In the intricate web of global cybersecurity, a cyber-espionage group, potentially tied to China, has been found to be targeting government-related organizations and technology companies across the globe. This group, known as Earth Estries, has been on the radar of cybersecurity firm Trend Micro since 2020.
While Trend Micro has not directly linked Earth Estries to any specific country, it has noted striking similarities in tactics, techniques, and procedures (TTPs) with another Advanced Persistent Threat (APT) group, FamousSparrow.
FamousSparrow (AnnoyingBird), known for its activities in 2021 targeting governments and hotels, has been linked to China-associated threat actors SparklingGoblin (Editorial note: Wasted opportunity to call this SpankingGoblin) and DRBControl (DribbleControl).
Earth Estries has made its mark on organizations in the United States, Germany, South Africa, Malaysia, the Philippines, and Taiwan. There are also indications that entities in India, Canada, and Singapore may have been targeted. Its primary victims have been organizations operating in the government and technology sectors.
The modus operandi of the attackers involves compromising admin accounts after infiltrating the internal servers of the targeted organizations. They then employ lateral movement, deploying backdoors and other tools, before gathering and exfiltrating valuable data. The group’s arsenal of malware includes the HemiGate and Zingdoor backdoors, and the TrillClient information stealer.
Earth Estries’ command and control (C&C) infrastructure leans heavily on the Fastly CDN service, which has previously been abused by threat actors associated with the Chinese group APT41. Further analysis revealed C&C servers hosted on virtual private server (VPS) services in a range of countries, including the US, India, Canada, the UK, Finland, Germany, Macedonia, China, South Korea, Japan, South Africa, and Australia.
Trend Micro assesses that the threat actors behind Earth Estries are well-resourced, demonstrating sophisticated skills and extensive experience in cyberespionage and illicit activities. The group uses multiple backdoors and hacking tools to bolster its intrusion vectors.
In an effort to minimize its digital footprint, the group employs PowerShell downgrade attacks, forcing the legacy 2.0 engine, which is not covered by the logging that the Windows Antimalware Scan Interface (AMSI) provides, so that script content goes unrecorded. It also abuses public services such as GitHub, Gmail, AnonFiles, and File.io to exchange commands and transfer stolen data.
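As an added illustration of how a defender can spot the downgrade technique described above (this is example code written for this page, not part of the article or of Trend Micro's report): Windows PowerShell logs event ID 400 ("Engine state is changed from None to Available") whenever an engine starts, and that event carries both the HostVersion of the powershell.exe that was launched and the EngineVersion that actually runs the script. A modern host starting a 2.0 engine is the downgrade signature. The event records below are constructed from the real event's field layout with made-up GUIDs and paths; the version-switch regex only covers the `-Version`/`-v` spellings and is an assumption about what a detection would want as supporting evidence.

```python
"""Flag PowerShell engine downgrades from Windows PowerShell event ID 400 records.

A session whose HostVersion is 5.x but whose EngineVersion is 2.0 is running
without AMSI and script block logging, which is the evasion the article describes.
"""
import re
from typing import Dict, List

# Constructed template following the field layout of the real event 400 message
# (GUIDs and paths are made up, not taken from any real system).
EVENT_400_TEMPLATE = """Engine state is changed from None to Available.

Details:
\tNewEngineState=Available
\tPreviousEngineState=None

\tSequenceNumber=13

\tHostName=ConsoleHost
\tHostVersion={host_version}
\tHostId=00000000-0000-0000-0000-000000000000
\tHostApplication={host_application}
\tEngineVersion={engine_version}
\tRunspaceId=00000000-0000-0000-0000-000000000000
\tPipelineId=
\tCommandName=
\tCommandType=
\tScriptName=
\tCommandPath=
\tCommandLine="""


def make_event(host_version: str, engine_version: str, host_application: str) -> str:
    """Build a constructed event 400 message body for the sample set."""
    return EVENT_400_TEMPLATE.format(
        host_version=host_version,
        engine_version=engine_version,
        host_application=host_application,
    )


# Constructed sample records: a normal 5.1 session, a deliberate downgrade on a
# 5.1 host, and a genuinely old 2.0 host (legacy, but not a downgrade).
SAMPLE_EVENTS = [
    make_event("5.1.19041.1", "5.1.19041.1",
               r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    make_event("5.1.19041.1", "2.0",
               r"powershell.exe -Version 2 -NoProfile -ExecutionPolicy Bypass -File C:\Users\Public\update.ps1"),
    make_event("2.0", "2.0", r"powershell.exe -File C:\Scripts\legacy.ps1"),
]

# One "Key=Value" field per line inside the Details block.
FIELD_RE = re.compile(r"^\s*(\w+)=(.*)$", re.MULTILINE)

# Explicit "-Version 2" / "-v 2" switch on the command line (assumed signal;
# PowerShell also accepts other abbreviations that this regex does not cover).
VERSION_SWITCH_RE = re.compile(r"(?i)(?:^|\s)-v(?:ersion)?\s+2(?:\.0)?(?=\s|$)")


def parse_event_400(message: str) -> Dict[str, str]:
    """Turn the Details block of an event 400 message into a field dictionary."""
    return {key: value.strip() for key, value in FIELD_RE.findall(message)}


def major_version(version: str) -> int:
    """First numeric component of a dotted version string; 0 if the field is empty."""
    match = re.match(r"(\d+)", version)
    return int(match.group(1)) if match else 0


def is_engine_downgrade(fields: Dict[str, str]) -> bool:
    """True when a 5.x or newer host runs a pre-5 engine (no AMSI / script block logging)."""
    host_major = major_version(fields.get("HostVersion", ""))
    engine_major = major_version(fields.get("EngineVersion", ""))
    return host_major >= 5 and 0 < engine_major < 5


def find_downgrades(messages: List[str]) -> List[Dict[str, object]]:
    """Return one finding per event 400 record that shows an engine downgrade."""
    findings: List[Dict[str, object]] = []
    for message in messages:
        fields = parse_event_400(message)
        if not is_engine_downgrade(fields):
            continue
        host_app = fields.get("HostApplication", "")
        findings.append({
            "host_version": fields.get("HostVersion", ""),
            "engine_version": fields.get("EngineVersion", ""),
            "host_application": host_app,
            "explicit_version_switch": bool(VERSION_SWITCH_RE.search(host_app)),
        })
    return findings


if __name__ == "__main__":
    for finding in find_downgrades(SAMPLE_EVENTS):
        print("PowerShell engine downgrade:", finding)
```

The rule keys on the version pair rather than on the command line, because the `-Version 2` switch can be hidden behind a launcher while the engine version in the event cannot; the command-line match is kept only as supporting evidence for the analyst. The matching mitigation is to remove the optional Windows PowerShell 2.0 feature from hosts that do not need it, after which the downgrade fails and the event never fires.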
This revelation adds another layer to the ongoing narrative of cyber-espionage, reinforcing the need for robust cybersecurity measures across all sectors.