Threat actor Earth Estries has employed two distinct attack sequences to infiltrate high-value systems. The first exploits vulnerabilities in widely used software, such as Microsoft Exchange servers and network adapter management tools.
In their first attack chain, Earth Estries focused on exploiting QConvergeConsole GUI, a QLogic Fibre Channel Adapters management tool. By targeting this software’s vulnerabilities, Earth Estries achieved initial access, leveraging PsExec and WMI Command-Line Interface (WMIC) for lateral movement.
Cobalt Strike, Trillclient, Hemigate, and a newer backdoor called Crowdoor were deployed via CAB file packages to maintain persistence within the target environment.
Key elements of this campaign included credentials theft through Trilliclient, which enabled Earth Estries to extract sensitive information from browser caches, thereby strengthening their controls over infected systems. Additionally, the group intimately understood their target’s network, using wget commands to download documents directly from internal web-based repositories.
The second attack sequence demonstrated a different tactic, exploiting vulnerable Microsoft Exchange servers to install a web shell known as ChinaCopper. This foothold allowed Earth Estries to deploy Cobalt Strike and other tools for lateral movement, persistence, and data exfiltration.
Key backdoors in this chain included Zingdoor and SnappyBee (Deed RAT), both delivered via a command-and-control (C&C) server or downloaded through curl commands from attacker-controlled sites.
Unlike the first chain, which relied on network adapter tools, this approach centred on exploiting the Exchange server and frequently updating or replacing backdoor installations to avoid detection. Tools like PortScan helped the group map networks, while additional backdoors facilitated further penetration and document collection through RAR archiving and secure exfiltration.
Both attack chains show Earch Estries’ emphasis on persistence. The group has managed to stay undetected within compromised networks by updating tools frequently and cleaning up previous installations. This prolonged access is further supported by various custom backdoors, including the recently identified Crowdoor, which interacts with Cobalt Strike to execute tasks and evade detection.
Here are the techniques used by Earth Estries:
- Credential harvesting: Earth Estries employs Trillclient to capture credentials from browser caches. This technique facilitates further infiltration and is instrumental in extending their access across networks.
- Command-and-control channels: The threat actor uses local and remote servers as proxies, disguising C&C traffic to evade network monitoring.
- Network discovery: PortScan and other custom scripts are deployed to survey and map out target networks. This surveillance is essential for finding new entry points and ensuring their movements remain concealed within the network.
- Exfiltration and Persistence: Earth Estries archives stolen data in decrypted RAR files, using passwords to protect the files. The collected data is then exfiltrated via anonymised file-sharing platforms, adding an extra layer of security to the stolen data’s transit.
Researchers identified several backdoors used in the campaigns, each with unique capabilities and purposes:
- Crowdoor: A new variant employed in the first infection chain, Crowdoor enhances Earth Estries’s ability to reinstall and update Cobalt Strike on comprised machines.
- ChinaCopper: This web shell, used in the second chain, allows remote control over the infected Microsoft Exchange server, which serves as a base for further infiltration.
- Zingdoor and SnappyBee: These HTTP backdoors facilitate lateral movement and remain resilient through DLL sideloading, a technique used to embed malware in legitimate processes.
Additional backdoors discovered during the investigation, such as FuxosDoor and Cryptmerlin, provide further evidence of Earth Estries’ multifaceted approach to network infiltration. FuxosDoor, for instance, operates as an IIS backdoor, allowing attackers to communicate stealthily with C&C servers, while Cryptmerlin leverages DLL sideloading for prolonged control over compromised machines.
Researchers urge organisations to patch vulnerabilities in external-facing services, especially those in widely used applications like email servers and management consoles.
QConvergeConsole GUIÂ has reached end of service support and was removed from Marvell’s websites. All of their other tools remain secure.
In the News: Swiggy and Zomato under CCI scrutiny for anti-competitive practices