Earth Estries, a Chinese APT group, has been actively targeting critical infrastructure sectors, including telecommunications and government entities, in regions like the US, Asia-Pacific, Middle East, and South Africa since 2023.
The group, using tools such as GHOSTSPIDER, SNAPPYBEE, and MASOL RAT, has compromised multiple Southeast Asian telecommunications firms and government organizations through various backdoors.
It leverages public-facing server vulnerabilities to gain initial access, employs living-off-the-land binaries for lateral movement, and deploys malware to facilitate long-term espionage operations within compromised networks.
Targeted attacks have compromised over 20 organizations across diverse sectors, including telecommunications, technology, and government, affecting numerous countries.
The group's operations overlap with those of other Chinese APT groups through a shared malware-as-a-service infrastructure, suggesting the use of common tools and techniques.
N-day vulnerabilities (Ivanti Connect Secure VPN, Fortinet FortiClient EMS, Sophos Firewall, Microsoft Exchange) are exploited for initial access; the group then uses LOLBINs (WMIC.exe, PSEXEC.exe) for lateral movement and deploys custom malware (SNAPPYBEE, DEMODEX, GHOSTSPIDER) for persistent espionage.
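The lateral-movement step above is the one a defender can most readily observe in endpoint telemetry, because WMIC and PsExec name their remote target on the command line. The following added example (not code from the report or from Trend Micro) shows a minimal detection over constructed process-creation events: it extracts the remote host each LOLBIN was pointed at and counts distinct targets per source host, since one workstation fanning out to many servers is the pattern worth alerting on. The event fields and sample values are assumptions.

```python
import re

# Constructed process-creation events (not from the report): a minimal
# Sysmon/EDR-style view with only the fields a LOLBIN rule needs.
SAMPLE_EVENTS = [
    {"host": "ws-017", "user": "CORP\\jdoe",
     "image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "cmdline": 'wmic /node:"srv-db01" os get caption'},
    {"host": "ws-017", "user": "CORP\\jdoe",
     "image": "C:\\Tools\\PsExec.exe",
     "cmdline": "PsExec.exe \\\\srv-app02 hostname"},
    {"host": "srv-mon", "user": "CORP\\svc-mon",
     "image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "cmdline": "wmic os get caption"},          # local use only: not lateral movement
    {"host": "ws-022", "user": "CORP\\asmith",
     "image": "C:\\Windows\\System32\\notepad.exe",
     "cmdline": "notepad.exe report.txt"},
]

# Per-binary patterns that pull the remote target out of the command line.
LOLBIN_REMOTE_RULES = {
    "wmic.exe": re.compile(r"/node:\s*[\"']?(?P<target>[^\s\"']+)", re.IGNORECASE),
    "psexec.exe": re.compile(r"\\\\(?P<target>[^\s\\]+)"),
}


def detect_remote_lolbin(events):
    """Return one hit per LOLBIN execution that names a remote host."""
    hits = []
    for ev in events:
        image = ev["image"].rsplit("\\", 1)[-1].lower()
        rule = LOLBIN_REMOTE_RULES.get(image)
        if rule is None:
            continue
        m = rule.search(ev["cmdline"])
        if m is None:
            continue  # the binary ran, but only against the local machine
        hits.append({"source": ev["host"], "user": ev["user"],
                     "tool": image, "target": m.group("target")})
    return hits


def fan_out_by_source(hits):
    """Distinct remote targets per source host; a high count is the lateral-movement signal."""
    targets = {}
    for h in hits:
        targets.setdefault(h["source"], set()).add(h["target"])
    return {src: len(t) for src, t in targets.items()}


if __name__ == "__main__":
    found = detect_remote_lolbin(SAMPLE_EVENTS)
    for h in found:
        print(f'{h["source"]} ({h["user"]}) used {h["tool"]} against {h["target"]}')
    print(fan_out_by_source(found))
```

The rules deliberately ignore a WMIC or PsExec run with no remote target, so routine inventory scripts on monitoring hosts do not flood the queue; tuning then consists of whitelisting the few admin jump hosts that legitimately fan out.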
The C&C server 165.154.227[.]192, linked to the ShadowPad SSL certificate and associated with multiple APT groups, has also been tied to the Ivanti exploit, indicating its potential use in broader cyberattacks.
The newly observed onedrived.ps1 malware leverages similar tactics, techniques, and procedures (TTPs) to the initial PowerShell dropper of GhostEmperor. However, it employs base64 encoding to obfuscate strings, differentiating it from its predecessor.
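Base64-wrapped strings are a cheap obfuscation and an equally cheap detection: any run of base64 alphabet characters that decodes to printable text is worth surfacing, and it is more interesting still when it sits on the same line as a decode call. The following added example (not code from the report or from Trend Micro) scans a constructed PowerShell snippet for such runs, decodes them as UTF-8 or UTF-16LE, and records whether a decode call was nearby. The sample script, its placeholder URL, and the thresholds are assumptions.

```python
import base64
import binascii
import re

# A run of base64 alphabet characters long enough to be worth decoding (threshold is an assumption).
B64_RUN = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")
# Calls that turn a blob back into text or commands; their presence raises the hit's priority.
DECODE_CALL = re.compile(r"FromBase64String|-EncodedCommand|-enc\b", re.IGNORECASE)


def try_decode_printable(token: str):
    """Return the decoded text if token is valid base64 of printable UTF-8 or UTF-16LE text, else None."""
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    # UTF-8 is tried first: the NUL bytes of UTF-16LE text decode as U+0000, which fails
    # the printable check, so genuine UTF-16LE strings fall through to the second codec.
    for codec in ("utf-8", "utf-16-le"):
        try:
            text = raw.decode(codec)
        except UnicodeDecodeError:
            continue
        if text and all(ch.isprintable() or ch in "\r\n\t" for ch in text):
            return text
    return None


def scan_script(text: str):
    """Return one finding per decodable base64 run, with its line number and context flag."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in B64_RUN.finditer(line):
            decoded = try_decode_printable(m.group(0))
            if decoded is None:
                continue
            findings.append({"line": lineno, "token": m.group(0), "decoded": decoded,
                             "near_decode_call": bool(DECODE_CALL.search(line))})
    return findings


def build_sample_script() -> str:
    """Constructed PowerShell snippet; the URL is a placeholder, not a real indicator."""
    hidden = "http://c2.example.invalid/stage2"
    b64 = base64.b64encode(hidden.encode("utf-8")).decode("ascii")
    return (
        f'$u = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String("{b64}"))\n'
        'Write-Output "Synchronizing files with server"\n'
        'Write-Output $u\n'
    )


if __name__ == "__main__":
    for f in scan_script(build_sample_script()):
        print(f'line {f["line"]}: {f["decoded"]!r} (decode call nearby: {f["near_decode_call"]})')
```

Scanning the decoded text rather than the raw token is what makes this useful for triage: the analyst sees the URL or command that the dropper wanted hidden, not a 44-character blob.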
Two malware samples used distinct DLL hijacking techniques and decryption algorithms, yet both exhibited backdoor characteristics consistent with SNAPPYBEE, as confirmed by the 0xDEED4554 shellcode module header signature and the 0x20 Main/Root module ID in the decrypted payload.
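The two constants above are the kind of structural marker that survives a change of loader or decryption routine, so they make a good post-decryption classification check. The following added example (not code from the report or from Trend Micro) searches a decrypted blob for the 0xDEED4554 signature in both byte orders and reads the module ID next to it. The header layout it assumes, a 4-byte signature immediately followed by a 4-byte module ID in the same byte order, is an assumption the page does not document, as is the constructed sample blob.

```python
import struct

SNAPPYBEE_MODULE_SIGNATURE = 0xDEED4554   # shellcode module header signature (from the report)
SNAPPYBEE_MAIN_MODULE_ID = 0x20           # Main/Root module ID (from the report)


def find_module_headers(blob: bytes):
    """Locate candidate module headers in an already-decrypted payload.

    Assumed layout (not documented on the page): a 4-byte signature immediately
    followed by a 4-byte module ID in the same byte order. Both orders are tried
    so a change of packing convention does not silently defeat the check.
    """
    found = []
    for fmt, order in (("<I", "little"), (">I", "big")):
        needle = struct.pack(fmt, SNAPPYBEE_MODULE_SIGNATURE)
        pos = blob.find(needle)
        while pos != -1:
            module_id = None
            if pos + 8 <= len(blob):  # guard against a signature at the very end of the blob
                module_id = struct.unpack_from(fmt, blob, pos + 4)[0]
            found.append({"offset": pos, "byte_order": order, "module_id": module_id,
                          "is_main_module": module_id == SNAPPYBEE_MAIN_MODULE_ID})
            pos = blob.find(needle, pos + 1)
    return sorted(found, key=lambda h: h["offset"])


def classify_payload(blob: bytes) -> str:
    """Coarse verdict: main module present, signature only, or nothing."""
    hits = find_module_headers(blob)
    if any(h["is_main_module"] for h in hits):
        return "snappybee-main-module"
    if hits:
        return "snappybee-signature-only"
    return "no-match"


def build_sample_payload() -> bytes:
    """Constructed blob standing in for a decrypted payload: filler, header, then stub code."""
    filler = bytes(range(256)) * 2          # 512 bytes that cannot contain the signature
    header = struct.pack("<II", SNAPPYBEE_MODULE_SIGNATURE, SNAPPYBEE_MAIN_MODULE_ID)
    return filler + header + b"\x90" * 32


if __name__ == "__main__":
    sample = build_sample_payload()
    for h in find_module_headers(sample):
        print(f'signature at 0x{h["offset"]:x} ({h["byte_order"]}-endian), '
              f'module id 0x{h["module_id"]:02x}, main module: {h["is_main_module"]}')
    print(classify_payload(sample))
```

A 4-byte constant on its own will eventually collide with benign data, which is why the verdict distinguishes a bare signature hit from one whose neighbouring module ID is also consistent; in practice the check runs on the output of the decryption routine, never on the packed file.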
Trend Micro identified a SnappyBee C&C domain with WHOIS information linked to UNC4841 IOCs, suggesting potential shared infrastructure. While this indicates overlap, insufficient evidence exists to definitively classify UNC4841 as an Earth Estries subgroup.
The threat actor utilized a SNAPPYBEE C&C domain (esh.hoovernamosong[.]com) resolving to a C&C IP (158.247.222[.]165), likely leveraging a SoftEther VPN (vpn114240349.softether[.]net) for obfuscating their operations and hindering tracking efforts.
Cyberattackers exploited an open directory on a C&C server (158.247.222[.]165) to steal sensitive data from a US NGO, including financial, HR, and business documents, as well as information related to military and government entities.
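The indicators quoted on this page (the ShadowPad-linked C&C server, the SNAPPYBEE domain and IP, and the SoftEther VPN hostname) are written defanged, so the first step in using them is to refang them and then sweep DNS and proxy logs for contacts. The following added example (not code from the report or from Trend Micro) does exactly that over a few constructed log lines; the log format, host names, and timestamps are assumptions, while the indicator values themselves are the ones quoted above.

```python
import re

# Indicators exactly as written (defanged) in the report text above, with the role the page gives each.
REPORT_IOCS = {
    "165.154.227[.]192": "ShadowPad-linked C&C server",
    "158.247.222[.]165": "SNAPPYBEE C&C IP",
    "esh.hoovernamosong[.]com": "SNAPPYBEE C&C domain",
    "vpn114240349.softether[.]net": "SoftEther VPN hostname",
}


def refang(ioc: str) -> str:
    """Undo the usual defanging conventions and normalise case for matching."""
    return ioc.replace("[.]", ".").replace("[:]", ":").replace("hxxp", "http").lower()


# Constructed sample DNS/proxy log lines (not from the report): timestamp, host, record kind, destination.
SAMPLE_LOGS = [
    "2024-11-02T10:14:03Z ws-017 DNS esh.hoovernamosong.com",
    "2024-11-02T10:14:04Z ws-017 CONNECT 158.247.222.165:443",
    "2024-11-02T10:15:11Z ws-022 DNS update.example.org",
    "2024-11-02T10:16:40Z srv-mail CONNECT 165.154.227.192:443",
    "2024-11-02T10:17:02Z ws-031 DNS VPN114240349.SoftEther.net",
    "2024-11-02T10:18:30Z ws-031 CONNECT 10.0.0.5:445",
]

LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<kind>DNS|CONNECT)\s+(?P<dest>[^\s:]+)")


def match_iocs(lines, iocs=REPORT_IOCS):
    """Return one hit per log line whose destination is a known indicator."""
    table = {refang(k): v for k, v in iocs.items()}
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue  # unparseable line: skip rather than silently mis-match
        dest = m.group("dest").lower()   # strips the :port, so IP and domain compare cleanly
        if dest in table:
            hits.append({"ts": m.group("ts"), "host": m.group("host"),
                         "indicator": dest, "label": table[dest]})
    return hits


def hosts_by_label(hits):
    """Group affected hosts by indicator role, which is how an IR lead wants to read the result."""
    out = {}
    for h in hits:
        out.setdefault(h["label"], set()).add(h["host"])
    return {label: sorted(hosts) for label, hosts in out.items()}


if __name__ == "__main__":
    found = match_iocs(SAMPLE_LOGS)
    for h in found:
        print(f'{h["ts"]} {h["host"]} -> {h["indicator"]} ({h["label"]})')
    print(hosts_by_label(found))
```

Case-folding both sides and dropping the port are the two normalisations that most often separate a working sweep from a silent miss; the VPN hostname hit is flagged separately because, as the page notes, that infrastructure is used to hide the operator's traffic rather than to serve the backdoor itself.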
Earth Estries is a sophisticated Chinese advanced persistent threat group that targets critical sectors such as the government and the telecommunications industry.
They leverage vulnerabilities, shared tools like SNAPPYBEE, and stealthy techniques to infiltrate edge and cloud environments, and their advanced operational networks enable persistent, covert cyber espionage.