Sophisticated Cyber-Espionage Group Earth Estries Exposed

Written by

A sophisticated cyber-espionage group named “Earth Estries” has been exposed by cybersecurity firm Trend Micro. 

Operating since at least 2020, the group targets government and tech organizations in various countries, including the Philippines, Taiwan, Malaysia, South Africa, Germany and the US.

Earth Estries employs advanced tactics including PowerShell downgrade attacks and compromising accounts with administrative privileges to infiltrate networks. They use tools such as Cobalt Strike to move within networks, specifically focusing on PDF and DDF files.

“By compromising internal servers and valid accounts, the threat actors can perform lateral movement within the victim’s network and carry out their malicious activities covertly,” Trend Micro wrote in an advisory published on Wednesday. 

The group’s toolkit comprises a range of tools, including the heavily obfuscated HTTP backdoor Zingdoor, an information stealer called TrillClient and HemiGate, another backdoor executed via DLL sideloading.

Read more on backdoor attacks: New Submarine Backdoor Used in Barracuda Campaign

“The use of Zingdoor as part of the routine to ensure that the backdoor cannot be unpacked easily drives additional challenges for analysts and security teams to make it more difficult to analyze,” Trend Micro explained.

To mask its activities, Earth Estries uses various domains for its command-and-control (C2) infrastructure and often hides behind content delivery networks (CDNs) to obscure its IP addresses.

While their primary targets are government and tech organizations, the group’s operations have broader implications, as evidenced by network traffic to Canadian C2 servers and toolset detections in India and Singapore. Additionally, similarities with the FamousSparrow group suggest a possible connection.

“Earth Estries is just another in a long line of advanced espionage groups. They appear to fully understand the network defenses and utilize living off the land (LOL) of their targets in order to go undetected,” commented David Mitchell, chief technical officer at HYAS.

“These techniques highlight the critical need to tie together endpoint and network telemetry to provide a more 360-degree view of what is happening on your infrastructure – advanced attackers know that most enterprises are blind to lateral network movement and are capitalizing on it.”

What’s hot on Infosecurity Magazine?