Tuesday, November 26, 2024

Chinese APT Hackers Using Multiple Tools And Vulnerabilities To Attack Telecom Orgs


Earth Estries, a Chinese APT group, has been actively targeting critical sectors such as telecommunications and government entities since 2023. 

Its tradecraft includes exploiting vulnerabilities in public-facing systems, moving laterally through compromised networks, and deploying several backdoors, including GHOSTSPIDER, SNAPPYBEE, and MASOL RAT; its victims are concentrated in Southeast Asia. 

The group runs a sophisticated command and control (C&C) infrastructure and shares tooling with other Chinese advanced persistent threat (APT) groups. 


While some overlaps exist with FamousSparrow, GhostEmperor, and Salt Typhoon, no definitive link to any of them has been established. Earth Estries' persistent and sophisticated operations pose a serious threat to global cybersecurity. 

Campaign Alpha overview

Earth Estries, a highly sophisticated threat actor, has compromised over twenty organizations spanning a wide range of industries and geographical locations.


They exploit N-day vulnerabilities (publicly known flaws for which a patch already exists) in public-facing servers such as Ivanti Connect Secure VPN, Fortinet FortiClient EMS, Sophos Firewall, and Microsoft Exchange, which means unpatched edge devices are the primary point of entry. 

Post-compromise, they employ living-off-the-land binaries for lateral movement and deploy custom malware like SNAPPYBEE, DEMODEX, and GHOSTSPIDER to conduct persistent espionage operations. 

The group’s well-structured operations, with specialized teams for different attack phases and regions, indicate a high level of sophistication and resourcefulness.

The C&C with open directory vulnerability

An investigation into targeted attacks in October 2023 revealed a C&C server (23.81.41[.]166) whose web server exposed an open directory listing. The listing hosted malicious tools including frpc (linked to a ShadowPad SSL certificate), PowerShell scripts (similar to GhostEmperor's dropper), and SNAPPYBEE samples (identified by a specific shellcode signature). 
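An exposed directory listing is what let researchers enumerate the tooling above, and the same check is useful when pivoting from any suspected C&C address. The snippet below is an added example, not code from the original article or from Trend Micro: it recognises an Apache/nginx-style autoindex page and extracts the hosted entries from it. The HTML page it parses is constructed here for the example; the filenames in it are placeholders and are not the real files found on the server.

```python
import re
from html.parser import HTMLParser

# Constructed sample of an Apache-style autoindex page; NOT captured from any real server.
SAMPLE_LISTING = """<html><head><title>Index of /tools</title></head><body>
<h1>Index of /tools</h1><pre>
<a href="?C=N;O=D">Name</a>
<a href="../">../</a>
<a href="frpc">frpc</a>          2023-10-02 11:14  3.1M
<a href="run.ps1">run.ps1</a>    2023-10-02 11:15  12K
<a href="sb.bin">sb.bin</a>      2023-10-02 11:20  88K
</pre></body></html>"""

# Constructed ordinary page that should NOT be flagged.
SAMPLE_NORMAL = ("<html><head><title>Welcome</title></head>"
                 "<body><a href='/login'>Login</a></body></html>")


class _LinkCollector(HTMLParser):
    """Collects the <title> text and every href on the page."""

    def __init__(self):
        super().__init__()
        self.title = ""
        self._in_title = False
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "title":
            self._in_title = True
        elif tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data


def is_open_directory(html: str) -> bool:
    """Heuristic: Apache and nginx autoindex pages title themselves 'Index of /...'."""
    parser = _LinkCollector()
    parser.feed(html)
    return bool(re.match(r"\s*Index of /", parser.title, re.I))


def listed_files(html: str) -> list:
    """Return the file entries of a listing, skipping the parent link,
    sub-directory links and the column-sort query links Apache adds."""
    parser = _LinkCollector()
    parser.feed(html)
    return [h for h in parser.hrefs
            if h not in ("../", "/") and not h.startswith("?") and not h.endswith("/")]


if __name__ == "__main__":
    print(is_open_directory(SAMPLE_LISTING), listed_files(SAMPLE_LISTING))
```

In practice the HTML comes from a GET against the suspect host; do that from an isolated analysis network and do not execute anything you pull down. The title heuristic misses custom listings, so treat a negative result as "not confirmed" rather than "not open".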

The attackers used these tools together with the DEMODEX rootkit. Its installation chain involved a first-stage PowerShell script that requires a decryption key to be supplied, and a second-stage service loader that uses the victim's computer name as its key, so the second stage only decrypts on the host it was built for.
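Keying a stage to the computer name is an anti-analysis measure: a sample pulled from a victim and detonated in a sandbox with a different hostname simply fails to decrypt. The code below is an added illustration of that technique, not the group's actual loader or its real key derivation; the key derivation (SHA-256 over the upper-cased UTF-16 computer name), the keystream construction and the HMAC tag are all assumptions chosen for the example. What it shows is the behaviour an analyst has to plan for: the right hostname decrypts, any other hostname yields nothing.

```python
import hashlib
import hmac
import os
from typing import Optional

# ASSUMPTION for this example: the key is SHA-256 of the upper-cased computer name
# encoded as Windows would store it. The real loader's derivation is not published here.
def derive_key(computer_name: str) -> bytes:
    return hashlib.sha256(computer_name.upper().encode("utf-16-le")).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Hash-counter keystream, used only to keep the example self-contained."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "little")).digest()
        counter += 1
    return bytes(out[:length])


def seal_payload(payload: bytes, computer_name: str, nonce: Optional[bytes] = None) -> bytes:
    """Builder side: encrypt the second stage for one specific host."""
    key = derive_key(computer_name)
    nonce = nonce or os.urandom(16)
    ciphertext = bytes(p ^ k for p, k in zip(payload, _keystream(key, nonce, len(payload))))
    tag = hmac.new(key, nonce + ciphertext, "sha256").digest()
    return nonce + tag + ciphertext


def open_payload(blob: bytes, computer_name: str) -> Optional[bytes]:
    """Loader side: returns the plaintext stage, or None when the host does not match.
    A real loader would just exit quietly here, which is what defeats a sandbox."""
    key = derive_key(computer_name)
    nonce, tag, ciphertext = blob[:16], blob[16:48], blob[48:]
    expected = hmac.new(key, nonce + ciphertext, "sha256").digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(key, nonce, len(ciphertext))))


if __name__ == "__main__":
    blob = seal_payload(b"stage2-bytes", "VICTIM-PC")          # constructed payload
    print(open_payload(blob, "victim-pc"))                     # matches (case-insensitive)
    print(open_payload(blob, "SANDBOX-01"))                    # None: wrong host
```

The practical consequence for incident responders is to record the victim's exact computer name alongside any collected loader, and to either rename the analysis VM to match or patch the derivation routine before attempting dynamic analysis.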

Both components employed control flow flattening for obfuscation, which replaces a function's natural branches and loops with a single dispatcher loop driven by a state variable, so that static analysis shows one large switch instead of the real control flow. 
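To make the obfuscation concrete, the following added example (written for this article, not taken from the malware or from Trend Micro) shows a small checksum routine in its readable form and the same routine after manual control flow flattening. The flattened version also accepts an optional trace list, which is the usual way an analyst recovers the original control-flow graph: run the dispatcher on real input and record the sequence of states it visits.

```python
def checksum_plain(data: bytes) -> int:
    """Readable version: one loop with a data-dependent branch."""
    acc = 0x1F
    for b in data:
        if b & 1:
            acc = (acc * 31 + b) & 0xFFFF
        else:
            acc = (acc ^ b) & 0xFFFF
    return acc


def checksum_flattened(data: bytes, trace=None) -> int:
    """Same function after control flow flattening.

    Every basic block of checksum_plain has become one case of a dispatcher
    loop, and the edges between blocks are now assignments to `state`.
    Real obfuscators additionally scramble the state numbers and hide the
    transitions behind opaque predicates; this example keeps them readable.
    If `trace` is a list, the visited states are appended to it, which is how
    dynamic analysis rebuilds the original graph from a flattened binary.
    """
    state = 0
    acc = i = b = 0
    while True:
        if trace is not None:
            trace.append(state)
        if state == 0:            # entry block
            acc, i = 0x1F, 0
            state = 1
        elif state == 1:          # loop condition
            state = 2 if i < len(data) else 5
        elif state == 2:          # load byte, pick branch
            b = data[i]
            state = 3 if b & 1 else 4
        elif state == 3:          # odd-byte branch
            acc = (acc * 31 + b) & 0xFFFF
            i += 1
            state = 1
        elif state == 4:          # even-byte branch
            acc = (acc ^ b) & 0xFFFF
            i += 1
            state = 1
        elif state == 5:          # exit block
            return acc


def recover_edges(data: bytes) -> set:
    """Turn a recorded state trace into the set of observed (from, to) edges."""
    trace = []
    checksum_flattened(data, trace)
    return set(zip(trace, trace[1:]))


if __name__ == "__main__":
    print(checksum_plain(b"abc"), checksum_flattened(b"abc"))
    print(sorted(recover_edges(b"ab")))
```

Note that a trace only reveals edges that the chosen input actually exercises; the odd-only edge 2->3 never appears for all-even input, so recovering the full graph needs inputs that cover every branch.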

Core-implant malware configuration (C&C: 103.91.64[.]214)

Researchers at Trend Micro analyzed the C&C infrastructure of the SNAPPYBEE backdoor and found overlaps with UNC4841, but not enough evidence to link the two definitively. 

The attackers used SoftEther VPN to mask their activity. In one intrusion at a US NGO, they exfiltrated victim data including financial documents and government-related information, relying on LOLBin tools for lateral movement. 

In a separate campaign, GHOSTSPIDER, a sophisticated multi-modular backdoor, was discovered, which uses a custom TLS-protected protocol and various modules for different functionalities. 

The communication format consists of a connection ID, action codes, and data separated by pipes. GHOSTSPIDER's modularity makes it flexible for the operators and difficult to analyze, since any one sample may carry only a subset of the modules. 
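The article gives only the shape of the protocol (connection ID, action code, data, pipe-separated). The following added example, which is not GHOSTSPIDER's code and assumes a field order and action table that are purely illustrative, shows the one edge case anyone writing a decoder for such a format has to get right: the data field can itself contain pipes, so a naive split on every pipe corrupts the frame, while splitting on at most two separators preserves it.

```python
from dataclasses import dataclass

# ASSUMPTION: these action codes and this field order (conn_id|action|data) are
# invented for the example; the real GHOSTSPIDER table is not given in the article.
HYPOTHETICAL_ACTIONS = {
    1: "register",
    2: "heartbeat",
    3: "load_module",
    4: "exec",
    5: "upload",
}


@dataclass
class Frame:
    conn_id: str
    action: int
    data: bytes


def encode_frame(frame: Frame) -> bytes:
    """Serialise a frame; only the first two fields may not contain a pipe."""
    if "|" in frame.conn_id:
        raise ValueError("connection id must not contain '|'")
    if frame.action not in HYPOTHETICAL_ACTIONS:
        raise ValueError(f"unknown action {frame.action}")
    return f"{frame.conn_id}|{frame.action}|".encode() + frame.data


def decode_frame(raw: bytes) -> Frame:
    """Parse a frame. maxsplit=2 keeps any pipes inside the data field intact."""
    parts = raw.split(b"|", 2)
    if len(parts) != 3:
        raise ValueError("malformed frame: expected conn_id|action|data")
    conn_id, action, data = parts
    try:
        code = int(action.decode("ascii"))
    except (UnicodeDecodeError, ValueError):
        raise ValueError("action code is not an integer") from None
    if code not in HYPOTHETICAL_ACTIONS:
        raise ValueError(f"unknown action {code}")
    return Frame(conn_id.decode("ascii"), code, data)


def naive_field_count(raw: bytes) -> int:
    """What a decoder that splits on every pipe would see (for comparison)."""
    return len(raw.split(b"|"))


if __name__ == "__main__":
    # Constructed frame: the data field deliberately contains a pipe.
    frame = Frame("a1b2c3", 4, b"cmd.exe /c dir | findstr secret")
    raw = encode_frame(frame)
    print(decode_frame(raw))
    print("naive split sees", naive_field_count(raw), "fields instead of 3")
```

Because the real traffic is wrapped in a custom TLS-protected channel, a decoder like this is only useful on payloads recovered from memory or after the TLS layer has been stripped in a controlled environment.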

Campaign Beta overview

The Earth Estries APT group has changed how it installs the DEMODEX rootkit. Instead of a first-stage PowerShell script, it now delivers a CAB file containing an encrypted configuration and a shellcode payload, and the supporting files are deleted after installation, which leaves less material for analysts to recover. 

The group uses MASOL RAT against Linux servers in Southeast Asia, alongside other backdoors including DEMODEX, GHOSTSPIDER, SparrowDoor, and CrowDoor; attribution of some of these backdoors is uncertain because their C&C infrastructure is shared with other groups. 

SNAPPYBEE and Cobalt Strike are also used in the group's attacks, and the variety of TTPs observed suggests that the operations may be carried out by different teams or groups.
