New Earth Estries campaign targets IT and government entities

September 29, 2023

The lesser-known threat group Earth Estries is operating a new cyberespionage campaign targeting government and IT organisations. Researchers revealed that the hackers use infostealers, backdoors, port scanners, and browser data stealers, among other malicious tools, to make their campaigns more hostile.

Recent investigations showed that some of this threat group’s tactics, techniques, and procedures resemble the FamousSparrow gang’s TTPs.

The Earth Estries group adopts a couple of tactics in its campaign.

The Earth Estries cyberespionage group utilises DLL sideloading attacks and compromised accounts with admin-level privileges to gain a foothold on internal servers.

These techniques result in the deployment of a Cobalt Strike beacon that distributes more malware strains and performs lateral movement. In addition, the infection process employs WMIC and SMB to propagate backdoors and hacking tools across the targeted environment.

Subsequently, the attackers sort the harvested information into PDF and DDF files and upload them to online storage services such as File[.]io or AnonFiles. After completing each operation cycle, they also delete their current backdoor and redeploy new malware strains in a fresh infection process as part of their attack chain.

Recent analysis revealed that the campaign has an ongoing operation that targets government and IT entities in the United States, Taiwan, Malaysia, South Africa, Germany, and the Philippines.

Furthermore, researchers noticed some network traffic to the group’s command-and-control servers in Canada and toolset detections in Singapore and India. Hence, these countries could be the group’s next targets.

Threat analysts claimed these miscreants favour two malware strains in their cyberespionage campaigns. The malware strains primarily used by Earth Estries are TrillClient and Zingdoor. These malware payloads have malicious capabilities that allow hackers to execute their campaigns and compromise numerous organisations globally.

Organisations should track and study the TTPs employed by Earth Estries so they can configure their security controls properly, counter these threats, and safeguard their digital assets. Learning the published IOCs makes this possible, as they give security teams and analysts a better understanding of the framework and attack flow used by the Earth Estries operators.
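As an added illustration of tracking the TTPs described above (not code from the original report or from the researchers), the following script classifies constructed sample telemetry for three behaviours the article names: WMIC remote process creation, copies to SMB administrative shares, and uploads to File[.]io or AnonFiles. The event format, host names, and the severity rule are assumptions made for the example.

```python
"""Detection sketch for the Earth Estries TTPs described above.
Runs over constructed sample telemetry (hypothetical hosts, not real logs)."""
import re

# Constructed sample events: (host, event_type, detail).
# "process" events carry a command line; "proxy" events carry the requested URL.
SAMPLE_EVENTS = [
    ("ws01", "process", r"C:\Windows\System32\wmic.exe /node:srv02 process call create 'cmd /c C:\tmp\up.exe'"),
    ("ws01", "process", r"cmd.exe /c copy C:\tmp\svc.dll \\srv02\ADMIN$\svc.dll"),
    ("ws01", "process", r"C:\Windows\System32\wmic.exe os get caption"),  # benign local WMIC use
    ("ws01", "proxy",   "https://file.io/upload"),
    ("ws03", "proxy",   "https://anonfiles.com/api/upload"),
    ("ws04", "proxy",   "https://www.example.com/index.html"),
]

# WMIC invoked against a remote node to spawn a process (lateral movement via WMI).
WMIC_REMOTE = re.compile(r"wmic(\.exe)?\s+.*?/node:\S+.*?process\s+call\s+create", re.I)
# UNC path to an administrative share (tool staging over SMB).
ADMIN_SHARE = re.compile(r"\\\\[^\\\s]+\\(ADMIN\$|C\$|IPC\$)", re.I)
# File-sharing services named in the article as exfiltration destinations.
EXFIL_HOSTS = ("file.io", "anonfiles.com")


def classify(event):
    """Return a tag for a single event, or None when it matches no behaviour."""
    host, kind, detail = event
    if kind == "process":
        if WMIC_REMOTE.search(detail):
            return "wmic_remote_exec"
        if ADMIN_SHARE.search(detail):
            return "smb_admin_share_copy"
    elif kind == "proxy":
        dest = re.sub(r"^https?://", "", detail).split("/")[0].lower()
        if dest in EXFIL_HOSTS or any(dest.endswith("." + h) for h in EXFIL_HOSTS):
            return "file_sharing_upload"
    return None


def find_suspicious(events):
    """Group tags per host; a host showing lateral movement AND an upload to a
    listed file-sharing site is rated high, any single behaviour medium."""
    per_host = {}
    for ev in events:
        tag = classify(ev)
        if tag:
            per_host.setdefault(ev[0], set()).add(tag)
    results = {}
    for host, tags in per_host.items():
        lateral = tags & {"wmic_remote_exec", "smb_admin_share_copy"}
        severity = "high" if lateral and "file_sharing_upload" in tags else "medium"
        results[host] = (severity, sorted(tags))
    return results
```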
