14. Certificate used by GHOSTSPIDER

ATTRIBUTION

Figure 15. Attribution overview (demonstrates a possible joint operation across
different units)

In our first Earth Estries blog entry, we found some TTPs that overlapped
between Earth Estries and FamousSparrow. Since then, we have found the two
campaigns that are related to the DEMODEX rootkit mentioned in the GhostEmperor
report. Since we found that the attacker also used SNAPPYBEE, we suspect that
the tools used by Earth Estries might come from different malware-as-a-service
(MaaS) providers. We attribute the two campaigns to Earth Estries with high
confidence based on the following shared TTPs:

 1. Campaign Alpha and Campaign Beta’s C&C domain shared the same WHOIS
    registration information.
 2. Both campaigns utilized the DEMODEX rootkit and GHOSTSPIDER.
 3. We observed that DEMODEX, SparrowDoor, and CrowDoor used the same C&C
    infrastructure in the past. Additionally, the C&C 27.102.113[.]240 was
    mentioned in the FamousSparrow and GhostEmperor reports. Therefore, we
    believe that Earth Estries has used DEMODEX, GHOSTSPIDER, SparrowDoor and
    CrowDoor. However, we’re not sure if these customized backdoors are
    proprietary tools used by Earth Estries, so some of the C&C infrastructure
    cannot be attributed to this threat group.

Based on our telemetry, we observed that the Campaign Alpha actors deployed
another x86 SNAPPYBEE sample set at %SYSTEMROOT%\assembly\imfsbDll.dll (SHA256:
6d64643c044fe534dbb2c1158409138fcded757e550c6f79eada15e69a7865bc) and
%SYSTEMROOT%\assembly\DgApi.dll (SHA256:
25b9fdef3061c7dfea744830774ca0e289dba7c14be85f0d4695d382763b409b) in their
operations on October 10, 2024. We detected the same hashes in two other
government entities.

We also found that one of these government entities had been compromised by
Earth Estries since 2020. Notably, SNAPPYBEE was deployed in the ZINGDOOR attack
chains on October 13, 2024. This is why we believe Earth Estries used distinct
C&C infrastructure for different targets, and that the operations might have
been launched by different teams. Some of the TTPs differ significantly, even
though the same toolset was shared.

It's worth noting that we observed the following C&C infrastructure overlapping
across multiple victim environments. First, we found DEMODEX and Cobalt Strike
beacon samples on the same infected machine. The DEMODEX C&C domain
pulseathermakf[.]com is used by the operator of Campaign Beta. The Cobalt Strike
beacon C&C cloudlibraries[.]global[.]ssl[.]fastly[.]net (with the sample
downloaded from the C&C hxxp://103.159.133[.]205/lib3.cab) and the
post-exploitation activity are linked to TrillClient attack chains, which
involve the Hemigate, SparrowDoor, and CrowDoor toolsets.

Next, we found that the DEMODEX C&C domain pulseathermakf[.]com has been used to
target a Southeast Asian government agency for several years. However, on August
28, 2024, we detected a network connection to pulseathermakf[.]com from a
compromised server belonging to a Southeast Asian telecommunications company
(Campaign Beta). We speculate that the attacker may have made a mistake while
deploying the backdoor. Currently, we observe that the attacker primarily uses
the DEMODEX C&C domains www[.]infraredsen[.]com and imap[.]dateupdata[.]com to
target multiple Southeast Asian telecom companies.

During our investigation of Campaign Beta, we discovered the GHOSTSPIDER
backdoor. Subsequently, while tracking the C&C infrastructure related to
GHOSTSPIDER, we found that the attacker had also tested GHOSTSPIDER on the
Campaign Alpha open directory C&C server 23.81.41[.]166.

Figure 16. The certificate (SHA256:
b63c82fc37f0e9c586d07b96d70ff802d4b707ffb2d59146cf7d7bb922c52e7e) used by
GHOSTSPIDER (Campaign Alpha)

CONCLUSION

Earth Estries is one of the most aggressive Chinese APT groups, primarily
targeting critical industries such as telecommunications and government sectors.
Their notable TTPs include exploiting known vulnerabilities and using widely
available shared tools, such as SNAPPYBEE. Earth Estries conducts stealthy
attacks that start from edge devices and extend to cloud environments, making
detection challenging. They employ various methods to establish operational
networks that effectively conceal their cyber espionage activities,
demonstrating a high level of sophistication in their approach to infiltrating
and monitoring sensitive targets.

It is crucial for organizations and their security teams to remain vigilant and
proactively strengthen their cybersecurity defenses against cyberespionage
campaigns. Through technologies like Trend Vision One™, security practitioners
can visualize all organizational components from a single platform, enabling
them to monitor and track tools, behaviors, and payloads as they navigate their
organization's networks, systems, and infrastructure, while simultaneously
detecting and blocking threats as early in the attack or infection process as
possible.

TREND MICRO VISION ONE THREAT INTELLIGENCE

To stay ahead of evolving threats, Trend Micro customers can access a range of
Intelligence Reports and Threat Insights within Trend Micro Vision One. Threat
Insights helps customers stay ahead of cyber threats before they happen and
better prepared for emerging threats. It offers comprehensive information on
threat actors, their malicious activities, and the techniques they use. By
leveraging this intelligence, customers can take proactive steps to protect
their environments, mitigate risks, and respond effectively to threats.

Trend Micro Vision One Intelligence Reports App [IOC Sweeping]

 * Game of Emperor: Unveiling Long Term Earth Estries Cyber Intrusions 

Trend Micro Vision One Threat Insights App

 * Threat Actors: Earth Estries
 * Emerging Threats: Game of Emperor: Unveiling Long Term Earth Estries Cyber
   Intrusions

HUNTING QUERIES

Trend Micro Vision One Search App

Vision One customers can use the Search App to match or hunt the malicious
indicators mentioned in this blog post with data in their environment.    

Hunting DEMODEX Malware

> objectFilePath:"PsvchostDLL_X64.dll" OR
> objectFilePath:"AesedMemoryBinX64.REG" OR
> objectFilePath:"msmp4dec.dll" OR objectFilePath:"wpccfg.dll" OR
> objectFilePath:"dumpfiskfss.sys" OR
> objectFilePath:"SstpCfs.dll" 

More hunting queries are available for Vision One customers with Threat Insights
Entitlement enabled. 

YARA RULES

Download the YARA rules here. 

INDICATORS OF COMPROMISE

Download the list of IOCs here. This IOC list was last updated on October 31,
2024, at which time we observed that some of the IOCs were still being used in
the ongoing campaigns. This is not a comprehensive list of IOCs, because most of
the related components of DEMODEX and GHOSTSPIDER have different file hashes for
different endpoints. We will release more IOCs and hunting queries on the Vision
One platform.

Tags
Latest News | APT and Targeted Attacks | Research


AUTHORS

 * Leon M Chang
   
   Sr. Threat Researcher

 * Theo Chen
   
   Threat Researcher

 * Lenart Bermejo
   
   Threats Analyst

 * Ted Lee
   
   Threat Researcher

Copyright ©2024 Trend Micro Incorporated. All rights reserved
