Earth Estries hackers exploit GhostSpider malware to backdoor telecoms globally, compromising critical infrastructure and government networks

Continue reading
Earth Estries, a Chinese advanced persistent threat (APT) group, has aggressively targeted critical sectors worldwide. These include telecommunications and government entities across the United States, Asia-Pacific, the Middle East, and South Africa. Utilizing sophisticated techniques and backdoors such as GHOSTSPIDER, SNAPPYBEE, and MASOL RAT, Earth Estries has carried out prolonged cyber espionage operations, compromising more than 20 organizations.
Key new developments uncovered by Trend Micro include the identification of the new GHOSTSPIDER backdoor, the use of MASOL RAT on Linux devices, and the discovery of complex C&C infrastructure managed by multiple teams. These findings provide valuable insights into Earth Estries' evolving tactics and motivations.
The group exploits server vulnerabilities to gain initial access and uses living-off-the-land binaries (LOLBINs) for lateral movement within networks. The attacks affect sectors like telecommunications, technology, government agencies, and NGOs across regions including Southeast Asia, Africa, and the Americas.
Their complex command-and-control (C&C) infrastructure and overlapping tactics, techniques, and procedures (TTPs) with other known APT groups indicate the possible use of malware-as-a-service (MaaS) tools.
Since 2023, Earth Estries (also known as Salt Typhoon, FamousSparrow, GhostEmperor, and UNC2286) has emerged as one of the most aggressive Chinese APT groups. 
Their operations primarily target critical industries such as telecommunications and government sectors across various regions including the US, Asia-Pacific, the Middle East, and South Africa.
The Chinese state-sponsored hacking group Salt Typhoon (also known as Earth Estries, GhostEmperor, UNC2286) has been observed utilizing a new backdoor called GHOSTSPIDER in attacks against telecommunication service providers. The backdoor was discovered by Trend Micro, which has been monitoring Salt Typhoon's attacks against critical infrastructure and government organizations worldwide.
Along with GHOSTSPIDER, we identified a modular backdoor called SNAPPYBEE (aka Deed RAT), which is shared among Chinese APT groups.
Another significant discovery is the cross-platform MASOL RAT, initially found during Southeast Asian government incidents in 2020. Recent attacks show that Earth Estries has started deploying MASOL RAT on Linux devices, significantly expanding their reach into government networks that predominantly use Linux systems for critical infrastructure. This move represents an escalation in their tactics, targeting previously unaffected platforms and enhancing their ability to maintain persistence across diverse environments.
Earth Estries appears to target governments, internet service providers, and consulting firms to gather intelligence more efficiently, thus enabling them to infiltrate their primary targets more effectively. 
Recently, U.S. authorities confirmed that the Salt Typhoon was behind several breaches of telecommunication service providers in the U.S., including Verizon, AT&T, Lumen Technologies, and T-Mobile. In some cases, they managed to tap into the private communications of U.S. government officials and stole information related to court-authorized wiretapping requests.
Notably, they target both the core services (like database and cloud servers) of telecommunications firms and the networks of their vendors. A notable tactic is the deployment of a DEMODEX rootkit on vendor machines. This rootkit has been utilized to facilitate deeper access into target networks.
Earth Estries has successfully compromised more than 20 organizations in industries such as telecommunications, technology, consulting, chemicals, and transportation, as well as government agencies and NGOs. The victims are spread across multiple countries, including Afghanistan, Brazil, Eswatini, India, Indonesia, Malaysia, Pakistan, the Philippines, South Africa, Taiwan, Thailand, the US, and Vietnam.
These countries and industries are being targeted due to their strategic importance in regional stability, economic influence, and technological development. By compromising government and telecommunications sectors, Earth Estries can gather valuable intelligence, disrupt communication channels, and maintain persistent surveillance over critical infrastructure. Additionally, targeting consulting firms and NGOs that work closely with government entities allows them to indirectly access sensitive data and enhance their understanding of political dynamics.
Earth Estries aggressively targets public-facing servers by exploiting well-known vulnerabilities. Some of the vulnerabilities exploited by the group include:
After gaining access, attackers utilize LOLBINs such as WMIC.exe and PSEXEC.exe for lateral movement. Malware like SNAPPYBEE, DEMODEX, and GHOSTSPIDER is then deployed for long-term espionage.
Earth Estries appears to be a well-organized group with a clear division of labor, launching attacks across various regions and industries. Two key campaigns highlighted in Trend Micro's report are Campaign Alpha and Campaign Beta.
Campaign Alpha involved attacks on the Taiwanese government and chemical companies, primarily aiming to steal sensitive information related to government operations and industrial processes. The attackers downloaded malicious tools from their C&C server and deployed rootkits such as DEMODEX to maintain persistence and gather intelligence.
Campaign Beta was a long-term espionage campaign targeting telecommunications companies and government entities across Southeast Asia. The goal was to disrupt communication channels and maintain long-term surveillance over critical infrastructure. This campaign utilized backdoors like GHOSTSPIDER and the DEMODEX rootkit for extended monitoring. These campaigns suggest that Earth Estries uses distinct infrastructure teams for different attacks, highlighting the complexity of their operations.
GHOSTSPIDER is a sophisticated, multi-modular backdoor designed for long-term espionage operations requiring high levels of stealth, achieved through encryption and residing solely in memory. It is loaded on the target system using DLL hijacking and registered as a service via the legitimate regsvr32.exe tool, while a secondary module, the beacon loader, loads encrypted payloads directly in memory.
GHOSTSPIDER communicates with its C&C server using a custom protocol protected by Transport Layer Security (TLS), which makes it challenging to intercept and analyze. The backdoor executes commands received from the command and control (C2) server, concealed within HTTP headers or cookies to blend with legitimate traffic.
The backdoor supports various commands, such as uploading malicious modules into memory, creating necessary resources, executing primary functions, and maintaining periodic communication with the C&C server. This modular design gives GHOSTSPIDER significant versatility and adaptability, allowing Salt Typhoon to adjust their attack as needed depending on the victim's network and defenses.
The C&C infrastructure managed by Earth Estries involves multiple teams, each responsible for different backdoors. For example, SNAPPYBEE C&C domains have WHOIS information that overlaps with other known operations, suggesting shared tools or collaboration between different APT groups. This approach helps the group maintain a decentralized and flexible attack framework, making it harder for defenders to identify and counter their operations.
Some TTPs used by Earth Estries overlap with those employed by FamousSparrow and GhostEmperor. 
The use of shared tools, such as ShadowPad and MASOL RAT, suggests that Earth Estries may source its tools from malware-as-a-service providers. This highlights the likelihood of collaboration or shared resources between Chinese APT groups.
During post-exploitation, Earth Estries uses LOLBINs and customized malware for further infiltration and to maintain persistence. This includes executing PowerShell commands to deploy rootkits like DEMODEX and spreading through targeted environments, often using SoftEther VPN to mask their C&C activities.
Earth Estries, also known as Salt Typhoon, continues to be one of the most aggressive Chinese APT groups, leveraging sophisticated tactics to compromise critical infrastructure. Their attacks are characterized by stealth, the use of living-off-the-land tools, and the deployment of shared backdoors, making them challenging to detect and counter. U.S. authorities have recently notified numerous victims of breaches involving Salt Typhoon, emphasizing the need for vigilance.
Organizations must strengthen their cybersecurity, focusing on practices such as multi-layered security, regular patching, and enhanced network visibility. Employing tools like Trend Micro Vision One™ can help organizations effectively monitor and mitigate these advanced threats.

Suspected China and India nexus actors both compromised Balochistan Police systems, planting malware in a public complaint portal used by citizens.