The China-linked threat actor known as Earth Estries has been observed using a previously undocumented backdoor called GHOSTSPIDER as part of its attacks targeting Southeast Asian telecommunications companies.
Trend Micro, which described the hacking group as an aggressive advanced persistent threat (APT), said the intrusions also involved the use of another cross-platform backdoor dubbed MASOL RAT (aka Backdr-NQ) on Linux systems belonging to Southeast Asian government networks.
In all, Earth Estries is estimated to have successfully compromised more than 20 entities spanning telecommunications, technology, consulting, chemical, and transportation industries, government agencies, and non-profit organization (NGO) sectors.
Victims have been identified across over a dozen countries, including Afghanistan, Brazil, Eswatini, India, Indonesia, Malaysia, Pakistan, the Philippines, South Africa, Taiwan, Thailand, the U.S., and Vietnam.
Earth Estries shares overlap with clusters tracked by other cybersecurity vendors under the names FamousSparrow, GhostEmperor, Salt Typhoon, and UNC2286. It’s said to be active since at least 2020, leveraging a wide range of malware families to breach telecommunications and government entities in the U.S., the Asia-Pacific region, the Middle East, and South Africa.
According to a report from The Washington Post last week, the hacking group is believed to have penetrated more than a dozen telecom companies in the U.S. alone. As many as 150 victims have been identified and notified by the U.S. government.
| The infection chain of DEMODEX rootkit |
Some of the notable tools in its malware portfolio include the Demodex rootkit and Deed RAT (aka SNAPPYBEE), a suspected successor to ShadowPad, which has been widely used by several Chinese APT groups. Also put to use by the threat actor backdoors and information stealers like Crowdoor, SparrowDoor, HemiGate, TrillClient, and Zingdoor.
Initial access to target networks is facilitated by the exploitation of N-day security flaws in Ivanti Connect Secure (CVE-2023-46805 and CVE-2024-21887), Fortinet FortiClient EMS (CVE-2023-48788), Sophos Firewall (CVE-2022-3236), Microsoft Exchange Server (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065, aka ProxyLogon).
| GHOSTSPIDER infection flow |
The attacks then pave the way for the deployment of custom malware such as Deed RAT, Demodex, and GHOSTSPIDER to conduct long-term cyber espionage activities.
“Earth Estries is a well-organized group with a clear division of labor,” security researchers Leon M Chang, Theo Chen, Lenart Bermejo, and Ted Lee said. “Based on observations from multiple campaigns, we speculate that attacks targeting different regions and industries are launched by different actors.”
“Additionally, the [command-and-control] infrastructure used by various backdoors seems to be managed by different infrastructure teams, further highlighting the complexity of the group’s operations.”
A sophisticated and multi-modular implant, GHOSTSPIDER communicates with attacker-controlled infrastructure using a custom protocol protected by Transport Layer Security (TLS) and fetches additional modules that can supplement its functionality as needed.
“Earth Estries conducts stealthy attacks that start from edge devices and extend to cloud environments, making detection challenging,” Trend Micro said.
“They employ various methods to establish operational networks that effectively conceal their cyber espionage activities, demonstrating a high level of sophistication in their approach to infiltrating and monitoring sensitive targets.”
Telecommunication companies have been in the crosshairs of several China-linked threat groups such as Granite Typhoon and Liminal Panda in recent years.
Cybersecurity firm CrowdStrike told The Hacker News that the attacks highlight a significant maturation of China’s cyber program, which has shifted from from isolated attacks to bulk data collection and longer-term targeting of Managed Service Providers (MSPs), Internet Service Providers (ISPs), and platform providers.
