A newly discovered, sophisticated threat group has been targeting organizations in the government and technology industries based in the U.S., as well as the Philippines, Taiwan, Malaysia, South Africa and Germany.
The espionage group, which has been active since at least 2020 and is called Earth Estries by Trend Micro researchers, has been infecting organizations’ internal servers in order to compromise administrative accounts. The threat group then uses a blend of Cobalt Strike deployments, Server Message Block (SMB) and the WMI command line to move laterally across the network and propagate backdoors and tools to other machines, exfiltrating data, logging keystrokes and carrying out other espionage activities along the way.
“The threat actors also use multiple backdoors and hacking tools to enhance intrusion vectors,” said Trend Micro researchers Ted Lee, Lenart Bermejo, Hara Hiroaki, Leon Chang and Gilbert Sison in a Wednesday analysis. “To leave as little footprint as possible, they use PowerShell downgrade attacks to avoid detection from Windows Antimalware Scan Interface’s (AMSI) logging mechanism.”
The threat actors take extra efforts to avoid detection, including abusing various legitimate services, such as GitHub, Gmail, AnonFiles and File.io, for exchanging commands and transferring stolen data. After each round of attacks, they also consistently redeploy a new piece of malware.
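The PowerShell downgrade described above works because the version 2 engine predates AMSI, so a script run under it is never handed to AMSI for inspection. Defenders can look for two things: a `powershell.exe` command line that asks for the v2 engine, and a Windows PowerShell "Engine state changed" event (ID 400) in which a modern host starts a 2.0 engine. The following is an added example written for this article, not code from Trend Micro or from the report; the log lines are constructed, and the field layout (`Name=value` pairs, Sysmon event 1 for process creation, event 400 for engine start) is this example's own simplification of those log sources.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample records (not from the report): two process-creation lines with
# command lines, two PowerShell "Engine state changed" (event 400) lines, and one
# process-creation line where powershell is launched via cmd.exe.
SAMPLE_LOGS = [
    r'EventID=1 Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe CommandLine="powershell.exe -nop -w hidden -v 2 -enc QQBCAEMA"',
    r'EventID=1 Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe CommandLine="powershell.exe -NoProfile -Command Get-Process"',
    r'EventID=400 EngineVersion=2.0 HostVersion=5.1.19041.1 HostName=ConsoleHost',
    r'EventID=400 EngineVersion=5.1.19041.1 HostVersion=5.1.19041.1 HostName=ConsoleHost',
    r'EventID=1 Image=C:\Windows\System32\cmd.exe CommandLine="cmd.exe /c powershell -Version 2.0 -File C:\Users\Public\a.ps1"',
]

# powershell.exe accepts any unambiguous prefix of -Version, so "-v 2", "-ver 2" and
# "-Version 2.0" all request the v2 engine. Matching every prefix avoids the trivial
# bypass of abbreviating the switch.
VERSION_2_FLAG = re.compile(
    r'(?i)(?:^|\s)-v(?:ersion|ersio|ersi|ers|er|e)?\s+2(?:\.0)?(?=\s|"|$)'
)

# Splits a record into its Name=value fields; quoted values may contain spaces.
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class Finding:
    rule: str
    line: str


def detect_powershell_downgrade(lines: List[str]) -> List[Finding]:
    """Return one Finding per record that indicates a PowerShell v2 downgrade."""
    findings: List[Finding] = []
    for line in lines:
        fields = dict(FIELD.findall(line))
        event_id = fields.get('EventID')
        if event_id in ('1', '4688'):
            # Process creation: look at the command line only, so a benign parent
            # such as cmd.exe wrapping the downgrade is still caught.
            cmd = fields.get('CommandLine', '').strip('"')
            if 'powershell' in cmd.lower() and VERSION_2_FLAG.search(cmd):
                findings.append(Finding('powershell_v2_requested_on_cmdline', line))
        elif event_id == '400':
            # Engine start: a 2.x engine hosted by anything newer than 2.x means the
            # legacy engine was deliberately selected on a modern system.
            engine = fields.get('EngineVersion', '')
            host = fields.get('HostVersion', '')
            if engine.startswith('2.') and not host.startswith('2.'):
                findings.append(Finding('powershell_v2_engine_started_by_newer_host', line))
    return findings


if __name__ == '__main__':
    for f in detect_powershell_downgrade(SAMPLE_LOGS):
        print(f'{f.rule}: {f.line}')
```

The event 400 check is the more robust of the two, since it fires regardless of how the engine was requested, while the command-line check gives an earlier signal with the full invocation for triage. Removing the v2 engine feature (Windows PowerShell 2.0 is an optional feature that can be disabled) closes the gap outright.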
The threat actor has also been using an array of new tools in its attacks, including Zingdoor, a backdoor written in Go and heavily obfuscated through a custom obfuscator engine. The backdoor is disguised as mpclient.dll and has the capabilities to get system information and Windows service information, upload and enumerate files and run arbitrary commands. Another backdoor used by the threat group, HemiGate, has the primary function of launching a keylogger that tracks the keystrokes of victims, in addition to directory monitoring, taking screenshots of the active desktop window, monitoring processes and various other espionage-related activities. Researchers also observed an information stealer called TrillClient, which steals credentials and cookies from browsers like Google Chrome and is also heavily obfuscated.
The threat group relies heavily on DLL sideloading for Zingdoor and HemiGate, in an effort to avoid detection by security products. Researchers said the DLL sideloading attacks are typically launched against older versions of legitimate files.
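DLL sideloading of the kind described here leaves a consistent trace in image-load telemetry: a legitimate, signed executable (often an older build copied out of its install directory) running from a user-writable path and loading a DLL of a well-known name from right beside itself. The following is an added example written for this article, not code from Trend Micro or from the report. The records are constructed dictionaries modelled loosely on Sysmon event 7 (image loaded) fields; the expected home directories for mpclient.dll (the name used by Zingdoor) and the list of trusted roots are this example's assumptions and would be tuned per environment.

```python
import ntpath  # handles Windows paths correctly on any platform
from typing import Dict, List, Tuple

# Assumption: where a genuine copy of each impersonated DLL normally lives. mpclient.dll
# is named in the report; the directories are this example's own expectation list.
EXPECTED_DLL_DIRS = {
    'mpclient.dll': (
        'c:\\program files\\windows defender',
        'c:\\programdata\\microsoft\\windows defender\\platform',
    ),
}

# Assumption: directories in which a legitimate host executable is expected to run.
TRUSTED_ROOTS = ('c:\\windows\\', 'c:\\program files\\', 'c:\\program files (x86)\\')

# Constructed image-load records (not from the report). 'Signed' is a boolean here
# for simplicity; real telemetry carries it as a string plus a SignatureStatus.
SAMPLE_EVENTS: List[Dict] = [
    {'Image': r'C:\Users\Public\Music\MsMpEng.exe',
     'ImageLoaded': r'C:\Users\Public\Music\mpclient.dll', 'Signed': False},
    {'Image': r'C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2301.6-0\MsMpEng.exe',
     'ImageLoaded': r'C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2301.6-0\mpclient.dll',
     'Signed': True},
    {'Image': r'C:\Windows\System32\svchost.exe',
     'ImageLoaded': r'C:\Windows\System32\sechost.dll', 'Signed': True},
    {'Image': r'C:\Users\alice\AppData\Local\Temp\update.exe',
     'ImageLoaded': r'C:\Users\alice\AppData\Local\Temp\libcurl.dll', 'Signed': False},
]


def check_image_load(event: Dict) -> List[str]:
    """Return the sideloading indicators present in one image-load record (empty if none)."""
    image = event['Image'].lower()
    loaded = event['ImageLoaded'].lower()
    image_dir = ntpath.dirname(image)
    loaded_dir = ntpath.dirname(loaded)
    dll_name = ntpath.basename(loaded)
    reasons: List[str] = []

    # Rule 1: a DLL with a well-known name loaded from somewhere it never ships.
    expected = EXPECTED_DLL_DIRS.get(dll_name)
    if expected and not any(loaded_dir.startswith(d) for d in expected):
        reasons.append(f'{dll_name} loaded from unexpected directory {loaded_dir}')

    # Rule 2: an executable outside the trusted roots loading an unsigned DLL from
    # its own directory, the classic search-order sideload pattern.
    if (not image.startswith(TRUSTED_ROOTS)
            and image_dir == loaded_dir
            and not event.get('Signed', False)):
        reasons.append('unsigned DLL loaded from the executable\'s own directory outside trusted roots')
    return reasons


def scan_image_loads(events: List[Dict]) -> List[Tuple[str, List[str]]]:
    """Return (process image, reasons) for every record that triggers at least one rule."""
    results = []
    for event in events:
        reasons = check_image_load(event)
        if reasons:
            results.append((event['Image'], reasons))
    return results


if __name__ == '__main__':
    for image, reasons in scan_image_loads(SAMPLE_EVENTS):
        print(image)
        for r in reasons:
            print('  -', r)
```

Rule 2 on its own is a triage signal rather than a verdict, since some installers and portable tools legitimately carry unsigned DLLs beside their executable; the two rules firing together on a Microsoft-signed binary running out of a user directory is the combination worth escalating. Matching the host executable's version against the currently installed build would catch the "older legitimate file" pattern the researchers describe, but that needs a version inventory the example does not assume.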
“Aside from the backdoors previously mentioned, this intrusion set also utilizes commonly used remote control tools like Cobalt Strike, PlugX, or Meterpreter stagers interchangeably in various attack stages,” said researchers. “These tools come as encrypted payloads loaded by custom loader DLLs. A notable feature of the loaders used is that the decryption key is in the encrypted payload. We observed that this intrusion set utilizes the same loader file while loading a different payload in the same target environment.”
Researchers noted code and TTP similarities between Earth Estries and the FamousSparrow APT, an espionage group that was previously found exploiting the Microsoft Exchange ProxyLogon flaws in order to compromise hotels, governments, engineering companies and law firms.
“Other pieces of evidence, such as tracked IP addresses and common technical formatting themes observed in their operation, indicate strong ties that can be investigated and analyzed further,” said researchers.