A hacking outfit nicknamed Earth Estries has been attributed to a new, ongoing cyber espionage campaign targeting government and technology industries based in the Philippines, Taiwan, Malaysia, South Africa, Germany, and the U.S.
“The threat actors behind Earth Estries are working with high-level resources and functioning with sophisticated skills and experience in cyber espionage and illicit activities,” Trend Micro researchers Ted Lee, Lenart Bermejo, Hara Hiroaki, Leon M Chang, and Gilbert Sison said.
Active since at least 2020, Earth Estries is said to share tactical overlaps with another nation-state group tracked as FamousSparrow, which was first exposed by ESET in 2021 as exploiting ProxyLogon flaws in Microsoft Exchange Server to penetrate hospitality, government, engineering, and legal sectors.
It’s worth pointing out that commonalities have also been unearthed between FamousSparrow and UNC4841, an uncategorized activity cluster held responsible for the weaponization of a recently disclosed zero-day flaw in Barracuda Networks Email Security Gateway (ESG) appliances.
Attack chains documented by Trend Micro show that the adversary is leveraging Cobalt Strike to conduct post-exploitation of compromised environments, following which it moves quickly to deploy additional malware and broaden the foothold.
The adversary has been observed employing an arsenal of backdoors and hacking tools, including backdoors, browser data stealers, and port scanners to enhance data collection.
This encompasses PlugX; Zingdoor, a Go-based implant to capture system information, enumerate and manage files, and run arbitrary commands; TrillClient, a custom stealer written in Go to siphon data from web browsers; and HemiGate, a backdoor that can log keystrokes, take screenshots, perform file operations, and monitor processes.
Detect, Respond, Protect: ITDR and SSPM for Complete SaaS Security
Discover how Identity Threat Detection & Response (ITDR) identifies and mitigates threats with the help of SSPM. Learn how to secure your corporate SaaS applications and protect your data, even after a breach.
Further lending legitimacy to the adversary’s espionage motives is its proclivity towards regularly cleaning and redeploying its backdoors on the infected host in an attempt to reduce the risk of exposure and detection.
“Earth Estries relies heavily on DLL side-loading to load various tools within its arsenal,” the researchers said. “To leave as little footprint as possible, they use PowerShell downgrade attacks to avoid detection from Windows Antimalware Scan Interface’s (AMSI) logging mechanism.”
Another significant aspect of the modus operandi is the abuse of public services such as Github, Gmail, AnonFiles, and File.io to exchange or transfer commands and stolen data. A majority of the command-and-control (C2) servers are located in the U.S., India, Australia, Canada, China, Japan, Finland, South Africa, and the U.K.
“By compromising internal servers and valid accounts, the threat actors can perform lateral movement within the victim’s network and carry out their malicious activities covertly,” the researchers said. “They also use techniques like PowerShell downgrade attacks and novel DLL side-loading combinations to evade detection.”