A hacking organization called Earth Estries has been attributed to a new, ongoing cyber espionage campaign targeting government and technology industries based in the Philippines, Taiwan, Malaysia, South Africa, Germany, and the US.
Trend Micro researchers Ted Lee, Lenart Bermejo, Hara Hiroaki, Leon M. Chang and Gilbert Sison said, “The threat actors behind Earth Estries are operating with high levels of resources and sophisticated skills in cyber espionage and illicit activities.”
Active since at least 2020, Earth Estries is said to share strategic overlap with another nation-state group tracked as FamousSparrow, which was first tracked by ESET in 2021 across hospitality, government, engineering and legal sectors. The entry was exposed as exploiting the proxylogon flaw in Microsoft Exchange Server.
It is worth pointing out that parallels have also been revealed between FamousSparrow and UNC4841, a classified activity cluster attributed to the weaponization of the recently disclosed zero-day flaw in Barracuda Networks Email Security Gateway (ESG) appliances.
The attack chains documented by Trend Micro show that the adversary is taking advantage of Cobalt Strike to exploit the compromised environment, then quickly moves to deploy additional malware and gain a foothold.
The adversary has been observed using an arsenal of backdoors and hacking tools, including backdoors, browser data stealers, and port scanners, to increase data collection.
These include Zingdor, a Go-based implant for obtaining system information, enumerating and managing files, and running arbitrary commands; TrillClient, a custom stealer written in Go to siphon data from web browsers; and Hemigate, a backdoor that can log keystrokes, take screenshots, perform file operations and monitor processes.
There is a tendency to routinely clean and redeploy their back doors on infected hosts in an effort to reduce exposure and risk of detection in order to make an opponent’s espionage purposes more legitimate.
“Earth Estries relies heavily on DLL side-loading to load the various tools in its arsenal,” the researchers said. “To leave as little footprint as possible, they use PowerShell downgrade attacks to avoid detection by the Windows Antimalware Scan Interface (AMSI) logging mechanism.”
Another important aspect of the methodology is the misuse of public services such as GitHub, Gmail, AnonFiles and File.io to exchange or transfer commands and stolen data. Most command-and-control (C2) servers are located in the U.S., India, Australia, Canada, China, Japan, Finland, South Africa, and the U.K..
“By compromising internal servers and legitimate accounts, threat actors can perform lateral movement within the victim’s network and carry out their malicious activities covertly,” the researchers said. “They also use techniques such as PowerShell downgrade attacks and novel DLL side-loading combinations to avoid detection.”
