<\/p>\n
![](\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/thumbnails\/earth-estries-targets-government-tech-cyberespionage.jpg\")
<\/div>\nWe found Earth Estries compromising existing accounts with administrative privileges after it successfully infected one of the organization\u2019s internal servers. By installing Cobalt Strike on the system, the actors behind Earth Estries were able to deploy more pieces of malware and perform lateral movement. Through the Server Message Block (SMB) and WMI command line (WMIC), the threat actors propagated backdoors and hacking tools in other machines in the victim\u2019s environment. At the end of each round of operations in a series of deployments, they archived the collected data from a specified folder. According to our samples and analysis, the threat actors targeted PDF and DDF files, which the actors uploaded to online storage repositories AnonFiles or File.io using curl.exe<\/i>.<\/p>\n
We also noted that the threat actors regularly cleaned their existing backdoor after finishing each round of operation and redeployed a new piece of malware when they started another round. We believe that they do this to reduce the risk of exposure and detection.<\/p>\n
Backdoor and hacking tools<\/span><\/p>\n We observed the threat actors using various tools in this campaign, including information stealers, browser data stealers, and port scanners, among others. In this section, we focus on newly discovered and noteworthy toolsets and discuss their technical details.<\/p>\n Zingdoor<\/b><\/p>\n Zingdoor is a new HTTP backdoor written in Go. While we first encountered Zingdoor in April 2023, some logs indicate that the earliest developments of this backdoor took place in June 2022. However, it had rarely been seen in the wild and had only been observed being used in a limited number of victims, likely as a newly designed backdoor with cross-platform capabilities. Zingdoor is packed using UPX and heavily obfuscated by a custom obfuscator engine.<\/p>\n We noted that Zingdoor adopts anti-UPX unpacking<\/a> techniques. Generally, the magic number of UPX is \u201cUPX!\u201d, but in this case it was modified to \u201cMSE!\u201d, and the UPX application cannot unpack this modified file. This technique is easy and in internet of things (IoT) types of malware, but it is considered rare in APT activities.<\/p>\n Zingdoor was disguised as mpclient.dll and designed to run via DLL sideloading by abusing Windows defender binary MsSecEs.exe. Upon running the executable, Zingdoor registers the current parent process as a Windows service with the name “MsSecEsSvc” for persistence and starts it. As a service process, Zingdoor connects and waits for a command from the command-and-control (C&C) server. Based on the functions defined in the backdoor, it supports the following capabilities:<\/p>\n TrillClient<\/b><\/p>\n TrillClient toolset is an information stealer designed to steal browser data, and is packed in a single cabinet file (.cab) and extracted through the utility application expand.exe<\/i>. The CAB file contains a TrillClient installer and a stealer. Based on different arguments, the installer performs the following behaviors:<\/p>\n<\/p><\/div>\n<\/p><\/div>\n As TrillClient is a custom browser data stealer written in Go, it is heavily obfuscated by a custom obfuscator for anti-analysis. Once launched, it looks for the victim list, 7C809B4866086EF7FB1AB722F94DF5AF493B80DB<\/i> created by the installer. Afterward, it connects to a GitHub repository to retrieve the command for the next set of actions. The repository address is hard-coded in the malware as follows: hxxps:\/\/raw[.]githubusercontent[.]com\/trillgb\/codebox\/main\/config.json.<\/i><\/p>\n<\/p><\/div>\n<\/p><\/div>\n Value.name is the victim ID, while value.value is a command. After receiving this configuration, TrillClient looks for its own victim ID in the value.name list, and performs malicious activities based on the command defined by value.value. TrillClient supports the following commands:<\/p>\n<\/p><\/div>\n<\/p><\/div>\n TrillClient steals the sensitive data found in the following directories:<\/p>\n The collected data will be temporarily copied to <%TEMP%\\browser_temp_data<RANDOM><\/i>>, archived usingthe .tar command, and encrypted with an XOR algorithm. Then the collected data will be sent to the threat actor\u2019s email account trillgamby@gmail[.]com<\/i> over SMTP (Simple Mail Transfer Protocol). Another noteworthy capability of TrillClient is its ability to update its version. As the value of \u201cversion\u201d defined in the downloaded config is newer than the current version number, it will download the newer one from the GitHub repository and update itself.<\/p>\n HemiGate<\/b><\/p>\n HemiGate is a backdoor used by Earth Estries. Like most of the tools used by this threat actor, this backdoor is also executed via DLL sideloading using one of the loaders that support interchangeable payloads. K7AVMScn.exe<\/i> from K7 Computing<\/a> is the sideloading host utilized by this backdoor, while the loader poses as K7AVWScn.dll<\/i>. The main backdoor is an encrypted file named taskhask.doc<\/i>, and another encrypted file named taskhask.dat<\/i> serves as the configuration file.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n HemiGate communicates to its C&C server over port 443 and performs a connection via proxy if required by the environment. The C&C server is retrieved from the configuration file, which mainly contains C&C server and port combinations. The config file is decrypted using RC4 encryption with the key 4376dsygdYTFde3<\/i>. This RC4 key is also used in other encryption\/decryption functions performed by the backdoor in most of its routines. Communication with the server is performed using POST method, using the following predefined header:<\/p>\n<\/p><\/div>\n<\/p><\/div>\n HemiGate executes in three instances:<\/p>\n The keylogger feature utilizes a non-interactive static control window by creating a window with a predefined \u201cstatic\u201d class. A timer function is then used alongside a keyboard hook to log the keystrokes on an active window continuously, so long as the window remains active. The keystroke is logged using the following structure:<\/p>\n Aside from the keylogger, the following features are also available:<\/p>\n Heavy use of DLL sideloading<\/span><\/p>\n We observed that Earth Estries relies heavily on DLL sideloading to load various tools within its arsenal. Aside from the backdoors previously mentioned, this intrusion set also utilizes commonly used remote control tools like Cobalt Strike, PlugX, or Meterpreter stagers interchangeably in various attack stages. These tools come as encrypted payloads loaded by custom loader DLLs.<\/p>\n A notable feature of the loaders used is that the decryption key is in the encrypted payload. We observed that this intrusion set utilizes the same loader file while loading a different payload in the same target environment.<\/p>\n During our investigation, we learned several sideloading combinations used by Earth Estries and enumerate them in the following table:<\/p>\n<\/p><\/div>\n<\/p><\/div>\n By and large, the DLL sideloading attacks we’ve observed are against older versions of legitimate files, some even a decade old, in a bid to convert them into LOLBins. Attackers are using this opportunistic tactic in the hopes of them being ignored by security products. This situation makes it even more important to implement version controls and application baselines to detect anomalies and prevent attackers from gaining footholds in the enterprise environment.<\/p>\n C&C server infrastructure<\/span><\/p>\n We observed that some of the Cobalt Strike implants Earth Estries used utilized Fastly CDN service to hide the actual IP address. We\u2019ve also previously observed the use of Fastly CDN in other campaigns<\/a> by some APT41<\/a>-related groups such as Earth Longzhi and GroupCC.<\/p>\n Looking into other Earth Estries\u2019 C&C activities observed from their victims\u2019 environments, we discovered some notable pieces of data in the registrant information as follows:<\/p>\n<\/p><\/div>\n<\/p><\/div>\n The domains observed in Table 4 were observed from real incidents. According to public repositories, those C&C domains share the same registrant information. We infer that the domains have preferences when it comes to registrant information. In addition, these domains share similar C&C address formats, some of which we observed while tracking their operations. While our investigation is ongoing to determine whether these domains and registrant data are related to the threat actors, we do know that these pieces of information can be used to pivot other related C&C domains, likely used by the same group.<\/p>\n Based on the registrant information, we found more records of the old domain registered by the threat actors. <\/p>\n<\/p><\/div>\n<\/p><\/div>\n Checking all the domains, we observed that smartlinkcorp[.]net<\/i> yielded the most information from public repositories and the threat intelligence community. Digging into the domain, we discovered a record of a related subdomain, \u201cns2.smartlinkcorp[.]net\u201d<\/i>. In addition, Cobalt Strike was once hosted on ns2.smartlinkcor[.]net<\/i> with the watermark 2029527128<\/i>. Based on the watermark, we found more related domains and IP records<\/a>. <\/p>\n<\/p><\/div>\n<\/p><\/div>\n From these Cobalt Strike records, we noticed two new domains, digitelela[.]com<\/i> and z7-tech[.]com<\/i>, which we did not observe in our initial investigations. We then found another domain set possibly used by the threat actors based on the registrant information. <\/p>\n<\/p><\/div>\n<\/p><\/div>\n Like the domain sets we found listed in Table 4, there are several common pieces of information, such as the country registration derived under these domains and subdomains. Specifically, the domains follow a ns{number}.{domain}<\/i> format and are designed for a Cobalt Strike beacon to send and receive commands via DNS tunneling.<\/p>\n Analyzing the preceding C&C domains and the resolved IP addresses, we found their C&C servers hosted on virtual private server (VPS) services located in different countries. We summarize the distribution of C&C servers here:<\/p>\n<\/p><\/div>\n<\/p><\/div>\n Victimology<\/span><\/p>\n Based on our investigation, Earth Estries focuses its attack targeting and attempts on government-related organizations and technology companies in the Philippines, Taiwan, Malaysia, South Africa, Germany, and the US. We also observed the network traffic to C&C servers in Canada and the occurrence of toolset detections in India and Singapore, making these regions potentially highly affected regions. Organizations in the identified countries should not only reexamine their systems for possible intrusions and unauthorized traffic exchanges but also reinforce their existing security measures.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n Attribution<\/span><\/p>\n While tracking the campaign, we noticed the threat actors using \u201cping\u201d to test if a remote server is available before accessing it. Figure 10 shows one of the tests performed by Earth Estries, at the same time our tracking found that the threat actors tried to see if the remote server with IP address 103.133.137[.]157 is available.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n In addition, Earth Estries used some tools and TTPs that overlap with FamousSparrow. We compared the backdoor loader<\/a> used in this campaign to the loader<\/a> mentioned in the previous report<\/a>. As for TTPs, Earth Estries also tends to use .CAB files to deploy their malware and toolset to the victim\u2019s environment, which reinforced the tracking we found and initial country reports responsible for the attacks. <\/p>\n<\/p><\/div>\n<\/p><\/div>\n Conclusion<\/span><\/p>\n Earth Estries is a sophisticated hacker group that has been active since at least 2020 and that focuses on deploying cyberespionage campaigns. It targets government and technology organizations in various countries and is capable of implementing advanced techniques such as the use of multiple backdoors and hacking tools to gain access to its targets.<\/p>\n By compromising internal servers and valid accounts, the threat actors can perform lateral movement within the victim’s network and carry out their malicious activities covertly. The use of Zingdoor as part of the routine to ensure that the backdoor cannot be unpacked easily drive additional challenges for analysts and security teams to make it more difficult to analyze. They also use techniques like PowerShell downgrade attacks and novel DLL sideloading combinations to evade detection. Moreover, the code similarities and TTPs between Earth Estries and FamousSparrow suggests a possible connection between them. Other pieces of evidence, such as tracked IP addresses and common technical formatting themes observed in their operation, indicate strong ties that can be investigated and analyzed further.<\/p>\n Understanding the methods used by Earth Estries can help organizations improve their security measures and protect their digital assets. It is essential for individuals and companies to stay vigilant and take necessary actions to enhance their cybersecurity to safeguard against such cyberespionage campaigns. Trend Vision One\u2122<\/a> provides security teams and analysts to visualize all the separate components of the organization from a single platform to monitor and track the tools, behaviors, and payloads as the routine attempts to move and execute in the organization\u2019s networks, systems, and infrastructure while simultaneously detecting and blocking the threats as left of the attack or infection routine as possible.<\/p>\n MITRE ATT&CK<\/span><\/p>\n<\/p><\/div>\n<\/p><\/div>\n Indicators of Compromise (IOCs)<\/span><\/p>\n Download the list of IOCs here<\/a>.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n\n
\n\n\n\n\n\n\n\n\n
\n\n\n\n\n
<\/span>\n\n
\n
\n
\n
\n
\n\n\n
\n
\n\n\n\n\n\n\n\n\n\n\n
\n\n\n\n\n\n\n\n\n\n