Malware, Governance, Risk and Compliance, Threat Intelligence

Stealthy APT exposed: TTPs spill secrets of sophisticated campaigns

A newly identified advanced persistent threat (APT) group is using sophisticated cyberespionage techniques and custom malware to target government and technology sector organizations in at least six countries, including the United States.

Trend Micro said it discovered the group, which it calls Earth Estries, earlier this year, although they have been active since at least 2020.

In a Wednesday post, Trend Micro researchers describe Earth Estries as a sophisticated hacker group that is currently running an active campaign in the Philippines, Taiwan, Malaysia, South Africa and Germany, as well as the U.S.

“From a general overview of the tools and techniques used in this ongoing campaign, we believe the threat actors behind Earth Estries are working with high-level resources and functioning with sophisticated skills and experience in cyberespionage and illicit activities,” the researchers wrote.

Trend Micro did not attribute the group to a particular country but said it found some overlaps between the tactics, techniques and procedures (TTPs) used by Earth Estries and those used by another APT group, FamousSparrow.

“Moreover, the code similarities and TTPs between Earth Estries and FamousSparrow suggests a possible connection between them,” the researchers said.

Further evidence, including tracked IP addresses and common technical formatting themes also suggested there were “strong ties” between the two groups.

In a 2021 research report, ESET linked FamousSparrow to two other APT groups, SparklingGoblin and DRBControl, both of which have been connected to Chinese threat actors.

Focused on evading detection

Trend Micro said after compromising internal servers, Earth Estries used valid accounts with administrative privileges to covertly move laterally across its victims’ networks.

“To leave as little footprint as possible, they use PowerShell downgrade attacks to avoid detection from Windows Antimalware Scan Interface’s (AMSI) logging mechanism. In addition, the actors abuse public services such as Github, Gmail, AnonFiles, and File.io to exchange or transfer commands and stolen data.”

The researchers said Earth Estries deployed a range of tools to carry out its campaign, including commonly used remote control tools such as Cobalt Strike and PlugX, but also novel backdoors and information stealers.

Included in its toolkit was Zingdoor, a Go HTTP backdoor with cross-platform capabilities which was first developed in June 2022 and has only been deployed on limited occasions.

The group also used TrillClient, a custom browser data stealer, also written in Go, which connected to a GitHub repository to retrieve commands, and HemiGate, a backdoor with keylogging capabilities.

“Like most of the tools used by this threat actor, this backdoor is also executed via DLL sideloading using one of the loaders that support interchangeable payloads. We observed that Earth Estries relies heavily on DLL sideloading to load various tools within its arsenal,” the researchers said.

“We also noted that the threat actors regularly cleaned their existing backdoor after finishing each round of operation and redeployed a new piece of malware when they started another round. We believe that they do this to reduce the risk of exposure and detection.”

Simon Hendery

Simon Hendery is a freelance IT consultant specializing in security, compliance, and enterprise workflows. With a background in technology journalism and marketing, he is a passionate storyteller who loves researching and sharing the latest industry developments.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds