A Newly Identified Threat Actor Quietly Steals Information Globally
Introduction
A new report from Trend Micro has identified a previously unknown threat actor, Earth Estries, that has been stealing information from governments and technology organizations around the world since at least 2020. Earth Estries appears to have overlapping activities with another cyber espionage outfit, FamousSparrow, and targets organizations in countries across the globe, including the US, Philippines, Germany, Taiwan, Malaysia, and South Africa. Trend Micro’s researchers describe Earth Estries as a sophisticated group that uses custom malware and high-level resources to carry out its cyberespionage and other illicit activities.
The Toolset of Earth Estries
Earth Estries utilizes three unique malware tools: Zingdoor, TrillClient, and HemiGate. Zingdoor is an HTTP backdoor that was first developed in June 2022 and has been deployed in limited instances since then. It is written in Golang and has cross-platform capabilities. Zingdoor can gather system and Windows services information, upload or download files, and run arbitrary commands on a host machine. TrillClient, also written in Golang, is a combination installer and infostealer packaged in a Windows cabinet file. Its primary function is to collect browser credentials; to evade detection it sleeps between runs and acts only on command or at random intervals. Both Zingdoor and TrillClient employ custom obfuscators to hinder analysis. HemiGate, the most multifaceted tool in Earth Estries’ arsenal, is an all-in-one backdoor that includes features such as keylogging, capturing screenshots, running commands, and monitoring file, directory, and process activity.
Earth Estries’ Operating Methods
Researchers observed Earth Estries infecting an organization’s internal servers in April by using compromised accounts with administrative privileges. The exact method of compromising these accounts remains unknown. After gaining a foothold, Earth Estries employed Cobalt Strike to establish persistence and used Server Message Block (SMB) and the WMI command line to deploy their malware. The group’s deliberate approach is evident in its preference for DLL sideloading, a technique that abuses a legitimate application’s DLL search order to execute malicious code on the host. To reduce the risk of exposure and detection, Earth Estries regularly removes its existing backdoor after each round of operations and deploys a new piece of malware for the next round. Overlaps have also been found between Earth Estries’ backdoor loader and FamousSparrow’s. The group’s origins remain unclear, and its command-and-control infrastructure is distributed across five continents, with the highest concentration in the US and India.
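Two of the behaviours described above, DLL sideloading and malware deployment through WMI, leave recognisable traces in endpoint telemetry. The following is an added example written for this summary; it is not code from Trend Micro or from the report, and it runs over constructed Sysmon-style event records rather than real indicators. The baseline of system DLL names, the list of interpreter processes, and the field names of the records are assumptions chosen for the demonstration.

```python
"""Heuristic detection of DLL sideloading and WMI-driven process creation.
Added example over constructed, Sysmon-style event records (not from the
Trend Micro report; all paths and names below are made up)."""
import ntpath
from dataclasses import dataclass
from typing import Dict, List, Optional

# Directories from which Windows legitimately resolves system DLLs.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Assumption: a real deployment builds this from an inventory of System32;
# three names are enough to show the logic.
KNOWN_SYSTEM_DLLS = {"version.dll", "wtsapi32.dll", "dbghelp.dll"}

# Assumption: children of the WMI provider host that warrant triage.
INTERPRETERS = {"cmd.exe", "powershell.exe", "rundll32.exe", "wscript.exe"}


@dataclass
class Finding:
    rule: str      # which heuristic fired
    process: str   # the process the finding is about
    detail: str    # free-text context for the analyst


def _norm(path: str) -> str:
    """Normalise a Windows path for case-insensitive comparison."""
    return path.replace("/", "\\").lower()


def in_system_dir(path: str) -> bool:
    p = _norm(path)
    return any(p.startswith(d) for d in SYSTEM_DIRS)


def detect_sideload(ev: Dict) -> Optional[Finding]:
    """Image-load record: a DLL carrying a system-DLL name is resolved outside
    the system directories, next to a signed host binary, and is itself
    unsigned. That pattern is the hallmark of search-order sideloading."""
    if ev.get("event") != "image_load":
        return None
    dll, host = _norm(ev["image_loaded"]), _norm(ev["image"])
    if ntpath.basename(dll) not in KNOWN_SYSTEM_DLLS or in_system_dir(dll):
        return None
    same_dir = ntpath.dirname(dll) == ntpath.dirname(host)
    if same_dir and ev.get("host_signed", False) and not ev.get("dll_signed", False):
        return Finding("dll_sideload", host,
                       f"{ntpath.basename(dll)} loaded from {ntpath.dirname(dll)}")
    return None


def detect_wmi_spawn(ev: Dict) -> Optional[Finding]:
    """Process-create record whose parent is WmiPrvSE.exe: remote WMI
    execution lands here, so an interpreter child is worth a look."""
    if ev.get("event") != "process_create":
        return None
    parent = ntpath.basename(_norm(ev["parent_image"]))
    child = ntpath.basename(_norm(ev["image"]))
    if parent == "wmiprvse.exe" and child in INTERPRETERS:
        return Finding("wmi_remote_exec", child, ev.get("command_line", ""))
    return None


RULES = (detect_sideload, detect_wmi_spawn)


def scan(events: List[Dict]) -> List[Finding]:
    """Run every rule over every record and collect the findings."""
    findings = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                findings.append(hit)
    return findings


# Constructed sample telemetry: one true positive per rule and one benign
# counterpart each, so the heuristics can be checked for both outcomes.
SAMPLE_EVENTS = [
    {"event": "image_load", "image": r"C:\ProgramData\Acme\updater.exe",
     "image_loaded": r"C:\ProgramData\Acme\version.dll",
     "host_signed": True, "dll_signed": False},
    {"event": "image_load", "image": r"C:\Windows\System32\svchost.exe",
     "image_loaded": r"C:\Windows\System32\version.dll",
     "host_signed": True, "dll_signed": True},
    {"event": "process_create", "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "command_line": "cmd.exe /c whoami"},
    {"event": "process_create", "image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "parent_image": r"C:\Windows\System32\svchost.exe", "command_line": ""},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f.rule, f.process, f.detail)
```

The sideloading rule keys on three conditions at once (system DLL name, non-system location, signed host with unsigned DLL) because any one of them alone is common in legitimate software; the WMI rule is deliberately narrow to the provider host spawning an interpreter, since WmiPrvSE.exe creating ordinary provider processes is normal. Both are starting points to tune against an environment's own baseline, not finished production detections.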
Analysis and Implications
The emergence of Earth Estries highlights the persistent threat of cyber espionage and the ever-evolving tactics employed by threat actors. The group’s use of custom malware and sophisticated techniques, alongside its extensive global reach, demonstrates the deliberate nature of its operations. By utilizing DLL sideloading, Earth Estries adds a further layer of complexity and evades traditional security measures. Overlaps with other threat groups, such as FamousSparrow and APT41 subgroups, suggest potential connections or shared resources within the underground cybercriminal ecosystem.
In an increasingly interconnected world, the activities of groups like Earth Estries underscore the importance of robust cybersecurity measures for governments and technology organizations. Zero-day vulnerability management, network segmentation, regular patching, and comprehensive threat intelligence are essential components of a proactive defense strategy against cyber threats. Collaboration between international agencies, private sector entities, and cybersecurity researchers is also crucial in sharing threat information and developing effective countermeasures.
Conclusion
Earth Estries, a newly identified threat actor, has been conducting a global campaign of cyber espionage since at least 2020. This sophisticated group utilizes custom malware and advanced techniques, including DLL sideloading, to steal information from governments and technology organizations. The group’s wide-ranging activities and overlaps with other threat actors highlight the ongoing challenges of combating cyber threats. To defend against such attacks, organizations must invest in robust cybersecurity measures, share threat information, and develop strategies that prioritize early detection and response. The fight against cyber espionage requires a coordinated and proactive approach that extends beyond national borders.