Earth Estries, a cyber threat group associated with China, has been observed deploying a newly identified backdoor, GHOSTSPIDER, in its targeted attacks against Southeast Asian telecommunications firms. According to Trend Micro, this advanced persistent threat (APT) group is employing sophisticated strategies to penetrate multiple industries.

Targeted Sectors and Geographical Spread

Earth Estries has compromised more than 20 organizations across telecommunications, technology, consulting, chemical, and transportation companies, as well as government bodies and NGOs. The victims are spread over more than a dozen countries, including Afghanistan, Brazil, Eswatini, India, Indonesia, Malaysia, Pakistan, the Philippines, South Africa, Taiwan, Thailand, the U.S., and Vietnam.

Technical Analysis

GHOSTSPIDER and a second backdoor, the Linux-targeting MASOL RAT (also known as Backdr-NQ), are central to the group's current operations. The actor also maintains a wider toolset, including the Demodex rootkit and Deed RAT, which is suspected to be a successor of the ShadowPad malware, alongside Crowdoor, SparrowDoor, HemiGate, TrillClient, and Zingdoor.

Exploitation Techniques

Initial access is gained by exploiting known vulnerabilities in widely deployed edge software: Ivanti Connect Secure (CVE-2023-46805, an authentication bypass, chained with CVE-2024-21887, a command injection), Fortinet FortiClient EMS (CVE-2023-48788), Sophos Firewall (CVE-2022-3236), and Microsoft Exchange Server (the ProxyLogon set: CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065). Once a foothold exists, the group deploys custom malware such as GHOSTSPIDER to carry out long-term espionage inside the network.

Group Dynamics and Complexity

Trend Micro researchers emphasize Earth Estries' organizational complexity, noting that distinct teams appear to handle different parts of its operations. The different backdoors run on separate command-and-control infrastructures, which suggests specialized divisions within the group rather than a single operator.

Sophistication and Evasion Tactics

GHOSTSPIDER communicates over a custom protocol wrapped in TLS and can download additional modules on demand, so the initial implant stays small and the capabilities seen on a given host depend on what the operators choose to push. The group's intrusions start at internet-facing edge devices and extend into cloud environments, which spreads the evidence across several telemetry sources and complicates detection. Earth Estries combines these techniques to keep its operations low-profile, reflecting a high degree of operational maturity.

Earth Estries is part of a broader pattern of Chinese cyber activities that have evolved from isolated incidents to sustained surveillance of Managed Service Providers (MSPs), Internet Service Providers (ISPs), and platform providers. As noted by cybersecurity firm CrowdStrike, the scale and persistence of these attacks reflect the growing maturity of China's cyber initiatives.
