2024-12-05

Continued Unraveling of Earth Estries and Its Impact on Critical Infrastructure

Level: Tactical  |  Source: Trend Micro
Sectors: Chemical, Consulting, Critical Infrastructure, Government, Non-government organizations (NGOs), Technology, Telecommunications

Diligent tracking of Earth Estries, a Chinese advanced persistent threat (APT) group, by Trend Micro researchers further reveals the group's capabilities and its operational overlap with the Salt Typhoon threat group (also tracked as FamousSparrow, GhostEmperor, and UNC2286). Demonstrating its operational prowess, the group has been observed to have compromised over 20 organizations across sectors including telecommunications, technology, government, NGOs, chemical, consulting, and critical infrastructure, in regions such as Asia-Pacific, the US, the Middle East, and South Africa. Emphasizing this proficiency, Trend Micro researchers note that Earth Estries operates as a "well-organized group with a clear division of labor." Victims often experience multi-year compromises, with the attackers focusing on critical services such as database servers and vendor networks to achieve long-term espionage objectives. Attribution rests on shared tools and techniques commonly associated with Chinese APT actors, particularly SNAPPYBEE (aka Deed RAT). The group's acquisition of malware may be tied to various malware-as-a-service (MaaS) providers. It also leverages a newly identified modular backdoor, GHOSTSPIDER, to execute tailored operations.

Earth Estries exploits a range of vulnerabilities, including ProxyLogon (CVE-2021-26855), Fortinet FortiClient (CVE-2023-48788), Sophos Firewall (CVE-2022-3236), and Ivanti Connect Secure VPN flaws, to establish initial footholds. During post-exploitation, Trend Micro observed the attackers relying on living-off-the-land binaries (LOLBINs), with cmd.exe, expand.exe, WMIC.exe, and regsvr32.exe appearing at various stages of their operations. Earth Estries queries Windows Security event logs (ID 4624) to track successful logins, and the remote admin tool PsExec is frequently used to facilitate lateral movement. In an observed infection chain involving the DEMODEX rootkit, WMIC or PsExec is used to execute a batch script that runs "expand.exe" to extract a cabinet file (.cab). This extraction drops several files, including DLL files (likely payload loaders), Windows Registry files (.reg) that modify system configuration, and encrypted PowerShell script files. Persistence is established through scheduled tasks and the installation of a new service.
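As an added detection example (not from the Trend Micro report or this summary), the following Python flags the DEMODEX delivery chain described above over constructed process-creation records: expand.exe extracting a .cab beneath a WMI- or PsExec-spawned cmd.exe, then regsvr32.exe registering a DLL from the extraction directory. The record layout, the host-side parent names (wmiprvse.exe, psexesvc.exe) and the sample events are assumptions.

```python
import re
from dataclasses import dataclass

@dataclass
class ProcEvent:
    """Simplified process-creation record (constructed; fields mirror Sysmon ID 1 / Security 4688)."""
    pid: int
    ppid: int
    image: str      # full path of the new process
    cmdline: str    # its command line

# Parents the report ties to the chain (WMIC / PsExec). wmiprvse.exe and psexesvc.exe are
# the host-side processes WMI and PsExec spawn commands from (assumption about telemetry).
REMOTE_EXEC = {"wmic.exe", "wmiprvse.exe", "psexec.exe", "psexesvc.exe"}

def _base(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def _ancestors(ev, by_pid):
    """Yield ancestor image names from the immediate parent upwards (cycle-safe)."""
    seen, cur = set(), by_pid.get(ev.ppid)
    while cur and cur.pid not in seen:
        seen.add(cur.pid)
        yield _base(cur.image)
        cur = by_pid.get(cur.ppid)

def find_demodex_chain(events):
    """Return (severity, pid, description) for each suspicious step, in event order."""
    by_pid = {e.pid: e for e in events}
    findings, drop_dirs = [], []
    for ev in events:
        img = _base(ev.image)
        if img == "expand.exe" and re.search(r"\.cab\b", ev.cmdline, re.I):
            # expand <src.cab> [-F:*] <destination>: last token is the drop directory (unquoted paths assumed)
            dest = ev.cmdline.split()[-1].rstrip("\\").lower()
            drop_dirs.append(dest)
            via = [a for a in _ancestors(ev, by_pid) if a in REMOTE_EXEC]
            sev = "high" if via else "medium"   # any .cab expansion is worth a look; remote-exec parent makes it high
            tail = f" under {via[0]}" if via else ""
            findings.append((sev, ev.pid, f"expand.exe extracted .cab to {dest}{tail}"))
        elif img == "regsvr32.exe":
            cl = ev.cmdline.lower()
            if ".dll" in cl and any(d in cl for d in drop_dirs):
                findings.append(("high", ev.pid, "regsvr32.exe registering DLL from .cab drop directory"))
    return findings

# Constructed sample telemetry: one DEMODEX-style chain (pids 100-400) and two benign look-alikes.
SAMPLE_EVENTS = [
    ProcEvent(100, 4,   r"C:\Windows\System32\wbem\WmiPrvSE.exe", "WmiPrvSE.exe"),
    ProcEvent(200, 100, r"C:\Windows\System32\cmd.exe", r"cmd.exe /c C:\Windows\Temp\run.bat"),
    ProcEvent(300, 200, r"C:\Windows\System32\expand.exe", r"expand.exe C:\Windows\Temp\upd.cab -F:* C:\ProgramData\Intel"),
    ProcEvent(400, 200, r"C:\Windows\System32\regsvr32.exe", r"regsvr32.exe /s C:\ProgramData\Intel\loader.dll"),
    ProcEvent(500, 1,   r"C:\Windows\System32\expand.exe", r"expand.exe C:\Windows\Temp\hotfix.cab -F:* C:\Windows\Temp\hf"),
    ProcEvent(600, 1,   r"C:\Windows\System32\regsvr32.exe", r"regsvr32.exe /s C:\Program Files\Vendor\plugin.dll"),
]

if __name__ == "__main__":
    for sev, pid, msg in find_demodex_chain(SAMPLE_EVENTS):
        print(f"[{sev}] pid={pid}: {msg}")
```

Correlating the regsvr32 step with the extraction directory, rather than alerting on regsvr32.exe alone, is what keeps this from firing on routine COM registration.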

Trend Micro’s analysis reveals Earth Estries’ use of GHOSTSPIDER, a modular backdoor that utilizes custom communication protocols, embedding unique identifiers in HTTP headers: "communication requests that are used by the GHOSTSPIDER stager follow a common format. A connection ID is placed in the HTTP header's cookie as 'phpsessid'." The backdoor’s modular design enables it to load specific components, such as data exfiltration or persistence modules, based on the attacker’s objectives. This modularity complicates detection efforts, as the payloads are dynamically updated. Additionally, Earth Estries employs MASOL RAT for cross-platform operations, targeting Linux servers in Southeast Asia, and SNAPPYBEE, a backdoor with reflective loading capabilities.

Earth Estries' campaigns demonstrate a high level of operational maturity, leveraging both advanced malware and legitimate tools to conduct long-term espionage. The group’s targeting of critical sectors reflects the geopolitical motivations behind its activities, with implications for organizations worldwide. By combining modular malware like GHOSTSPIDER with extensive C2 infrastructure, Earth Estries achieves both flexibility and stealth in its operations. The association between Earth Estries and the prominent Salt Typhoon APT group shows notable overlaps in activity. This connection is particularly concerning, given the attribution of Salt Typhoon to attacks on telecommunications companies and their description by Trend Micro as “one of the most aggressive Chinese state hacker groups.”
