Since 2023, Earth Estries has evolved into one of the most aggressive Chinese advanced persistent threat (APT) groups, primarily targeting critical industries such as telecommunications companies and government agencies in the US, Asia-Pacific, the Middle East and South Africa.
Our recent investigation into the group's attacks led to the discovery of a new backdoor, GHOSTSPIDER, used against Southeast Asian telecommunications companies. The group was also found to be using the modular backdoor SNAPPYBEE (also known as Deed RAT), a tool shared among several Chinese APT groups.
Earth Estries also uses a cross-platform backdoor that we first identified in 2020 while investigating incidents at Southeast Asian governments and named MASOL RAT after its PDB string. Because little information was available at the time, MASOL RAT was not attributed to any known threat group. We have now observed Earth Estries deploying MASOL RAT on Linux devices in Southeast Asian government networks.
Recently, we noted that Microsoft has been tracking the APT groups FamousSparrow and GhostEmperor under the name Salt Typhoon. However, we do not have sufficient evidence to link Earth Estries to the recently reported Salt Typhoon cyberattack, as we have not seen a more detailed report on Salt Typhoon. At this time, we can only confirm that some of Earth Estries' tactics, techniques and procedures (TTPs) overlap with those of FamousSparrow and GhostEmperor.
Motivation
Since 2020, Earth Estries has carried out persistent attacks on governments and internet service providers. In mid-2022 the attackers also began targeting the service providers of governments and telecommunications companies, and in 2023 this extended to consulting firms and NGOs working with the US federal government and the military. Compromising these intermediaries lets the attackers gather information more efficiently and reach their primary targets more quickly.
The attackers target not only a telecommunications company's critical services (such as database and cloud servers) but also its supplier network. For example, we found the DEMODEX rootkit installed on computers belonging to a supplier that is a main contractor for the region's principal telecommunications provider; we believe the goal was to use that relationship to gain access to further targets.
The group successfully compromised more than 20 organizations across sectors including telecommunications, technology, consulting, chemicals, transportation, government agencies and non-governmental organizations (NGOs), in numerous countries.
Initial access
Earth Estries aggressively targets victims' publicly accessible servers, exploiting N-day vulnerabilities (publicly known flaws for which a patch already exists) to gain a foothold. After taking control of the vulnerable server, the attackers use living-off-the-land binaries (LOLBINs) and legitimate administrative tools such as WMIC.exe and PSEXEC.exe for lateral movement, and custom malware such as SNAPPYBEE, DEMODEX and GHOSTSPIDER for long-term espionage against their targets.
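To show what the WMIC/PsExec lateral-movement step looks like in host telemetry, the following is an added detection example written for this page; it is not Trend Micro's code or tooling. It runs three rules over constructed process-creation events laid out in a simplified Sysmon Event ID 1 style: WMIC invoked with /node: together with process call create (remote execution from the source host), PsExec invoked against a \\host, and the PSEXESVC service binary starting under services.exe (the target-side footprint of PsExec). The hostnames, users, paths and the Key=Value|Key=Value field layout are assumptions made for the example.

```python
"""Flag WMIC / PsExec lateral-movement patterns in process-creation logs."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample events in a simplified Sysmon Event ID 1 layout
# (Image, CommandLine, ParentImage, User separated by '|'). Hosts, users
# and paths are invented for this example, not taken from any incident.
SAMPLE_LOG = r"""
Image=C:\Windows\System32\wbem\WMIC.exe|CommandLine=wmic /node:10.0.0.25 /user:corp\svc_backup process call create "cmd.exe /c whoami > C:\temp\o.txt"|ParentImage=C:\Windows\System32\cmd.exe|User=CORP\svc_backup
Image=C:\Tools\PsExec.exe|CommandLine=psexec.exe \\FS01 -s -d cmd.exe /c net user|ParentImage=C:\Windows\System32\cmd.exe|User=CORP\svc_backup
Image=C:\Windows\PSEXESVC.exe|CommandLine=C:\Windows\PSEXESVC.exe|ParentImage=C:\Windows\System32\services.exe|User=NT AUTHORITY\SYSTEM
Image=C:\Windows\System32\wbem\WMIC.exe|CommandLine=wmic os get caption|ParentImage=C:\Windows\System32\cmd.exe|User=CORP\helpdesk
Image=C:\Windows\System32\notepad.exe|CommandLine=notepad.exe notes.txt|ParentImage=C:\Windows\explorer.exe|User=CORP\alice
"""


@dataclass
class ProcessEvent:
    image: str
    command_line: str
    parent_image: str
    user: str


@dataclass
class Finding:
    rule: str
    user: str
    evidence: str


def parse_events(text: str) -> list[ProcessEvent]:
    """Parse 'Key=Value|Key=Value' lines; blank lines are skipped.
    Simplification: a literal '|' inside a command line would break this split."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(part.split("=", 1) for part in line.split("|"))
        events.append(ProcessEvent(
            image=fields.get("Image", ""),
            command_line=fields.get("CommandLine", ""),
            parent_image=fields.get("ParentImage", ""),
            user=fields.get("User", ""),
        ))
    return events


# wmic ... /node:<host> ... process call create  => remote process execution
WMIC_REMOTE = re.compile(r"/node:\S+", re.IGNORECASE)
WMIC_EXEC = re.compile(r"\bprocess\s+call\s+create\b", re.IGNORECASE)
# psexec \\<host> ...  => PsExec launched against a remote host
PSEXEC_TARGET = re.compile(r"\\\\[\w.-]+")


def image_name(path: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events: list[ProcessEvent]) -> list[Finding]:
    findings = []
    for ev in events:
        name = image_name(ev.image)
        if name == "wmic.exe":
            # Local 'wmic os get caption' has no /node: and is not flagged.
            node = WMIC_REMOTE.search(ev.command_line)
            if node and WMIC_EXEC.search(ev.command_line):
                findings.append(Finding("wmic_remote_process_create", ev.user, node.group(0)))
        elif name in {"psexec.exe", "psexec64.exe"}:
            target = PSEXEC_TARGET.search(ev.command_line)
            if target:
                findings.append(Finding("psexec_remote_exec", ev.user, target.group(0)))
        elif name == "psexesvc.exe" and image_name(ev.parent_image) == "services.exe":
            # Target side: PsExec copies PSEXESVC.exe over and starts it as a service.
            findings.append(Finding("psexec_service_on_target", ev.user, ev.image))
    return findings


def run_detection(log_text: str = SAMPLE_LOG) -> list[Finding]:
    return detect(parse_events(log_text))


if __name__ == "__main__":
    for f in run_detection():
        print(f"{f.rule:<28} user={f.user:<22} evidence={f.evidence}")
```

On a real estate, feed the rules with Sysmon Event ID 1 or Windows Security 4688 events (command-line auditing must be enabled for 4688), and corroborate the PSEXESVC start with a System log 7045 service-installation event on the same host. WMIC without /node: is ordinary local administration and is deliberately left unflagged to keep the rule low-noise.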
Overview of the campaigns
Our analysis suggests that Earth Estries is a well-organized group with a clear division of labor. Based on observations from several campaigns, we suspect that attacks targeting different regions and industries are launched by different actors. In addition, the C&C infrastructure used by different backdoors appears to be managed by different infrastructure teams, further emphasizing the complexity of the group’s operations.
(pd/Trend Micro)