Full Report
The China-linked threat actor known as Earth Estries has been observed using a previously undocumented backdoor called GHOSTSPIDER as part of its attacks targeting Southeast Asian telecommunications companies. Trend Micro, which described the hacking group as an aggressive advanced persistent threat (APT), said the intrusions also involved the use of another cross-platform backdoor dubbed
Analysis Summary
# Earth Estries Threat Campaign Targeting Telecommunications and Government Sectors
## Key Points
- The China-linked threat actor "Earth Estries" is using a previously undocumented backdoor named **GHOSTSPIDER** in its targeted attacks.
- Intrusions also involved the deployment of another cross-platform backdoor known as **MASOL RAT (aka Backdr-NQ)**, specifically observed on Linux systems belonging to Southeast Asian government networks.
- Earth Estries is characterized as an aggressive Advanced Persistent Threat (APT) group, active since at least 2020.
- The group employs a wide range of malware, including the **Demodex rootkit**, **Deed RAT (aka SNAPPYBEE)**, and information stealers like Crowdoor, SparrowDoor, HemiGate, TrillClient, and Zingdoor.
- GHOSTSPIDER is described as a sophisticated, multi-modular implant that communicates via a custom protocol protected by Transport Layer Security (TLS) and fetches additional modules dynamically.
- The group’s operations show a clear division of labor among actors and infrastructure teams, highlighting organizational complexity.
## Threat Actors
- **Attribution:** China-linked threat actor known as **Earth Estries**.
- **Aliases/Overlap:** FamousSparrow, GhostEmperor, Salt Typhoon, and UNC2286.
- **Motivation:** Cyber espionage activities, likely involving long-term monitoring and data collection.
## TTPs
- **Initial Access:** Exploitation of N-day security flaws in perimeter devices:
  - Ivanti Connect Secure (CVE-2023-46805, CVE-2024-21887)
  - Fortinet FortiClient EMS (CVE-2023-48788)
  - Sophos Firewall (CVE-2022-3236)
  - Microsoft Exchange Server (ProxyLogon: CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065)
- **Execution/Persistence:** Deployment of custom backdoors (GHOSTSPIDER, MASOL RAT) and rootkits (Demodex).
- **Command and Control (C2):** GHOSTSPIDER uses a custom, TLS-protected protocol for C2 communication.
- **Evasion:** Attacks are stealthy, starting from edge devices and extending into cloud environments, utilizing techniques to conceal espionage activities.
## Affected Systems
- **Primary Targets:** Telecommunications companies.
- **Secondary Targets:** Government entities, technology, consulting, chemical, and transportation industries, and NGOs.
- **Geographic Scope:** Impacts identified across more than a dozen countries, including Afghanistan, India, Malaysia, Taiwan, Thailand, and Vietnam (Southeast Asian focus noted for GHOSTSPIDER).
- **Platforms:** Linux systems specifically noted for MASOL RAT deployment.
## Mitigations
- **Patching:** Immediately address known vulnerabilities that Earth Estries is actively exploiting (Ivanti, Fortinet, Sophos, Microsoft Exchange N-day flaws).
- **Detection:** Implement enhanced monitoring for anomalous outbound traffic, especially related to custom, TLS-wrapped protocols indicative of GHOSTSPIDER.
- **Network Segmentation:** Employ segmentation to prevent initial edge compromises from spreading to deeper cloud or internal environments.
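A concrete form of the outbound-traffic monitoring the Detection point above calls for, written here as an added example (it is not code from Trend Micro's report or from the article). The summary notes that GHOSTSPIDER talks over a custom protocol wrapped in TLS, so two generic heuristics are useful regardless of the implant's specifics: TLS observed on a port other than the expected ones, and near-constant connection intervals (beaconing) to one external host:port. The log lines are constructed Zeek-style `conn.log` records, the RFC 1918 ranges used as "internal" and 443 as the only expected TLS port are assumptions, and none of the addresses or timings come from real Earth Estries traffic.

```python
"""Flag anomalous outbound TLS from Zeek-style conn.log records (added example).

Heuristic 1: TLS ("ssl" service) to an external address on a non-standard port.
Heuristic 2: regular beaconing, i.e. several connections to one external
host:port whose inter-arrival times have a very low coefficient of variation.
"""
import ipaddress
import statistics
from collections import defaultdict

# Assumption: organisation-defined internal ranges (RFC 1918); anything else is "external".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# CONSTRUCTED sample records, tab-separated:
# ts, id.orig_h, id.resp_h, id.resp_p, proto, service, duration, orig_bytes
# 10.0.5.21 beacons roughly every 60 s over TLS on 8443, also browses normally on 443;
# 10.0.5.22 talks TLS on 8443 to an internal host (expected, e.g. a management console).
SAMPLE_CONN_LOG = """\
1700000000.0\t10.0.5.21\t203.0.113.45\t8443\ttcp\tssl\t1.2\t540
1700000060.5\t10.0.5.21\t203.0.113.45\t8443\ttcp\tssl\t1.1\t542
1700000120.4\t10.0.5.21\t203.0.113.45\t8443\ttcp\tssl\t1.3\t539
1700000180.6\t10.0.5.21\t203.0.113.45\t8443\ttcp\tssl\t1.2\t541
1700000240.5\t10.0.5.21\t203.0.113.45\t8443\ttcp\tssl\t1.1\t540
1700000003.0\t10.0.5.21\t198.51.100.10\t443\ttcp\tssl\t5.0\t12000
1700000700.0\t10.0.5.21\t198.51.100.10\t443\ttcp\tssl\t8.0\t31000
1700003000.0\t10.0.5.21\t198.51.100.10\t443\ttcp\tssl\t2.0\t4000
1700000010.0\t10.0.5.22\t10.0.9.5\t8443\ttcp\tssl\t1.0\t300
"""


def parse_conn_log(text):
    """Parse the tab-separated records above into dicts; skips blank and comment lines."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, dport, proto, service, duration, obytes = line.split("\t")
        records.append({"ts": float(ts), "src": src, "dst": dst, "dport": int(dport),
                        "proto": proto, "service": service,
                        "duration": float(duration), "orig_bytes": int(obytes)})
    return records


def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def nonstandard_tls(records, allowed_ports=(443,)):
    """Heuristic 1: distinct (src, dst, port) tuples using TLS to an external host on an unexpected port."""
    hits = set()
    for r in records:
        if r["service"] == "ssl" and r["dport"] not in allowed_ports and is_external(r["dst"]):
            hits.add((r["src"], r["dst"], r["dport"]))
    return sorted(hits)


def beacon_candidates(records, min_conns=4, max_cv=0.1):
    """Heuristic 2: external flows with >= min_conns connections whose gap std/mean <= max_cv.

    Returns [((src, dst, port), mean_gap_seconds, coefficient_of_variation), ...].
    """
    flows = defaultdict(list)
    for r in records:
        if is_external(r["dst"]):
            flows[(r["src"], r["dst"], r["dport"])].append(r["ts"])
    out = []
    for key, stamps in flows.items():
        if len(stamps) < min_conns:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean > 0 else float("inf")
        if cv <= max_cv:
            out.append((key, mean, cv))
    return out


if __name__ == "__main__":
    recs = parse_conn_log(SAMPLE_CONN_LOG)
    for hit in nonstandard_tls(recs):
        print("TLS on non-standard port:", hit)
    for key, mean, cv in beacon_candidates(recs):
        print(f"beacon candidate: {key} every ~{mean:.0f}s (cv={cv:.3f})")
```

Both heuristics produce candidates for an analyst, not verdicts: a legitimate VPN or monitoring agent can also beacon regularly, so the allowed-port list and a destination allowlist should be tuned per environment, and hits are best correlated with the patch status of the edge devices listed under Initial Access.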
## Conclusion
Earth Estries represents a mature, highly organized threat actor focusing on persistent cyber espionage against critical infrastructure, primarily telecommunications. The use of novel malware like GHOSTSPIDER and established exploitation techniques against widely used edge devices warrants immediate attention from organizations in the targeted sectors, especially in Southeast Asia and related industries globally.