Earth Estries hackers exploit GhostSpider malware to backdoor telecoms globally,...
Earth Estries, a Chinese advanced persistent threat (APT) group, has aggressively targeted critical sectors worldwide. These include telecommunications and government entities across the United States, Asia-Pacific, the Middle East, and South Africa. Utilizing sophisticated techniques and backdoors such as GHOSTSPIDER, SNAPPYBEE, and MASOL RAT, Earth Estries has carried out prolonged cyber espionage operations, compromising more than 20 organizations.
Key new developments uncovered by Trend Micro include the identification of the new GHOSTSPIDER backdoor, the use of MASOL RAT on Linux devices, and the discovery of complex C&C infrastructure managed by multiple teams. These findings provide valuable insights into Earth Estries' evolving tactics and motivations.
The group exploits server vulnerabilities to gain initial access and uses living-off-the-land binaries (LOLBINs) for lateral movement within networks. The attacks affect sectors like telecommunications, technology, government agencies, and NGOs across regions including Southeast Asia, Africa, and the Americas.
Their complex command-and-control (C&C) infrastructure and overlapping tactics, techniques, and procedures (TTPs) with other known APT groups indicate the possible use of malware-as-a-service (MaaS) tools.
## Introduction to Earth Estries
Since 2023, Earth Estries (also tracked as Salt Typhoon, FamousSparrow, GhostEmperor, and UNC2286) has emerged as one of the most aggressive Chinese APT groups. Its operations primarily target critical industries such as telecommunications and government sectors across the US, Asia-Pacific, the Middle East, and South Africa.
## New Backdoors: GHOSTSPIDER and MASOL RAT
Trend Micro, which has been monitoring Earth Estries' attacks against critical infrastructure and government organizations worldwide, observed the group using a new backdoor called **GHOSTSPIDER** in attacks against telecommunication service providers.
Alongside **GHOSTSPIDER**, Trend Micro identified a modular backdoor called **SNAPPYBEE** (aka Deed RAT), which is shared among Chinese APT groups.
Another significant discovery is the cross-platform **MASOL RAT**, first seen during Southeast Asian government incidents in 2020. Recent attacks show that Earth Estries has started deploying MASOL RAT on Linux devices, extending its reach into government networks whose critical infrastructure runs predominantly on Linux. This gives the group persistence on a platform it had not previously targeted and broadens the range of environments in which it can maintain a foothold.
## Motivation Behind Attacks
Earth Estries appears to target governments, internet service providers, and consulting firms to gather intelligence more efficiently, which in turn lets it infiltrate its primary targets more effectively.
Recently, U.S. authorities confirmed that Salt Typhoon was behind several breaches of U.S. telecommunication service providers, including Verizon, AT&T, Lumen Technologies, and T-Mobile. In some cases the intruders tapped the private communications of U.S. government officials and stole information related to court-authorized wiretapping requests.
The group targets both the core services of telecommunications firms (such as database and cloud servers) and the networks of their vendors. One recurring tactic is the deployment of the **DEMODEX rootkit** on vendor machines, which is then used to gain deeper access into the target's network.
## Victimology and Attack Spread
Earth Estries has successfully compromised more than 20 organizations in industries such as telecommunications, technology, consulting, chemicals, and transportation, as well as government agencies and NGOs. The victims are spread across multiple countries, including Afghanistan, Brazil, Eswatini, India, Indonesia, Malaysia, Pakistan, the Philippines, South Africa, Taiwan, Thailand, the US, and Vietnam.
These countries and industries are being targeted due to their strategic importance in regional stability, economic influence, and technological development. By compromising government and telecommunications sectors, Earth Estries can gather valuable intelligence, disrupt communication channels, and maintain persistent surveillance over critical infrastructure. Additionally, targeting consulting firms and NGOs that work closely with government entities allows them to indirectly access sensitive data and enhance their understanding of political dynamics.
## Initial Access and Exploitation Techniques
Earth Estries aggressively targets public-facing servers by exploiting well-known vulnerabilities. Vulnerabilities exploited by the group include:
- **Ivanti Connect Secure VPN (CVE-2023-46805, CVE-2024-21887):** an authentication bypass chained with a command injection, giving unauthenticated arbitrary command execution.
- **Fortinet FortiClient EMS (CVE-2023-48788):** SQL injection.
- **Sophos Firewall (CVE-2022-3236):** code injection in the User Portal and Webadmin interfaces allowing remote code execution.
- **Microsoft Exchange (ProxyLogon, CVE-2021-26855 and the related CVE-2021-27065):** server-side request forgery chained with an arbitrary file write, giving remote code execution.
After gaining access, the attackers use living-off-the-land binaries and legitimate administration tools such as **WMIC.exe** and **PsExec.exe** for lateral movement. Malware such as **SNAPPYBEE**, **DEMODEX**, and **GHOSTSPIDER** is then deployed for long-term espionage.
## Campaign Details and Infrastructure Analysis
### Campaign Alpha and Beta
Earth Estries appears to be a well-organized group with a clear division of labor, launching attacks across various regions and industries. Two key campaigns highlighted in Trend Micro's report are **Campaign Alpha** and **Campaign Beta**.
**Campaign Alpha** involved attacks on the Taiwanese government and chemical companies, primarily aiming to steal sensitive information related to government operations and industrial processes. The attackers downloaded malicious tools from their C&C server and deployed rootkits such as DEMODEX to maintain persistence and gather intelligence.
**Campaign Beta** was a long-term espionage campaign targeting telecommunications companies and government entities across Southeast Asia. The goal was to disrupt communication channels and maintain long-term surveillance over critical infrastructure. This campaign utilized backdoors like **GHOSTSPIDER** and the **DEMODEX** rootkit for extended monitoring. These campaigns suggest that Earth Estries uses distinct infrastructure teams for different attacks, highlighting the complexity of their operations.
### GHOSTSPIDER Analysis
**GHOSTSPIDER** is a multi-modular backdoor designed for long-term espionage operations that demand a high level of stealth, which it achieves through encryption and by residing solely in memory. It is loaded on the target system via DLL hijacking and registered as a service through the legitimate **regsvr32.exe** tool, while a secondary module, the beacon loader, loads encrypted payloads directly into memory.
GHOSTSPIDER communicates with its C&C server over a custom protocol protected by **Transport Layer Security (TLS)**, which makes the traffic difficult to intercept and analyze. Commands from the C&C server are concealed within HTTP headers or cookies so that the exchange blends in with legitimate web traffic.
The backdoor supports various commands, such as uploading malicious modules into memory, creating necessary resources, executing primary functions, and maintaining periodic communication with the C&C server. This modular design gives GHOSTSPIDER significant versatility and adaptability, allowing Salt Typhoon to adjust their attack as needed depending on the victim's network and defenses.
## Command-and-Control (C&C) Infrastructure
The C&C infrastructure managed by Earth Estries involves multiple teams, each responsible for different backdoors. For example, **SNAPPYBEE** C&C domains have WHOIS information that overlaps with other known operations, suggesting shared tools or collaboration between different APT groups. This approach helps the group maintain a decentralized and flexible attack framework, making it harder for defenders to identify and counter their operations.
## Attribution and Overlapping TTPs
Some TTPs used by Earth Estries overlap with those employed by **FamousSparrow** and **GhostEmperor**.
The use of shared tools such as **ShadowPad** and **MASOL RAT** suggests that Earth Estries may source tooling from malware-as-a-service providers, and points to collaboration or shared resources between Chinese APT groups.
## Post-Exploitation Activities
During post-exploitation, Earth Estries uses LOLBINs and custom malware to move further into the environment and maintain persistence. This includes running PowerShell commands to deploy rootkits such as **DEMODEX**, spreading through the targeted environment, and frequently using **SoftEther VPN** to mask C&C activity.
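The host-side behaviours this article attributes to Earth Estries (WMIC and PsExec for lateral movement, regsvr32 loading a DLL from outside the Windows directory, PowerShell launching the next stage, and SoftEther VPN binaries appearing on a compromised host) can be turned into simple hunting rules over process-creation telemetry. The Python below is an added example, not code from Trend Micro or from this article. The pipe-delimited event format, the sample events, the SoftEther and PsExec binary names, and the encoded-PowerShell heuristic are assumptions of the example, not indicators published on this page.

```python
"""
Hunting heuristics over process-creation events for the tradecraft described
in the article. Added example; the event format and all sample events are
constructed, not real telemetry.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# regsvr32 loading a DLL from anywhere but these directories is worth a look.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Assumed SoftEther and PsExec binary names; tune to your own estate.
SOFTETHER_BINARIES = {"vpnserver.exe", "vpnbridge.exe", "vpnclient.exe", "vpncmd.exe"}
PSEXEC_BINARIES = {"psexec.exe", "psexec64.exe", "psexesvc.exe"}


@dataclass
class ProcEvent:
    host: str
    parent: str
    image: str
    cmdline: str


# Constructed sample events: host|parent image|image|command line.
SAMPLE_LOG = r"""
ws01|C:\Windows\System32\cmd.exe|C:\Windows\System32\wbem\WMIC.exe|wmic /node:db02 process call create "cmd.exe /c whoami"
ws01|C:\Windows\System32\cmd.exe|C:\Windows\System32\wbem\WMIC.exe|wmic os get caption
db02|C:\Windows\System32\services.exe|C:\Windows\PSEXESVC.exe|C:\Windows\PSEXESVC.exe
db02|C:\Windows\System32\cmd.exe|C:\Windows\System32\regsvr32.exe|regsvr32 /s C:\ProgramData\update\helper.dll
db02|C:\Windows\System32\cmd.exe|C:\Windows\System32\regsvr32.exe|regsvr32 /s C:\Windows\System32\msxml3.dll
db02|C:\Windows\explorer.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -nop -w hidden -enc aQBlAHgA
db02|C:\Windows\System32\cmd.exe|C:\ProgramData\vpn\vpnbridge.exe|vpnbridge.exe /start
"""


def parse_events(text: str) -> List[ProcEvent]:
    """Split pipe-delimited lines; maxsplit=3 keeps '|' inside command lines intact."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        host, parent, image, cmdline = line.split("|", 3)
        events.append(ProcEvent(host, parent, image, cmdline))
    return events


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def dll_arg(cmdline: str) -> Optional[str]:
    """Return the (lower-cased) .dll path passed on the command line, quoted or not."""
    m = re.search(r'"([^"]+\.dll)"|(\S+\.dll)', cmdline, re.IGNORECASE)
    if not m:
        return None
    return (m.group(1) or m.group(2)).lower()


def classify(ev: ProcEvent) -> List[str]:
    """Return the names of every rule the event matches (possibly none)."""
    rules = []
    img = basename(ev.image)
    cmd = ev.cmdline.lower()
    # WMIC against a remote node creating a process: classic lateral movement.
    if img == "wmic.exe" and "/node:" in cmd and all(k in cmd for k in ("process", "call", "create")):
        rules.append("wmic_remote_process_create")
    # PsExec client or the PSEXESVC service it drops on the target.
    if img in PSEXEC_BINARIES:
        rules.append("psexec_execution")
    # regsvr32 is legitimate; the DLL path is what separates noise from signal.
    if img == "regsvr32.exe":
        dll = dll_arg(ev.cmdline)
        if dll and not dll.startswith(SYSTEM_DIRS):
            rules.append("regsvr32_non_system_dll")
    # Heuristic: encoded PowerShell is a common way to stage the next payload.
    if img in ("powershell.exe", "pwsh.exe") and re.search(r"\s-(e|ec|enc|encodedcommand)\b", cmd):
        rules.append("powershell_encoded_command")
    if img in SOFTETHER_BINARIES:
        rules.append("softether_vpn_binary")
    return rules


def hunt(events: List[ProcEvent]) -> List[Tuple[str, str, str]]:
    """(host, rule, command line) for every rule hit, in event order."""
    return [(ev.host, rule, ev.cmdline) for ev in events for rule in classify(ev)]


def run_sample() -> List[Tuple[str, str, str]]:
    return hunt(parse_events(SAMPLE_LOG))


if __name__ == "__main__":
    for host, rule, cmdline in run_sample():
        print(f"{host:5} {rule:28} {cmdline}")
```

The regsvr32 rule keys on the DLL path rather than on regsvr32 itself, because registering a DLL under `C:\Windows\System32` is routine on any Windows host; the WMIC rule likewise ignores local queries and fires only on remote process creation. Treat the binary-name sets and the encoded-PowerShell check as starting hypotheses to tune against your own baseline, not as published indicators.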
## What's Next
Earth Estries, also known as Salt Typhoon, continues to be one of the most aggressive Chinese APT groups, leveraging sophisticated tactics to compromise critical infrastructure. Their attacks are characterized by stealth, the use of living-off-the-land tools, and the deployment of shared backdoors, making them challenging to detect and counter. U.S. authorities have recently notified numerous victims of breaches involving Salt Typhoon, emphasizing the need for vigilance.
Organizations must strengthen their cybersecurity, focusing on practices such as multi-layered security, regular patching, and enhanced network visibility. Employing tools like **Trend Micro Vision One™** can help organizations effectively monitor and mitigate these advanced threats.