A newly identified threat actor is quietly stealing information from governments and technology organizations around the globe.
The ongoing campaign comes courtesy of “Earth Estries.” The previously unknown group has existed since at least 2020, according to a new report from Trend Micro, and overlaps to some degree with another cyber espionage outfit, FamousSparrow. Though targets tend to come from the same couple of industries, they span the globe from the US to the Philippines, Germany, Taiwan, Malaysia, and South Africa.
Earth Estries has a penchant for using DLL sideloading to run any of its three custom malware — two backdoors, and an infostealer — along with other tools like Cobalt Strike. “The threat actors behind Earth Estries are working with high-level resources and functioning with sophisticated skills and experience in cyberespionage and illicit activities,” Trend Micro’s researchers wrote.
Earth Estries’ Toolset
Earth Estries possesses three unique malware tools: Zingdoor, TrillClient, and HemiGate.
Zingdoor is an HTTP backdoor first developed in June 2022, deployed in only limited instances since. It’s written in Golang (Go), affording it cross-platform capabilities, and packed with UPX. It can retrieve system and Windows services information; enumerate, upload, or download files; and run arbitrary commands on a host machine.
TrillClient is a combination installer and infostealer, also written in Go, and packaged in a Windows cabinet file (.cab). The stealer is designed to collect browser credentials, with an added ability to act or sleep on command, or at random intervals, with the goal of avoiding detection. Along with Zingdoor, it sports a custom obfuscator designed to stump analysis tools.
The group’s most multifaceted tool is the backdoor HemiGate. This multi-instance, all-in-one malware includes features for keylogging, capturing screenshots, running commands, and monitoring, adding, deleting, and editing files, directories, and processes.
Earth Estries’ Methods
In April, researchers observed Earth Estries using compromised accounts with administrative privileges to infect an organization’s internal servers; the means by which those accounts were compromised is unknown. It planted Cobalt Strike to establish a foothold in the system, then used server message block (SMB) and WMI command line to bring its own malware to the party.
In its methods, Earth Estries gives the impression of a clean, deliberate operation.
For example, to execute its malware on a host machine, it reliably opts for the tricky method of DLL sideloading. And, the researchers explained, “the threat actors regularly cleaned their existing backdoor after finishing each round of operation and redeployed a new piece of malware when they started another round. We believe that they do this to reduce the risk of exposure and detection.”
DLL sideloading and another tool the group uses — Fastly CDN — are popular with APT41 sub groups like Earth Longzhi. Trend Micro also found overlaps between Earth Estries’ backdoor loader and FamousSparrow’s. Still, the exact origin of Earth Estries is unclear. It doesn’t help, either, that its C2 infrastructure is spread across five continents, spanning all of the earth’s hemispheres: from Canada to Australia, Finland to Laos, with the highest concentration in the US and India.
Researchers may learn more about the group soon, as its campaign against government and technology organizations across the world remains ongoing today.