A China-linked threat actor known as Earth Estries has been spotted using a previously undocumented backdoor called GHOSTSPIDER as part of attacks on Southeast Asian telecommunications companies.
Trend Micro, which described the hacking group as an aggressive advanced persistent threat (APT), said the intrusions also involved the use of another cross-platform backdoor called MASOL RAT (aka Backdr-NQ) on Linux systems belonging to Southeast Asian government networks.
In total, Earth Estries is estimated to have successfully compromised more than 20 organizations spanning the telecommunications, technology, consulting, chemical and transportation industries, government agencies, and the non-governmental organization (NGO) sector.
Victims have been identified in more than a dozen countries, including Afghanistan, Brazil, Eswatini, India, Indonesia, Malaysia, Pakistan, the Philippines, South Africa, Taiwan, Thailand, the United States and Vietnam.
Earth Estries shares overlaps with clusters tracked by other cybersecurity vendors under the names FamousSparrow, GhostEmperor, Salt Typhoon, and UNC2286. It is said to have been active since at least 2020, using a wide range of malware families to break into telecommunications and government organizations in the US, Asia-Pacific, the Middle East and South Africa.
According to a report from The Washington Post last week, the hacking group is believed to have penetrated more than a dozen telecommunications companies in the US alone. About 150 victims have been identified and notified by the US government.
Figure: DEMODEX rootkit infection chain
Some of the known tools in its malware portfolio include the Demodex rootkit and Deed RAT (aka SNAPPYBEE), the supposed successor to ShadowPad, which was widely used by several Chinese APT groups. The threat actor also uses backdoors and information stealers such as Crowdoor, SparrowDoor, HemiGate, TrillClient and Zingdoor.
Initial access to target networks is gained by exploiting N-day vulnerabilities in Ivanti Connect Secure (CVE-2023-46805 and CVE-2024-21887), Fortinet FortiClient EMS (CVE-2023-48788), Sophos Firewall (CVE-2022-3236), and Microsoft Exchange Server (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065, collectively known as ProxyLogon).
Figure: GHOSTSPIDER infection flow
The attacks then pave the way for the deployment of custom malware such as Deed RAT, Demodex and GHOSTSPIDER for long-term cyber espionage.
“Earth Estries is a well-organized group with a clear division of labor,” said security researchers Leon M Chang, Theo Chen, Lennart Bermejo and Ted Lee. “Based on observations of several companies, we believe that attacks targeting different regions and industries are carried out by different actors.”
“Furthermore, the (command and control) infrastructure used by the different backdoors appears to be managed by different infrastructure groups, further highlighting the complexity of the group’s operations.”
A complex and multi-module implant, GHOSTSPIDER communicates with attacker-controlled infrastructure using a custom protocol protected by Transport Layer Security (TLS) and receives additional modules that can augment its functionality as needed.
“Earth Estries conducts stealth attacks that start at the edge and spread to cloud environments, making detection challenging,” Trend Micro said.
“They use a variety of techniques to create operational networks that effectively hide their cyber espionage activities, demonstrating a high level of sophistication in their approach to infiltrating and monitoring sensitive targets.”
Telecommunications companies have been in the spotlight of several China-related threat groups, such as Granite Typhoon and Liminal Panda, in recent years.
Cybersecurity firm CrowdStrike told The Hacker News that the attacks highlight the significant maturation of China’s cyber program, which has moved from isolated attacks to mass data collection and longer-term targeting of managed service providers (MSPs), internet service providers (ISPs), and platform providers.