A relatively unknown hacking group called Earth Estries has been identified as the source of a new and ongoing cyberespionage campaign. Trend Micro researchers have observed the group using a mix of tools, including backdoors, information stealers, browser data stealers, and port scanners, to deepen its access once inside a target network.
In addition, the researchers found that some of Earth Estries’ techniques overlap with those of the FamousSparrow group.
Here are some key details about the campaign:
– Earth Estries uses DLL sideloading and compromised accounts with administrative privileges to infect internal servers.
– It deploys a Cobalt Strike beacon to deliver additional malware and to move laterally.
– The infection chain relies on SMB and WMIC to spread backdoors and hacking tools across the victim’s environment.
– At the end of each round of operations, the attackers archive the PDF and DDF files they have collected and upload the archives to online file-sharing services such as AnonFiles or File[.]io.
As part of their attack chain, the threat actors remove their current backdoor at the end of each round of operations and deploy a new piece of malware when the next round begins, which limits how long any single implant is exposed to detection.
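The lateral-movement and collection steps above (WMIC remote execution, staging over SMB admin shares, archiving documents, uploading to file-sharing services) each leave a recognisable trace in process-creation and proxy logs. The following is an added example of rule-based triage over such records; it is not Trend Micro's tooling or detection content. The sample events are constructed for illustration, the regexes are generic behavioural patterns rather than Earth Estries indicators of compromise, and the exact hostnames for the two file-sharing services (anonfiles.com, file.io) are assumed from the service names in the report.

```python
"""Rule-based triage of process-creation and proxy records for the
lateral-movement and exfiltration behaviour described above.

Added example, not Trend Micro's tooling or detection content. The sample
records below are constructed for illustration; the regexes are generic
behavioural patterns, not Earth Estries indicators of compromise.
"""
import re
from dataclasses import dataclass


@dataclass
class Event:
    host: str
    cmdline: str = ""      # Windows 4688 / Sysmon event 1 style command line
    dest_host: str = ""    # proxy or DNS log destination, if the record has one


# wmic ... /node:<host> ... process call create ...  (remote execution via WMI)
_WMIC_REMOTE = re.compile(
    r"\bwmic(\.exe)?\b.*?/node:\s*\S+.*?\bprocess\s+call\s+create\b", re.I)
# \\<host>\ADMIN$ , \\<host>\C$ , \\<host>\IPC$  (tool staging over SMB admin shares)
_ADMIN_SHARE = re.compile(r"\\\\[^\\\s]+\\(admin|c|ipc)\$", re.I)
# rar/7z "a" (add) with .pdf or .ddf inputs  (archiving collected documents)
_ARCHIVE_DOCS = re.compile(
    r"\b(rar|7z|7za|winrar)(\.exe)?\"?\s+a\b.*\.(pdf|ddf)\b", re.I)
# Domains for the two services named in the report; assumed, not from the report.
_FILE_DROPS = {"anonfiles.com", "file.io"}


def _uploads_to_file_drop(ev: Event) -> bool:
    h = ev.dest_host.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in _FILE_DROPS)


# (rule name, ATT&CK technique, predicate)
RULES = [
    ("wmic_remote_exec", "T1047", lambda ev: bool(_WMIC_REMOTE.search(ev.cmdline))),
    ("admin_share_staging", "T1021.002", lambda ev: bool(_ADMIN_SHARE.search(ev.cmdline))),
    ("archive_documents", "T1560.001", lambda ev: bool(_ARCHIVE_DOCS.search(ev.cmdline))),
    ("upload_to_file_drop", "T1567.002", _uploads_to_file_drop),
]


def triage(events):
    """Return {host: [(rule, technique), ...]} for every event that fires a rule."""
    hits = {}
    for ev in events:
        for name, tid, pred in RULES:
            if pred(ev):
                hits.setdefault(ev.host, []).append((name, tid))
    return hits


def suspicious_hosts(events, min_rules=2):
    """Hosts on which at least `min_rules` distinct rules fired. A single hit
    (e.g. an admin running WMIC) is noise; several on one host in sequence look
    like the staging -> lateral movement -> collection -> upload chain."""
    hits = triage(events)
    return sorted(h for h, rs in hits.items() if len({r for r, _ in rs}) >= min_rules)


# Constructed sample records, not real telemetry.
SAMPLE_EVENTS = [
    Event("ws01", cmdline="copy C:\\Users\\Public\\svc.dll \\\\srv02\\ADMIN$\\svc.dll"),
    Event("ws01", cmdline='wmic /node:srv02 /user:corp\\adm process call create "C:\\Windows\\svchost_legit.exe"'),
    Event("srv02", cmdline='"C:\\Program Files\\WinRAR\\rar.exe" a C:\\Temp\\out.rar C:\\Share\\finance\\*.pdf'),
    Event("srv02", dest_host="api.anonfiles.com"),
    Event("ws07", cmdline="wmic computersystem get name"),   # benign local WMIC use
    Event("ws07", dest_host="www.example.com"),
]

if __name__ == "__main__":
    for host, rs in triage(SAMPLE_EVENTS).items():
        print(host, rs)
    print("suspicious:", suspicious_hosts(SAMPLE_EVENTS))
```

Requiring two or more distinct rules per host before escalating is the point of the example: each individual pattern also appears in legitimate administration, but the combination of admin-share staging followed by WMIC remote process creation on one host, or document archiving followed by a connection to a public file-drop service, matches the round-by-round chain the report describes and is worth an analyst's time.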
The campaign is predominantly targeting government and IT organizations in the Philippines, Taiwan, Malaysia, South Africa, Germany, and the U.S. However, some network traffic to C2 servers in Canada and the presence of toolset detections in India and Singapore suggest that these regions may also be potential targets.
The researchers identified several malware families in use by Earth Estries, including Zingdoor, TrillClient, and HemiGate. Zingdoor is a new HTTP backdoor written in Go, while TrillClient is an information stealer that extracts browser data and is heavily obfuscated to hinder analysis. HemiGate is another backdoor used by Earth Estries; it communicates over port 443 and can route its connection through a proxy when necessary.
To defend against this campaign, organizations should track the tactics and techniques Earth Estries employs, not just its current infrastructure, since the group swaps out backdoors between rounds. Mapping the published indicators of compromise (IOCs) and observed behaviours to the MITRE ATT&CK framework lets security teams build detections for the underlying techniques (DLL sideloading, WMI and SMB lateral movement, archiving and upload of collected data) and automate response actions when they fire.