
Earth Estries Unleashes GHOSTSPIDER Backdoor in Advanced Cyber Espionage Campaign

By Cedric Nelson  ·  2 min read

The China-linked threat actor Earth Estries, active since at least 2020, has been observed deploying a previously undocumented backdoor called GHOSTSPIDER in cyber espionage campaigns against telecommunications companies in Southeast Asia, according to research published by Trend Micro.

Scope of the Campaign

Security researchers at Trend Micro describe Earth Estries as an aggressive advanced persistent threat (APT) with a history of targeting industries including:

  1. Telecommunications
  2. Government agencies
  3. Technology
  4. Transportation
  5. Non-profit organizations

The group has compromised over 20 entities across 13 countries, including India, Indonesia, Malaysia, South Africa, the U.S., and Vietnam.

Tools of the Trade

Earth Estries employs a broad malware arsenal, including:

  1. GHOSTSPIDER: A stealthy, multi-modular implant that talks to its command-and-control (C2) server over a custom protocol wrapped in TLS and can fetch additional modules on demand, so the component first dropped on a host reveals little about the group's full capability.
  2. Demodex Rootkit: A kernel-mode rootkit used to hide the group's tooling from host-based inspection and to maintain long-term persistence.
  3. Deed RAT (SNAPPYBEE): A modular backdoor believed to be the successor to ShadowPad, a toolkit shared among several Chinese APT groups.
  4. Other malware families: Crowdoor, SparrowDoor, HemiGate, TrillClient, and Zingdoor.

Initial Access and Exploitation

Earth Estries gains initial access by exploiting known, already-patched (N-day) vulnerabilities in internet-facing edge appliances and servers, including:

  1. Ivanti Connect Secure: CVE-2023-46805 (authentication bypass) chained with CVE-2024-21887 (command injection) for unauthenticated remote code execution
  2. Fortinet FortiClient EMS: CVE-2023-48788 (SQL injection leading to remote code execution)
  3. Sophos Firewall: CVE-2022-3236 (code injection in the User Portal and Webadmin interfaces)
  4. Microsoft Exchange Server: the ProxyLogon chain (CVE-2021-26855 server-side request forgery, CVE-2021-26857 insecure deserialization, CVE-2021-26858 and CVE-2021-27065 arbitrary file writes), typically used to drop web shells

Once a foothold exists, custom implants such as GHOSTSPIDER and Deed RAT are deployed to maintain long-term access and collect data.

Sophisticated Infrastructure

Trend Micro highlights Earth Estries' well-organized structure:

  1. Division of labor among regional teams.
  2. Separate management of command-and-control infrastructure for different malware families.
  3. Multi-layered stealth tactics that span edge devices to cloud environments.

These operations reflect a high level of sophistication, making detection and mitigation particularly challenging.

Broader Implications

Earth Estries is part of China's broader cyber program, which has evolved from isolated attacks to sustained campaigns aimed at bulk data collection. This shift targets Managed Service Providers (MSPs), Internet Service Providers (ISPs), and platform providers on a global scale.

Recommendations

Organizations in the targeted industries should take the following steps to reduce the risk:

  1. Patch Vulnerabilities: Prioritise the edge products listed above. Every flaw the group is known to use is an N-day, so a vendor fix was available before the intrusions; the exposure window is the time between fix and install.
  2. Strengthen Perimeter Security: Review access logs of VPN gateways, firewalls, and Exchange servers for signs of exploitation such as path traversal in API requests, shell metacharacters in parameters, and newly written web shells, and restrict management interfaces to trusted networks.
  3. Implement Threat Detection: Deploy endpoint and network detection able to surface multi-stage implants like GHOSTSPIDER, whose modules arrive over TLS after the initial drop, and kernel-level rootkits like Demodex that hide activity from the host.
  4. Enhance Threat Intelligence: Track vendor and national CERT advisories for the products you expose, and ingest published indicators for Earth Estries' malware families as they appear.

By adopting a proactive approach, entities in targeted industries can bolster their defenses against sophisticated adversaries like Earth Estries.
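Recommendation 2 is the one a defender can act on the same day, and the CVEs in the Initial Access section fall into three classes that leave recognisable traces in web-server access logs: path-traversal authentication bypass, OS command injection, and SQL injection. The Python script below is an added example for this page, not code from Trend Micro or from the article. The log lines, request paths and regular expressions are constructed to illustrate those three classes; they are not vendor-published indicators for any of the listed CVEs, and the heuristics will need tuning against a real appliance's log format.

```python
"""Heuristic triage of edge-appliance access logs for the three flaw classes
behind the CVEs discussed above: path-traversal auth bypass, OS command
injection and SQL injection.

Added illustration for this article. The log lines and the patterns are
constructed, not vendor-published indicators of compromise.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import unquote

# Common Log Format: ip ident user [timestamp] "METHOD URI PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) \S+" (?P<status>\d{3}) \S+$'
)

# Each rule names a flaw class and a pattern applied to the fully decoded URI.
# Constructed heuristics: tune against your own appliance's legitimate traffic.
RULES = {
    "path_traversal": re.compile(r'(^|[\\/])\.\.([\\/]|$)'),
    "command_injection": re.compile(r'[;|`]|\$\(|&&'),
    "sql_injection": re.compile(r"(?i)union\s+select|'\s*or\s|'\s*;|--\s|/\*"),
}

# Constructed sample log (RFC 5737 documentation addresses, invented paths).
SAMPLE_LOG = """\
198.51.100.7 - - [25/Nov/2024:09:58:41 +0000] "GET /portal/login HTTP/1.1" 200 5120
203.0.113.10 - - [25/Nov/2024:10:01:09 +0000] "GET /api/v1/reports/../../admin/system-information HTTP/1.1" 200 712
203.0.113.10 - - [25/Nov/2024:10:01:15 +0000] "GET /api/v1/reports/%252e%252e/%252e%252e/admin/config HTTP/1.1" 200 2048
203.0.113.10 - - [25/Nov/2024:10:01:33 +0000] "GET /api/v1/diag/ping?host=127.0.0.1;id HTTP/1.1" 200 96
198.51.100.7 - - [25/Nov/2024:10:02:02 +0000] "GET /api/v1/search?q=vpn&page=2 HTTP/1.1" 200 1337
192.0.2.44 - - [25/Nov/2024:10:05:50 +0000] "POST /ems/api/login?user=admin'%20OR%20'1'='1 HTTP/1.1" 500 0
198.51.100.7 - - [25/Nov/2024:10:06:10 +0000] "GET /static/app.js HTTP/1.1" 304 0
"""


@dataclass
class Finding:
    ip: str
    method: str
    uri: str          # raw URI as logged, for the analyst
    status: int       # a 2xx on a traversal request is the worrying case
    tags: list[str] = field(default_factory=list)


def decode(uri: str) -> str:
    """Decode twice so a double-encoded '..' (%252e%252e) is caught as well."""
    return unquote(unquote(uri))


def scan_log(text: str) -> list[Finding]:
    """Return one Finding per request that matches at least one rule."""
    findings: list[Finding] = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the scan
        decoded = decode(m["uri"])
        tags = [name for name, rx in RULES.items() if rx.search(decoded)]
        if tags:
            findings.append(
                Finding(m["ip"], m["method"], m["uri"], int(m["status"]), tags)
            )
    return findings


def suspicious_sources(findings: list[Finding]) -> dict[str, set[str]]:
    """Collapse findings per source IP. One host probing several flaw classes
    in a short window is a stronger signal than a single odd request."""
    by_ip: dict[str, set[str]] = {}
    for f in findings:
        by_ip.setdefault(f.ip, set()).update(f.tags)
    return by_ip


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for h in hits:
        print(f"{h.ip} {h.method} {h.uri} -> {h.status} {','.join(h.tags)}")
    for ip, classes in suspicious_sources(hits).items():
        print(f"{ip}: {sorted(classes)}")
```

Run against a real log by replacing `SAMPLE_LOG` with the file contents; the interesting output is a source address that accumulates more than one flaw class, or a traversal request to an administrative path that returned 200, since a successful bypass is exactly what precedes the implant drop described above.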


© 2016 – 2026 Red Secure Tech Ltd. Registered in England and Wales — Company No: 15581067