Researchers have discovered that a threat actor is quietly stealing information across the globe from various organizations.
The ongoing campaign was dubbed as Earth Estries that existed since at least 2020 and overlaps to some degree with another cyber espionage outfit, FamousSparrow and span the globe from the US to the Philippines, Germany, Taiwan, Malaysia, and South Africa.
Earth Estries has a penchant for using DLL sideloading to run any of its three custom malware — two backdoors and an infostealer — along with other tools like Cobalt Strike.
The group possesses three unique malware tools: Zingdoor, TrillClient, and HemiGate.
Zingdoor is an HTTP backdoor first developed in June 2022, deployed in only limited instances since. It’s written in Golang, affording it cross-platform capabilities and packed with UPX. It can retrieve system and Windows services information; enumerate, upload, or download files; and run arbitrary commands on a host machine.
TrillClient is a combination installer and infostealer, also written in Go, and packaged in a Windows cabinet file. The stealer is designed to collect browser credentials, with an added ability to act or sleep on command or at random intervals, with the goal of avoiding detection. Along with Zingdoor, it sports a custom obfuscator designed to stump analysis tools.
HemiGate is a multi-instanc e tool. It’s an all-in-one malware that includes features for keylogging, capturing screenshots, running commands, and monitoring, adding, deleting, and editing files, directories, and processes.
Earlier this year, researchers observed Earth Estries using compromised accounts with administrative privileges to infect an organization’s internal servers;It planted Cobalt Strike to establish a foothold in the system, then used SMB and WMI command line to bring its own malware to the party.
In its methods, Earth Estries gives the impression of a clean, deliberate operation.
To execute its malware on a host machine, it reliably opts for the tricky method of DLL sideloading. The threat actors regularly cleaned their existing backdoor after finishing each round of operation and redeployed a new piece of malware when they started another round. This is undertaken to reduce the risk of exposure.
DLL sideloading and another tool the group uses — Fastly CDN — are popular with APT41 sub groups like Earth Longzhi. There are overlaps between Earth Estries’ backdoor loader and FamousSparrow’s.
The exact origin of Earth Estries is unclear. It doesn’t help, either, that its C2 infrastructure is spread across five continents, spanning all of the earth’s hemispheres: from Canada to Australia, Finland to Laos, with the highest concentration in the US and India.
This research was documented by researchers from Trend Micro.
Indicators of Compromise