
APT Group Earth Estries Runs Espionage Campaigns Against US, Others – Source: securityboulevard.com


Source: securityboulevard.com – Author: Jeffrey Burt

A newly discovered cyber-espionage threat group has for at least three years been using advanced and novel tools to steal information from governments and tech companies in half a dozen countries, including the United States.

The advanced persistent threat (APT) group, dubbed Earth Estries, is armed with “high-level resources and functioning with sophisticated skills and experience in cyberespionage and illicit activities,” wrote researchers at Trend Micro, who detected the operation earlier this year; the group has been running its campaign since at least 2020.


“It targets government and technology organizations in various countries and is capable of implementing advanced techniques such as the use of multiple backdoors and hacking tools to gain access to its targets,” the researchers wrote in a report this week. “By compromising internal servers and valid accounts, the threat actors can perform lateral movement within the victim’s network and carry out their malicious activities covertly.”

Trend Micro didn’t delve into the possible origins of Earth Estries, but said some of the tools and tactics the group uses overlap with those of another APT group, FamousSparrow. Cybersecurity firm ESET in 2021 wrote that FamousSparrow is a cyber-espionage group that has links with APT gangs SparklingGoblin and Metasploit, both of which have been tied back to China.

The Long Reach of Earth Estries

The Earth Estries campaign, which Trend Micro said is still active, has global reach, attacking government and tech entities in Germany, South Africa, Malaysia, Taiwan, and the Philippines as well as the United States, and housing command-and-control (C2) servers in at least 18 countries.

The Trend Micro researchers wrote that Earth Estries first compromises a target organization’s internal server and then, via existing accounts that come with administrative privileges and tools like Cobalt Strike, deploys more malware and moves laterally through the network.

The threat actors then deploy backdoors and hacking tools in other systems and target PDF and DDF files, which are uploaded to online repositories AnonFiles or File.io. The backdoor malware is cleaned regularly after each round of the operation, with the hackers redeploying new malware in the ensuing round, all to reduce the chance of detection.

“To leave as little footprint as possible, they use PowerShell downgrade attacks to avoid detection from Windows Antimalware Scan Interface’s (AMSI) logging mechanism,” the researchers wrote. “In addition, the actors abuse public services such as Github, Gmail, AnonFiles, and File.io to exchange or transfer commands and stolen data.”
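The PowerShell downgrade the researchers describe works by forcing the Windows PowerShell 2.0 engine, which predates AMSI, onto a host that actually runs a newer version. The Windows PowerShell log's Event ID 400 records both HostVersion and EngineVersion, so the mismatch is visible; the detection below is an added example, not code from the article or the Trend Micro report, and its sample events and function names are constructed for illustration.

```python
import re

# Constructed sample events, shaped like the fields of Windows PowerShell
# log Event ID 400 ("Engine state is changed from None to Available").
SAMPLE_EVENTS = [
    # Normal start: host and engine both 5.1
    {"EventID": 400, "HostVersion": "5.1.19041.3031", "EngineVersion": "5.1.19041.3031",
     "HostApplication": "powershell.exe"},
    # Downgrade: a 5.1 host loaded the 2.0 engine, requested via -version 2
    {"EventID": 400, "HostVersion": "5.1.19041.3031", "EngineVersion": "2.0",
     "HostApplication": "powershell.exe -version 2 -nop -w hidden"},
    # Genuinely old machine: host and engine are both 2.0, not a downgrade
    {"EventID": 400, "HostVersion": "2.0", "EngineVersion": "2.0",
     "HostApplication": "powershell.exe"},
    # Engine stop event, ignored by the engine check
    {"EventID": 403, "HostVersion": "5.1.19041.3031", "EngineVersion": "5.1.19041.3031",
     "HostApplication": "powershell.exe"},
]

# powershell.exe accepts -Version and any unambiguous prefix of it (e.g. -v).
DOWNGRADE_FLAG = re.compile(r"(?i)(?:^|\s)-v(?:ersion|ersio|ersi|ers|er|e)?\s+2(?:\.0)?(?=\s|$)")


def is_engine_downgrade(evt):
    """True when a v3+ host started the legacy 2.0 engine (Event ID 400 only)."""
    if evt.get("EventID") != 400:
        return False
    engine = evt.get("EngineVersion", "")
    host = evt.get("HostVersion", "")
    return engine.startswith("2.") and not host.startswith("2.")


def has_downgrade_flag(cmdline):
    """True when the recorded command line explicitly requests engine version 2."""
    return bool(DOWNGRADE_FLAG.search(cmdline))


def find_downgrades(events):
    """Return (command line, reasons) for every event that shows a downgrade."""
    hits = []
    for evt in events:
        reasons = []
        if is_engine_downgrade(evt):
            reasons.append("engine_v2_on_newer_host")
        if has_downgrade_flag(evt.get("HostApplication", "")):
            reasons.append("version_2_flag")
        if reasons:
            hits.append((evt.get("HostApplication", ""), reasons))
    return hits
```

Running `find_downgrades(SAMPLE_EVENTS)` flags only the second event, on both grounds; the engine-version check catches downgrades even when the command line was not logged.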

Using Novel Hacking Tools

Earth Estries is using a range of tools, from info and browser data stealers to port scanners, they wrote, adding that there also are at least three new weapons in the group’s arsenal.

One is an HTTP backdoor called Zingdoor that is written in Go, a programming language popular with threat groups because it makes their presence in compromised systems more difficult to detect. Zingdoor was likely developed last year and was first seen in April, though it has rarely been detected in the wild and only with a few victims. The researchers suspect it has cross-platform capabilities and uses a custom obfuscator engine to deter analysis.

TrillClient is designed to steal browser data; it is also written in Go and has a custom obfuscator. The stolen data is copied, archived, and encrypted with an XOR algorithm before being sent to the attacker’s email account.

“Another noteworthy capability of TrillClient is its ability to update its version,” the researchers wrote. “As the value of ‘version’ defined in the downloaded config is newer than the current version number, it will download the newer one from the GitHub repository and update itself.”

DLL Sideloading

HemiGate is another backdoor that executes in three instances.

“HemiGate is a backdoor used by Earth Estries. Like most of the tools used by this threat actor, this backdoor is also executed via DLL sideloading using one of the loaders that support interchangeable payloads,” they wrote.

“Earth Estries relies heavily on DLL sideloading to load various tools within its arsenal. Aside from the backdoors previously mentioned, this intrusion set also utilizes commonly used remote control tools like Cobalt Strike, PlugX, or Meterpreter stagers interchangeably in various attack stages. These tools come as encrypted payloads loaded by custom loader DLLs.”

Earth Estries puts a lot of effort into being difficult to detect and analyze, including compromising internal servers and valid accounts and using Zingdoor, which ensures it can’t easily be unpacked.

“They also use techniques like PowerShell downgrade attacks and novel DLL sideloading combinations to evade detection,” they wrote.


Original Post URL: https://securityboulevard.com/2023/08/apt-group-earth-estries-runs-espionage-campaigns-against-us-others/

Category & Tags: Cybersecurity, Data Security, Featured, Malware, Network Security, News, Security Boulevard (Original), Spotlight, Threat Intelligence, Threats & Breaches, computer hacking, Cyber Espionage
