26 November 2024

China-linked Earth Estries APT deploys new Ghostspider backdoor in Southeast Asia attacks


A China-linked state-sponsored threat actor known as Earth Estries has been targeting telecommunications companies in Southeast Asia with a novel backdoor called Ghostspider, according to Trend Micro.

Trend Micro describes Earth Estries (aka Salt Typhoon, FamousSparrow, GhostEmperor and UNC2286) as one of the most aggressive Chinese hacking groups, active since 2023. The group's recent operations have targeted over 20 organizations in the telecommunications, technology, consulting, chemical, and transportation sectors, as well as government and non-profit organizations.

The group's latest attacks involve Ghostspider, a sophisticated backdoor implant capable of establishing secure communications with attacker-controlled servers via a custom protocol protected by Transport Layer Security (TLS). This allows it to fetch and execute additional modules for extended functionality, enabling Earth Estries to maintain persistence and conduct long-term espionage.

Additionally, the group has deployed MASOL RAT (also known as Backdr-NQ), a cross-platform backdoor targeting Linux systems within government networks in Southeast Asia.

Initial access is achieved by leveraging N-day vulnerabilities in widely used software such as Ivanti Connect Secure (CVE-2023-46805, CVE-2024-21887), Fortinet FortiClient EMS (CVE-2023-48788), Sophos Firewall (CVE-2022-3236), and Microsoft Exchange Server (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065, collectively known as ProxyLogon).

After gaining access, Earth Estries uses living-off-the-land binaries and scripts to move laterally within networks, deploying a wide range of malware for reconnaissance, data theft, and persistence. The group's arsenal includes Deed RAT (SNAPPYBEE), a suspected successor to ShadowPad; the Demodex rootkit; and the Crowdoor, SparrowDoor, HemiGate, TrillClient, and Zingdoor backdoors.

Earth Estries employs a complex command-and-control (C&C) infrastructure operated by distinct teams. Many of its tactics, techniques, and procedures (TTPs) overlap with those of other Chinese APT groups, indicating the potential use of shared tools from malware-as-a-service providers.

While the group primarily focuses on Southeast Asia, its targets have extended globally, including the US, the Middle East, the Asia-Pacific region, and South Africa. The US government has identified over 150 victims, with telecommunications companies particularly affected.
