Earth Estries Targets Governments And Tech Sectors Worldwide

The U.S., India, Australia, Canada, China, Japan, Finland, South Africa, and the U.K. are home to the bulk of command-and-control (C2) servers.

A recent, ongoing cyber espionage operation targeting governments and technological firms situated in the Philippines, Taiwan, Malaysia, South Africa, Germany, and the US has been linked to a hacker group known as Earth Estries.

“The threat actors behind Earth Estries are working with high-level resources and functioning with sophisticated skills and experience in cyber espionage and illicit activities,” researchers Ted Lee, Lenart Bermejo, Hara Hiroaki, Leon M Chang, and Gilbert Sison from Trend Micro said.

Earth Estries has been active since at least 2020 and is assessed to share tactical overlaps with FamousSparrow, a state-sponsored group that ESET first documented in 2021 exploiting the ProxyLogon flaws in Microsoft Exchange Server to break into the hospitality, government, engineering, and legal sectors.

It is also worth noting that FamousSparrow has been linked to UNC4841, an uncategorized activity cluster blamed for weaponizing a then-unknown zero-day vulnerability in Barracuda Networks Email Security Gateway (ESG) appliances.

According to the attack chains documented by Trend Micro, the adversary uses Cobalt Strike for post-exploitation of compromised environments and then moves quickly to deploy additional malware and widen its foothold.

To expand its data collection, the adversary has been observed using a range of tools, including backdoors, browser data stealers, and port scanners.

These include HemiGate, a backdoor that can log keystrokes, take screenshots, operate on files, and monitor processes; Zingdoor, a Go-based implant that can enumerate and manage files, collect system information, and execute arbitrary commands; and TrillClient, a custom stealer that harvests data from web browsers.

The adversary’s habit of routinely cleaning up and redeploying its backdoors on an infected host, to reduce the risk of exposure and discovery, further points to an espionage motive.

According to the researchers, “Earth Estries heavily relies on DLL side-loading to load various tools within its arsenal.” The group also uses PowerShell downgrade attacks to sidestep Windows Antimalware Scan Interface (AMSI) logging and leave as small a trace as possible: forcing the legacy PowerShell 2.0 engine, which predates AMSI and script block logging, means scripts run without either.

Another important component of the modus operandi is the abuse of legitimate public services such as GitHub, Gmail, AnonFiles, and File.io to move stolen data and relay instructions. The U.S., India, Australia, Canada, China, Japan, Finland, South Africa, and the U.K. are home to the bulk of command-and-control (C2) servers.

By compromising internal servers and legitimate accounts, the threat actors can move laterally within the victim’s network and carry out their malicious actions covertly, the researchers said. “They also use techniques like PowerShell downgrade attacks and novel DLL side-loading combinations to evade detection.”
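The two evasion techniques named above, PowerShell downgrade attacks and DLL side-loading, are the ones a defender can most readily hunt for in endpoint telemetry. The script below is an added example written for this page, not code from Trend Micro or from the Earth Estries toolset, and the events it runs over are constructed, simplified Sysmon-style records with an assumed field layout (for image-load events it uses `ImageSigned` for the host process and `Signed` for the loaded DLL). It flags two downgrade indicators (a `powershell.exe` command line requesting `-Version 2`, and a Windows PowerShell engine-lifecycle event 400 reporting a 2.0 engine inside a newer host) and one side-loading indicator (a signed executable loading an unsigned DLL from its own user-writable directory). The field names, sample paths and the `USER_WRITABLE` heuristic are assumptions for the example.

```python
import re
from pathlib import PureWindowsPath

# Constructed, simplified Sysmon-style events (assumed schema, not real telemetry from
# the Trend Micro report): EventID 1 = process creation, 7 = image (DLL) load,
# 400 = Windows PowerShell "Engine state changed" lifecycle event.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -Version 2 -NoProfile -w hidden -enc SQBFAFgA"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -NoProfile -File C:\scripts\inventory.ps1"},
    {"EventID": 400, "EngineVersion": "2.0", "HostVersion": "5.1.19041.1"},
    {"EventID": 400, "EngineVersion": "5.1.19041.1", "HostVersion": "5.1.19041.1"},
    {"EventID": 7, "Image": r"C:\Users\Public\Libraries\vendorapp.exe", "ImageSigned": True,
     "ImageLoaded": r"C:\Users\Public\Libraries\version.dll", "Signed": False},
    {"EventID": 7, "Image": r"C:\Program Files\Vendor\vendorapp.exe", "ImageSigned": True,
     "ImageLoaded": r"C:\Windows\System32\version.dll", "Signed": True},
]

# "-Version 2", "-v 2", "-ver 2.0", ...: PowerShell accepts any unambiguous prefix of -Version.
DOWNGRADE_FLAG = re.compile(
    r"(?i)(?:^|\s)-v(?:ersion|ersio|ersi|ers|er|e)?\s+2(?:\.0)?(?:\s|$)")

# Directory components a standard user can write to (assumed heuristic); a signed host
# EXE loading an unsigned DLL from such a directory is the classic side-loading layout.
USER_WRITABLE = ("users", "programdata", "temp", "tmp")


def is_user_writable(path: str) -> bool:
    """True if any directory component (after the drive) is a user-writable location."""
    parts = [p.lower() for p in PureWindowsPath(path).parts[1:]]
    return any(p in USER_WRITABLE for p in parts)


def detect_powershell_downgrade(events):
    """Flag attempts to run the PowerShell 2.0 engine, which predates AMSI and
    script block logging and therefore emits neither."""
    findings = []
    for e in events:
        if e["EventID"] == 1 and e["Image"].lower().endswith("powershell.exe"):
            if DOWNGRADE_FLAG.search(e["CommandLine"]):
                findings.append(("ps_downgrade_cmdline", e["CommandLine"]))
        elif e["EventID"] == 400 and e["EngineVersion"].startswith("2."):
            # A 2.0 engine started by a newer host: the legacy engine was requested on purpose.
            findings.append(("ps_downgrade_engine",
                             f"engine {e['EngineVersion']} in host {e['HostVersion']}"))
    return findings


def detect_dll_sideload(events):
    """Flag a signed executable loading an unsigned DLL from its own, user-writable directory."""
    findings = []
    for e in events:
        if e["EventID"] != 7:
            continue
        host_dir = str(PureWindowsPath(e["Image"]).parent).lower()
        dll_dir = str(PureWindowsPath(e["ImageLoaded"]).parent).lower()
        if (e["ImageSigned"] and not e["Signed"]
                and host_dir == dll_dir
                and is_user_writable(e["ImageLoaded"])):
            findings.append(("dll_sideload", f"{e['Image']} loaded {e['ImageLoaded']}"))
    return findings


if __name__ == "__main__":
    for kind, detail in detect_powershell_downgrade(SAMPLE_EVENTS) + detect_dll_sideload(SAMPLE_EVENTS):
        print(f"[{kind}] {detail}")
```

The engine-version check matters because the command-line check alone misses downgrades launched through a script host or a renamed binary; event 400 is written by the engine itself regardless of how it was started. The side-loading rule is deliberately narrow (same directory, signed host, unsigned DLL, user-writable path) to keep false positives low; broaden it only with an allow-list of known vendor installers.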