Pages

5 September 2023

Earth Estries Group Targets Government and IT Organizations


A new and ongoing cyberespionage campaign has been attributed to a lesser-known Earth Estries hacking group. Based on observations by Trend Micro, the attackers are using backdoors, information stealers, browser data stealers, and port scanners, among others, to enhance intrusion vectors.

Furthermore, researchers found that some TTPs used by Earth Estries overlapped with the FamousSparrow group.

About the campaign
  • Earth Estries uses DLL sideloading attacks and compromised accounts with administrative privileges to infect internal servers.
  • Consequently, the attackers deploy a Cobalt Strike beacon to distribute more malware and perform lateral movements.
  • The infection chain makes use of SMB and WMIC to propagate backdoors and hacking tools in the victims’ environment.
  • At the end of each round of operations, they archive the collected data from PDF and DDF files and upload them to online storage repositories AnonFiles or File[.]io.
As part of the attack chain, the threat actors delete their current backdoor after completing each cycle of operation and redeploy a new piece of malware in a new round of infection process.

Victimology
  • The campaign is actively targeting government and IT organizations in the Philippines, Taiwan, Malaysia, South Africa, Germany, and the U.S.
  • Researchers observed some network traffic to C2 servers in Canada and the occurrence of toolset detections in India and Singapore, making these regions potential targets of attackers.
Malware detected

Researchers noted multiple malware such as Zingdoor, TrillClient, and HemiGate used by Earth Estries. 
  • Zingdoor is a new HTTP backdoor written in Go language and supports multiple capabilities such as running arbitrary commands and exfiltrating system information and Windows service information.
  • TrillClient, an information stealer written in Go, is designed to steal browser data. It is heavily obfuscated by custom obfuscators for anti-analysis.
  • HemiGate is another backdoor used by Earth Estries to communicate over port 443 and performs a connection via proxy if required by the environment.
Stay Safe

It is essential for organizations to track and analyze the tactics and techniques used by Earth Estries to set their security preferences and protect their digital assets. This is possible through IOCs, providing security teams and analysts to better analyze the threat through the MITRE ATT&CK framework and automate response actions.

No comments:

Post a Comment