A Meticulous Espionage Group Circling Gov & Tech Orgs
A Meticulous Espionage Group Circling Gov & Tech Orgs
Category: Threat Actor Activity | Industries: Government, Technology |
Source: Trend Micro
A cyberespionage campaign orchestrated by a hacker group tracked as Earth Estries was unveiled, revealing their activities that date back to at least 2020. Notably, Earth Estries shares some tactics, techniques, and procedures (TTPs) with another advanced persistent threat (APT) group, FamousSparrow. Insights of this espionage campaign and threat actors are revealed in a report from Trend Micro researchers Ted Lee, Lenart Bermejo, Hara Hiroaki, Leon M Chang, and Gilbert Sison.
Earth Estries operates with significant resources, showcasing adeptness in cybercrime and cyberespionage activities. They employ multiple backdoors and hacking tools for enhanced intrusion methods. Trend Micro reports that the actors prefer to minimize their footprint as much as possible, evident from the use of "PowerShell downgrade attacks to avoid detection from Windows Antimalware Scan Interface's (AMSI) logging mechanism. In addition, the actors abuse public services such as Github, Gmail, AnonFiles, and File.io to exchange or transfer commands and stolen data." Earth Estries is also observed to consistently delete traces of their malware before initiating the next phase of their attack.
This ongoing campaign targets verticals in government and technology across the Philippines, Taiwan, Malaysia, South Africa, Germany, and the US. Tools deployed by Earth Estries include Zingdoor, a new HTTP backdoor, and TrillClient, an information stealer. DLL sideloading is discovered a heavily utilized technique by the actor. Trend Micro's analysis of their DLL sideloading attacks was found to be used "against older versions of legitimate files, some even a decade old, in a bid to convert them into LOLBins." This method of attack is another attempt at a stealthy intrusion. Additional capabilities observed in Trend Micro's report include operators compromising an admin account, and deploying Cobalt Strike, PlugX, and Meterpreter stagers.