Chinese state-sponsored threat actor Earth Estries is deploying new malware tools to target government and telecoms organizations globally, according to an analysis by Trend Micro.
These include two backdoors, GhostSpider and Masol RAT, built to avoid detection and enable prolonged espionage operations.
The researchers also observed that the group often implants the Demodex rootkit on vendor machines to hide the presence of its malware within victims' networks.
The group’s tactics, techniques, and procedures (TTPs) overlap with the Salt Typhoon advanced persistent threat (APT) actor, which was recently reported to have compromised US officials’ data through a large-scale espionage campaign on telecommunications providers.
Trend Micro said it does not have sufficient evidence that Earth Estries is related to this incident.
Earth Estries has successfully compromised more than 20 organizations since 2023 across the telecommunications, technology, consulting, chemical and transportation sectors, as well as government agencies and non-governmental organizations (NGOs), according to the analysis.
Victim organizations have been based in the US, Asia-Pacific, Middle East and South Africa.
The researchers described Earth Estries as “one of the most aggressive Chinese APT groups” currently in operation.
Sophisticated Tooling and TTPs
The researchers discovered a new backdoor named GhostSpider, used by Earth Estries during attacks on Southeast Asian telecommunications companies.
GhostSpider is a multi-modular backdoor designed in several layers, each loading different modules for specific purposes. It communicates with its command and control (C2) server over a custom protocol wrapped in Transport Layer Security (TLS), so its traffic is encrypted on the wire.
The researchers highlighted the backdoor's flexibility and adaptability, with individual components able to be deployed or updated independently as the attacker's needs evolve.
It is also harder for defenders to detect, because its capabilities are isolated in separate modules rather than bundled in a single payload.
Earth Estries has also been observed using a cross-platform backdoor known as Masol RAT to target Linux servers within Southeast Asian governments. The researchers said they cannot rule out the possibility that Masol RAT is a tool shared among a limited set of Chinese APT groups.
Additionally, the group uses the widely available shared backdoor Snappybee during operations, which suggests that the tools used by Earth Estries might come from different malware-as-a-service providers.
Another observed tactic is the deployment of the Demodex rootkit to remain hidden within victims' networks. Demodex is a Windows kernel rootkit, a type of malicious software used to obtain and maintain privileged access to a system; it is designed to conceal the presence of other malware from security teams and make detection harder.
The analysis noted that Earth Estries exploits vulnerabilities in public-facing servers to establish initial access, then uses living-off-the-land binaries (LOLBins) for lateral movement within networks in order to deploy malware for espionage purposes.
The researchers described Earth Estries as well-organized with a clear division of labor. They believe attacks targeting different regions and industries are launched by different actors.
Additionally, the C2 infrastructure used by the various backdoors appears to be managed by different infrastructure teams, further demonstrating the high level of complexity and organization within the group.