New research from Trend Micro reveals that the Chinese APT group Earth Estries has focused on critical sectors, including telecommunications and government entities, across the US, Asia-Pacific, Middle East, and South Africa since 2023. The group utilizes sophisticated attack techniques and multiple backdoors, such as GHOSTSPIDER, SNAPPYBEE, and MASOL RAT, impacting several Southeast Asian telecommunications companies and government organizations.
“Since 2023, Earth Estries (aka Salt Typhoon, FamousSparrow, GhostEmperor, and UNC2286) has emerged as one of the most aggressive Chinese advanced persistent threat (APT) groups, primarily targeting critical industries such as telecommunications and government entities in the US, the Asia-Pacific region, the Middle East, and South Africa,” Trend Micro researchers wrote in a Monday blog post.
The data revealed that Earth Estries had compromised over 20 organizations across various sectors, including the telecommunications, technology, consulting, chemical, and transportation industries, government agencies, and non-profit organizations (NGOs). Victims also came from numerous countries, including Afghanistan, Brazil, Eswatini, India, Indonesia, Malaysia, Pakistan, the Philippines, South Africa, Taiwan, Thailand, the U.S., and Vietnam.
Trend Micro detailed that GHOSTSPIDER is a sophisticated multi-modular backdoor designed with several layers to load different modules based on specific purposes. This backdoor communicates with its C&C server using a custom protocol protected by Transport Layer Security (TLS), ensuring secure communication.
The Earth Estries hackers exploit vulnerabilities in public-facing servers for initial access and leverage living-off-the-land binaries for lateral movement, enabling malware deployment and long-term espionage. They also use a complex C&C infrastructure managed by different teams, and their operations often overlap with TTPs of other known Chinese APT groups, indicating possible use of shared tools from malware-as-a-service providers.
The researchers have observed that Earth Esties has been conducting prolonged attacks targeting governments and internet service providers since 2020. “In mid-2022, we noticed that the attackers also started targeting service providers for governments and telecommunications companies. For example, we found that in 2023, the attackers had also targeted consulting firms and NGOs that work with the U.S. federal government and military. The attackers use this approach to gather intelligence more efficiently and to attack their primary targets more quickly.”
Notably, they “observed that attackers targeted not only critical services (like database servers and cloud servers) used by the telecommunications company but also their vendor network. We found that they implanted the DEMODEX rootkit on vendor machines. This vendor is a primary contractor for the region’s main telecommunications provider, and we believe that attackers use this approach to facilitate access to more targets.”
Trend Micro researchers observed that Earth Estries is aggressively targeting the public-facing servers of victims. “After gaining control of the vulnerable server, we observed that the attackers leveraged living-off-the-land binaries (LOLBINs) like WMIC.exe and PSEXEC.exe for lateral movement, and deployed customized malware such as SNAPPYBEE, DEMODEX, and GHOSTSPIDER to conduct long-term espionage activities against their targets.”
The researchers observed that the attackers used another variant of DEMODEX. “In this new installation flow, the attackers no longer use a first-stage PowerShell script to deploy the additional needed payload. Instead, the required registry data (the encrypted configuration and the shellcode payload) for installation are bundled in a CAB file. The CAB bundle will be deleted after installation is finished. This approach ensures that, even after we collected the first-stage PowerShell script, the analysis cannot proceed due to the lack of additional information,” they added.
Also, based on their analysis, the researchers suggest that Earth Estries is a well-organized group with a clear division of labor. “Based on observations from multiple campaigns, we speculate that attacks targeting different regions and industries are launched by different actors. Additionally, the C&C infrastructure used by various backdoors seems to be managed by different infrastructure teams, further highlighting the complexity of the group’s operations.”
While tracking the C&C infrastructure of the backdoor, Trend Micro found that one of the SNAPPYBEE C&C domains, api[dot]solveblemten[dot]com, has WHOIS registration information that overlaps with some indicators of compromise (IOCs) mentioned in Mandiant’s UNC4841 report. “Based on our research, we believe that these related C&C domains were likely registered by the same provider and shared them in different operations. However, we don’t have sufficient evidence to consider UNC4841 as one of the subgroups related to Earth Estries.”
Another SNAPPYBEE C&C domain (esh[dot]hoovernamosong[dot]com) resolved to a C&C IP address (158.247.222[dot]165), which could be linked to a SoftEther domain (vpn114240349.softether[dot]net). Therefore, we believe the threat actor also used SoftEther VPN to establish their operational networks, making it more difficult to track their activities.
Notably, Trend Micro discovered and downloaded victim data from the SNAPPYBEE C&C (158.247.222[dot]165) with an open directory on the 8000 port this February. “Based on our analysis, we believe the victim data was exfiltrated from a US NGO. Most of the victim data is composed of financial, human resources, and business-related documents. It’s worth noting that the attacker also collected data related to multiple military units and federal government entities,” they added.
Pointing to recent Microsoft research that has tracked the APT groups FamousSparrow and GhostEmperor under the name Salt Typhoon, Trend Micro noted that “However, we don’t have sufficient evidence that Earth Estries is related to the recent news of a recent Salt Typhoon cyberattack, as we have not seen a more detailed report on Salt Typhoon. Currently, we can only confirm that some of Earth Estries’ tactics, techniques, and procedures (TTPs) overlap with that of FamousSparrow and GhostEmperor.”
As part of its post-exploitation findings, the researchers disclosed that the attackers primarily used LOLbin tools to gather endpoint information and perform lateral movement to gain access to more compromised machines.
They noted that currently, “we do not have sufficient evidence to attribute the DEMODEX rootkit and GHOSTSPIDER as a proprietary backdoor used by Earth Estries. Therefore, we will only list the C&C infrastructure used by two campaigns discussed above in the IOC section. However, we discovered some interesting GHOSTSPIDER C&C infrastructure.”
In conclusion, Trend Micro said that Earth Estries is one of the most aggressive Chinese APT groups, primarily targeting critical industries such as telecommunications and government sectors. “Their notable TTPs include exploiting known vulnerabilities and using widely available shared tools, such as SNAPPYBEE. Earth Estries conducts stealthy attacks that start from edge devices and extend to cloud environments, making detection challenging. They employ various methods to establish operational networks that effectively conceal their cyber espionage activities, demonstrating a high level of sophistication in their approach to infiltrating and monitoring sensitive targets.”
They pointed out that organizations and their security teams must remain vigilant and proactively strengthen their cybersecurity defenses against cyberespionage campaigns.