Summary:
Earth Estries, a Chinese APT group, has been aggressively targeting critical sectors globally since 2023, employing advanced techniques and backdoors like GHOSTSPIDER and MASOL RAT for espionage. Their operations have affected numerous organizations across various industries, indicating a sophisticated and coordinated approach to cyberattacks.
#APTGroup #CyberEspionage #GHOSTSPIDER
Earth Estries, a Chinese APT group, has been aggressively targeting critical sectors globally since 2023, employing advanced techniques and backdoors like GHOSTSPIDER and MASOL RAT for espionage. Their operations have affected numerous organizations across various industries, indicating a sophisticated and coordinated approach to cyberattacks.
#APTGroup #CyberEspionage #GHOSTSPIDER
Keypoints:
Earth Estries has targeted critical sectors including telecommunications and government entities since 2023.
The group has compromised over 20 organizations across various industries globally.
Advanced attack techniques and multiple backdoors, such as GHOSTSPIDER, SNAPPYBEE, and MASOL RAT, are employed.
Initial access is often gained through exploiting public-facing server vulnerabilities.
Earth Estries uses living-off-the-land binaries for lateral movement within networks.
The group has a complex command and control infrastructure managed by different teams.
Operations often overlap with tactics of other known Chinese APT groups.
Earth Estries has been conducting prolonged attacks targeting governments and service providers since 2020.
They have targeted consulting firms and NGOs working with the U.S. federal government.
Victims include organizations from countries such as the US, India, and South Africa.
MITRE Techniques
Initial Access (T1190): Exploits public-facing server vulnerabilities to gain entry.
Lateral Movement (T1021): Uses living-off-the-land binaries like WMIC.exe and PSEXEC.exe for lateral movement.
Command and Control (T1071): Utilizes multiple command and control domains to maintain communication with compromised systems.
Data Exfiltration (T1041): Exfiltrates sensitive data from compromised networks.
Credential Dumping (T1003): Harvests credentials from compromised systems.
Persistence (T1547): Uses rootkits like DEMODEX to maintain access to compromised systems.
IoC:
[IP Address] 23.81.41[.]166
[IP Address] 165.154.227[.]192
[IP Address] 103.159.133[.]251
[Domain] api.solveblemten[.]com
[Domain] esh.hoovernamosong[.]com
[Domain] pulseathermakf[.]com
[Domain] www[.]infraredsen[.]com
[Domain] imap[.]dateupdata[.]com
[File Name] onedrived.ps1
[File Name] frpc
[File Name] sql.toml
[File Name] Nsc.exe
[File Name] WINMM.dll
[File Name] imfsbSvc.exe
[File Name] imfsbDll.dll
[File Name] DgApi.dll
[File Name] dbindex.dat
[File Name] NortonLog.txt
[File Name] 0202/*
Full Research: https://www.trendmicro.com/en_us/research/24/k/earth-estries.html