Earth Estries [1] [2] [3] [4] [5], a cybercriminal group active since at least 2020, has been identified as the perpetrator of a new cyberespionage campaign [2]. This group targets governments and organizations in the technology sector worldwide [1] [2], demonstrating their expertise and resourcefulness.

Description

Earth Estries has been observed stealing information from entities in various countries, including the US [4], Philippines [4], Germany [4], Taiwan [4], Malaysia [4], and South Africa [4]. They share tactics with another cyber espionage outfit called FamousSparrow [3] [4], suggesting a connection between the two groups. Earth Estries deploys custom malware using DLL sideloading, including two backdoors [3] [4], an infostealer [3] [4], and tools like Cobalt Strike [3] [4]. Additionally, they utilize three unique malware tools: Zingdoor, TrillClient [3] [5], and HemiGate [3]. Zingdoor is a new HTTP backdoor written in Go and packed using UPX [5]; it is disguised as mpclient.dll and executed via DLL sideloading [5]. TrillClient is an information stealer packed in a CAB file, designed to steal browser data and to connect to a GitHub repository to retrieve commands. HemiGate is a backdoor executed via DLL sideloading that communicates with a C&C server over port 443 and features keylogging capabilities.
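Two of the details above are directly huntable on an endpoint: a file named mpclient.dll sitting outside the directories where Windows Defender's own copy lives, and a PE whose section table still carries UPX's default section names. The following is an added example (not code from any of the cited reports) that parses the PE section table with the standard library and applies both heuristics; the expected Defender directories and the constructed test PE are assumptions for illustration.

```python
import struct
from pathlib import PureWindowsPath

# Where the genuine Windows Defender mpclient.dll is expected (assumption; adjust per environment).
EXPECTED_MPCLIENT_DIRS = (
    r"c:\program files\windows defender",
    r"c:\programdata\microsoft\windows defender\platform",
)

def pe_section_names(data: bytes) -> list[str]:
    """Return the section names of a PE image, or [] if the data is not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if pe_off + 24 > len(data) or data[pe_off:pe_off + 4] != b"PE\0\0":
        return []
    num_sections = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    table = pe_off + 24 + opt_size  # section table follows the optional header
    names = []
    for i in range(num_sections):
        entry = table + 40 * i      # each IMAGE_SECTION_HEADER is 40 bytes
        if entry + 40 > len(data):
            break
        names.append(data[entry:entry + 8].rstrip(b"\0").decode("ascii", "replace"))
    return names

def looks_upx_packed(data: bytes) -> bool:
    """UPX keeps its default section names (UPX0, UPX1, ...) unless deliberately renamed."""
    return any(n.upper().startswith("UPX") for n in pe_section_names(data))

def sideload_findings(path: str, data: bytes) -> list[str]:
    """Hunt heuristics for a Zingdoor-style sideloaded mpclient.dll."""
    p = PureWindowsPath(path)
    findings = []
    if p.name.lower() == "mpclient.dll":
        parent = str(p.parent).lower()
        if not any(parent.startswith(d) for d in EXPECTED_MPCLIENT_DIRS):
            findings.append("mpclient.dll outside expected Defender directories")
        if looks_upx_packed(data):
            findings.append("UPX-packed (Microsoft does not ship UPX-packed binaries)")
    return findings

def build_test_pe(section_names: list[str]) -> bytes:
    """Constructed minimal PE header with the given section names (test data only)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header right after the DOS header
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, len(section_names), 0, 0, 0, 0, 0)
    sections = b"".join(n.encode().ljust(8, b"\0") + bytes(32) for n in section_names)
    return bytes(dos) + coff + sections
```

Feed `sideload_findings` the path and bytes of each DLL from a file-system sweep or an image-load telemetry feed; a non-empty result is a triage candidate, not a verdict, since a renamed packer or a legitimate relocated copy can defeat either heuristic on its own.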

Earth Estries employs compromised accounts with administrative privileges to infect internal servers and takes deliberate measures to minimize exposure and detection [3]. Their command and control infrastructure spans five continents, with a concentration in the US and India [3]. The exact origin of Earth Estries remains unclear [3], but ongoing investigations aim to uncover more about their activities.

Conclusion

Earth Estries poses a significant threat to targeted entities [1], engaging in cyberespionage and illicit activities [4]. It is crucial for governments and organizations in the technology sector to enhance their cybersecurity measures to mitigate the risks posed by this group. Continued research and investigation are necessary to understand the full extent of Earth Estries’ operations and develop effective countermeasures to protect against their activities in the future.

References

[1] https://www.trendmicro.com/en_us/research/23/h/earth-estries-targets-government-tech-for-cyberespionage.html
[2] https://vulners.com/trendmicroblog/TRENDMICROBLOG:84A79A5837036BCBE23D795D5F37ECC4
[3] https://www.threatshub.org/blog/apt-attacks-from-earth-estries-hit-govt-tech-with-custom-malware/
[4] https://www.darkreading.com/attacks-breaches/-apt-attacks-from-earth-estries-hit-govt-tech-with-custom-malware
[5] https://www.threatshub.org/blog/earth-estries-targets-government-tech-for-cyberespionage/