
Earth Estries targets 20 critical industries in global cyber campaign


Earth Estries, a hacking group linked to the Chinese state, has targeted more than 20 essential organisations in high-profile attacks in Afghanistan, Brazil, Eswatini, India, Indonesia, Malaysia, Pakistan, the Philippines, South Africa, Taiwan, Thailand, the US and Vietnam. The victims span telecommunications, government entities, consulting firms, chemical companies, transportation and non-profit organisations.

One of Earth Estries’ most alarming capabilities is its use of advanced malware tools tailored for long-term infiltration and espionage:

  • Ghostspider backdoor: Researchers first documented this malware in attacks on Southeast Asian telecommunications firms. It is deployed in stages and talks to its command-and-control (C&C) servers over a custom protocol wrapped in Transport Layer Security (TLS) encryption. Its modules are loaded selectively for each target, which complicates forensic analysis.
  • Masol RAT: Researchers first identified this trojan in 2020. It has resurfaced in recent campaigns and is now also deployed on Linux hosts.
  • Snappybee backdoor (also tracked as Deed RAT): This backdoor is shared among several Chinese APT groups, a sign of tool-sharing between them. Snappybee was used in campaigns that exfiltrated sensitive data from NGOs and government agencies, including financial, military and business records.
[Image: map of targeted countries] Earth Estries’ victims span over 20 countries on four continents. | Source: Trend Micro

Researchers observed that Earth Estries gains initial access by exploiting publicly disclosed vulnerabilities in internet-facing appliances and servers, including Ivanti Connect Secure VPN (CVE-2023-46805, CVE-2024-21887), Fortinet FortiClient EMS (CVE-2023-48788), Sophos Firewall (CVE-2022-3236) and Microsoft Exchange ProxyLogon (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065). All of these have vendor patches available, so unpatched edge devices are the practical entry point.

Once inside, Earth Estries uses ‘living-off-the-land’ binaries (LOLBINs) such as WMIC.exe and PSEXEC.exe for lateral movement, so that early activity blends in with legitimate administration. The backdoors listed above are then deployed to gather intelligence and maintain persistence.
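Because WMIC and PsExec are legitimate administration tools, the detection opportunity is in how they are invoked: WMIC with a remote `/node:` target (and especially `process call create`), and PsExec launched toward a `\\host` or its `PSEXESVC.exe` service binary starting on the destination. The following is an added example, written for this article and not code from Trend Micro or any vendor; the event records are constructed to resemble Sysmon Event ID 1 / Security 4688 fields (host, user, parent, image, cmdline) and the hostnames and IPs are invented.

```python
"""Flag WMIC and PsExec remote-execution patterns in process-creation telemetry.

Added example: the rules below are illustrative, not a vendor's detection content.
Event dicts mimic Sysmon EID 1 / Security 4688 fields; all values are constructed.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample events (synthetic, not captured telemetry).
SAMPLE_EVENTS = [
    {"host": "ws01", "user": "CORP\\alice", "parent": "cmd.exe",
     "image": "C:\\Windows\\System32\\wbem\\wmic.exe",
     "cmdline": "wmic cpu get name"},                                   # local query: benign
    {"host": "ws01", "user": "CORP\\alice", "parent": "cmd.exe",
     "image": "C:\\Windows\\System32\\wbem\\wmic.exe",
     "cmdline": 'wmic /node:"10.0.0.15" /user:corp\\svc process call create "cmd.exe /c whoami"'},
    {"host": "ws02", "user": "CORP\\bob", "parent": "powershell.exe",
     "image": "C:\\Windows\\System32\\wbem\\wmic.exe",
     "cmdline": "wmic /node:srv-dc01 os get caption,version"},          # remote read-only
    {"host": "ws02", "user": "CORP\\bob", "parent": "cmd.exe",
     "image": "C:\\Tools\\PsExec64.exe",
     "cmdline": "PsExec64.exe \\\\srv-files01 -s -d cmd.exe /c whoami"},
    {"host": "srv-files01", "user": "NT AUTHORITY\\SYSTEM", "parent": "services.exe",
     "image": "C:\\Windows\\PSEXESVC.exe",
     "cmdline": "C:\\Windows\\PSEXESVC.exe"},                           # target side of PsExec
    {"host": "ws03", "user": "CORP\\carol", "parent": "cmd.exe",
     "image": "C:\\Windows\\System32\\wbem\\wmic.exe",
     "cmdline": "wmic /node:localhost process list brief"},             # local via /node: benign
]


@dataclass(frozen=True)
class Finding:
    host: str
    technique: str   # MITRE ATT&CK technique ID
    severity: str
    reason: str


# /node:<target> marks a remote WMI session; "process call create" spawns a process there.
WMIC_IMAGE = re.compile(r"(^|\\)wmic\.exe$", re.IGNORECASE)
WMIC_NODE = re.compile(r'/node:\s*"?([^"\s]+)"?', re.IGNORECASE)
WMIC_SPAWN = re.compile(r"\bprocess\s+call\s+create\b", re.IGNORECASE)
# PsExec: psexec.exe / psexec64.exe on the source, PSEXESVC.exe on the destination.
PSEXEC_IMAGE = re.compile(r"(^|\\)psexec(64)?\.exe$", re.IGNORECASE)
PSEXESVC_IMAGE = re.compile(r"(^|\\)psexesvc\.exe$", re.IGNORECASE)
PSEXEC_TARGET = re.compile(r"\\\\([^\s\\]+)")   # first \\host on the command line

LOCAL_NODES = {"localhost", "127.0.0.1", "."}


def inspect_event(ev: dict) -> Optional[Finding]:
    """Return a Finding for remote WMIC/PsExec use, or None for routine local activity."""
    image, cmd = ev["image"], ev["cmdline"]
    if WMIC_IMAGE.search(image):
        m = WMIC_NODE.search(cmd)
        if not m or m.group(1).lower() in LOCAL_NODES:
            return None   # local WMI queries are everyday admin noise
        target = m.group(1)
        if WMIC_SPAWN.search(cmd):
            return Finding(ev["host"], "T1047", "high", f"wmic remote process creation on {target}")
        return Finding(ev["host"], "T1047", "medium", f"wmic remote query against {target}")
    if PSEXEC_IMAGE.search(image):
        m = PSEXEC_TARGET.search(cmd)
        target = m.group(1) if m else "unknown"
        return Finding(ev["host"], "T1569.002", "high", f"psexec launched toward {target}")
    if PSEXESVC_IMAGE.search(image):
        return Finding(ev["host"], "T1569.002", "high", "PSEXESVC service binary started (psexec target side)")
    return None


def scan(events) -> list:
    """Run inspect_event over a batch and keep only the hits."""
    return [f for f in (inspect_event(e) for e in events) if f is not None]


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.severity:6} {f.technique:10} {f.host:12} {f.reason}")
```

The source-side and target-side PsExec rules deliberately fire separately: correlating a `psexec` launch on one host with `PSEXESVC.exe` starting on the named target within a short window is what turns two medium-confidence events into a confirmed lateral-movement hop, and tuning should start by allow-listing the jump hosts where administrators genuinely run these tools.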

“Our analysis suggests that Earth Estries is a well-organised group with a clear division of labour. Based on observations from multiple campaigns, we speculate that attacks targeting different regions and industries are launched by different actors. Additionally, the C&C infrastructure used by various backdoors seems to be managed by different infrastructure teams, further highlighting the complexity of the group’s operations,” researchers explained.

[Image: attack chain diagram] The attack chain that was employed in the Taiwan campaign. | Source: Trend Micro

The group also uses anti-analysis techniques such as control-flow flattening, which rewrites a function’s branches and loops into a single dispatcher loop driven by a state variable, to slow down reverse engineering.
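To show what flattening does to a decompiler’s view, here is an added example (not Ghostspider’s code, and not from the Trend Micro report) of a small, invented byte-decoding routine in its natural form and in a hand-flattened form. The logic is identical; only the structure differs. The state numbers are arbitrary constants, which is exactly why an analyst cannot read the block order off the control-flow graph.

```python
"""Control-flow flattening, illustrated on a toy routine (added example, invented logic)."""


def decode_original(data: bytes, key: int) -> bytes:
    """Readable form: XOR with a rolling key, rotate odd bytes right by one."""
    out = bytearray()
    for b in data:
        x = b ^ key
        if x & 1:
            x = (x >> 1) | 0x80
        out.append(x & 0xFF)
        key = (key + 1) & 0xFF
    return bytes(out)


def decode_flattened(data: bytes, key: int) -> bytes:
    """Same routine after flattening: every basic block is a case in one dispatcher.

    The loop, the if/else and the exit all collapse into assignments to `state`,
    so the graph a decompiler shows is one switch inside one loop, with the real
    ordering hidden in the (arbitrary) state constants.
    """
    state = 0x3A            # entry block
    i, x = 0, 0
    out = bytearray()
    while True:
        if state == 0x3A:   # loop header: more input?
            state = 0x11 if i < len(data) else 0x7F
        elif state == 0x11: # x = b ^ key; branch on low bit
            x = data[i] ^ key
            state = 0x22 if x & 1 else 0x5C
        elif state == 0x22: # rotate-right-by-one for odd values
            x = (x >> 1) | 0x80
            state = 0x5C
        elif state == 0x5C: # emit byte, advance key and index, back to header
            out.append(x & 0xFF)
            key = (key + 1) & 0xFF
            i += 1
            state = 0x3A
        elif state == 0x7F: # exit block
            return bytes(out)
        else:               # unreachable; real obfuscators add junk states here
            raise RuntimeError("bad state")


def same_behaviour(data: bytes, key: int) -> bool:
    """True when both forms agree on the given input (used to check the transform)."""
    return decode_original(data, key) == decode_flattened(data, key)


if __name__ == "__main__":
    sample = b"Earth Estries"   # constructed input
    print(decode_flattened(sample, 0x5A).hex(), same_behaviour(sample, 0x5A))
```

In real samples the dispatcher is usually combined with opaque predicates and dummy states, so the practical countermeasure is dynamic tracing or a deflattening pass (rebuilding the graph from observed state transitions) rather than static reading.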

Researchers have observed a particularly troubling trend in Earth Estries’ targeting of vendor networks, such as contractors for major telecommunications companies. By implanting malware such as Demodex on vendor machines, the group gains indirect access to high-value targets through their trusted suppliers.

The group’s operations are heavily intelligence-driven, focusing on accessing sensitive government and military data. The group appears to prioritise targets based on their strategic value, including NGOs, consulting firms, and service providers for governments and telecommunications companies. The group targeted Taiwan and the United States in 2023 and 2024, respectively.

A few weeks ago, reports emerged that Earth Estries employed two distinct attack sequences to infiltrate high-value targets by exploiting vulnerabilities in Microsoft Exchange Server and other network adapter management tools.


Kumar Hemant

Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: kumarhemant@pm.me
