Game of Emperor: Unveiling Long Term Salt Typhoon / Earth Estries Cyber Intrusions

Summary

Since 2023, the Chinese APT group Earth Estries has targeted critical sectors like telecommunications and government entities across regions including the US, Asia-Pacific, the Middle East, and South Africa. Employing sophisticated techniques and multiple backdoors such as GHOSTSPIDER, SNAPPYBEE, and MASOL RAT, Earth Estries has compromised over 20 organizations. The group exploits server vulnerabilities for initial access and uses living-off-the-land binaries for lateral movement to deploy malware and conduct long-term espionage. Their operations often overlap with tactics of other Chinese APT groups, suggesting shared tools from malware-as-a-service providers. The group’s campaigns are highly organized, with distinct actors managing different regional attacks and C&C infrastructures. Earth Estries’ activities demonstrate a high level of sophistication, targeting sectors like telecommunications, technology, consulting, chemical, and transportation industries, as well as government agencies and NGOs in countries such as Afghanistan, Brazil, Eswatini, India, Indonesia, Malaysia, Pakistan, the Philippines, South Africa, Taiwan, Thailand, the US, and Vietnam.

How Blue Rock Helps

In the Earth Estries cyber intrusion campaign, the attackers initially exploited public-facing server vulnerabilities to gain access to Linux servers, deploying the MASOL RAT for persistent access. Once inside, they used the MASOL RAT to maintain a foothold within the compromised systems, targeting Southeast Asian government networks. Blue Rock's Container Drift Protection (Binaries & Scripts) mitigates this threat by ensuring that only authorized binaries and scripts from the original container image are allowed to execute. Anything dropped or modified after the image was built is blocked from running, so a payload such as MASOL RAT written to disk after exploitation never executes, and the integrity of the server environment is preserved.
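The control described above comes down to an allow-list keyed on the executables that shipped in the image. The following is an added example, not Blue Rock's product code: it builds a manifest of executables (exec bit or shebang) with their SHA-256 hashes from an image root, compares it against the same tree at runtime, and makes the per-execution allow/deny decision. The `demo_scenario` function constructs a sample image and a post-intrusion copy in temporary directories; the file names and contents are invented for the demonstration.

```python
"""Container drift detection: baseline the executables shipped in an image,
then flag anything executable that was added or changed at runtime."""
import hashlib
import stat
import tempfile
from pathlib import Path


def _is_executable(path: Path) -> bool:
    """True if the file has an exec bit or starts with a shebang line."""
    mode = path.stat().st_mode
    if mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
        return True
    with path.open("rb") as fh:
        return fh.read(2) == b"#!"


def _sha256(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: str) -> dict:
    """Map each executable's path (relative to root) to its SHA-256.
    Symlinks are skipped so a link cannot stand in for an allowed binary."""
    base = Path(root)
    manifest = {}
    for p in base.rglob("*"):
        if p.is_file() and not p.is_symlink() and _is_executable(p):
            manifest[p.relative_to(base).as_posix()] = _sha256(p)
    return manifest


def detect_drift(baseline: dict, current: dict) -> dict:
    """Compare a runtime manifest against the image baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "modified": sorted(k for k in baseline
                           if k in current and baseline[k] != current[k]),
        "removed": sorted(set(baseline) - set(current)),
    }


def execution_allowed(baseline: dict, root: str, rel_path: str) -> bool:
    """The allow-list decision: run only if the binary shipped in the image
    and its content is unchanged."""
    expected = baseline.get(rel_path)
    if expected is None:
        return False
    target = Path(root) / rel_path
    if not target.is_file() or target.is_symlink():
        return False
    return _sha256(target) == expected


def _write(path: Path, data: bytes, executable: bool) -> None:
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_bytes(data)
    if executable:
        path.chmod(path.stat().st_mode | stat.S_IXUSR)


def demo_scenario() -> dict:
    """Constructed scenario (sample files, not real artifacts): the image ships
    one binary and one script; at runtime a new binary appears and the script
    is patched to launch it."""
    with tempfile.TemporaryDirectory() as image, \
            tempfile.TemporaryDirectory() as runtime:
        # Image as built.
        _write(Path(image, "usr/bin/app"), b"\x7fELF original", True)
        _write(Path(image, "opt/start.sh"), b"#!/bin/sh\necho start\n", False)
        _write(Path(image, "etc/app.conf"), b"level=1\n", False)
        baseline = build_manifest(image)

        # Same filesystem after the intrusion.
        _write(Path(runtime, "usr/bin/app"), b"\x7fELF original", True)
        _write(Path(runtime, "opt/start.sh"),
               b"#!/bin/sh\necho start\n/tmp/.x/rat &\n", False)
        _write(Path(runtime, "etc/app.conf"), b"level=1\n", False)
        _write(Path(runtime, "tmp/.x/rat"), b"\x7fELF dropped", True)
        current = build_manifest(runtime)
        return {
            "drift": detect_drift(baseline, current),
            "app_allowed": execution_allowed(baseline, runtime, "usr/bin/app"),
            "rat_allowed": execution_allowed(baseline, runtime, "tmp/.x/rat"),
            "script_allowed": execution_allowed(baseline, runtime, "opt/start.sh"),
        }


if __name__ == "__main__":
    print(demo_scenario())
```

The manifest is keyed by path and content hash rather than by name alone, which is what stops a dropped file from being "authorized" by overwriting a shipped binary in place. A config file with no exec bit and no shebang is deliberately outside the manifest, since the policy concerns what can execute, not what can change.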

MITRE ATT&CK Techniques Inferred
  • T1190: Exploit Public-Facing Application: The Earth Estries group exploits public-facing server vulnerabilities to establish initial access. The article specifically mentions 'Earth Estries is aggressively targeting the public-facing servers of victims' and lists vulnerabilities like Ivanti Connect Secure VPN Exploitation, Fortinet FortiClient EMS SQL Injection, and ProxyLogon. This aligns with the MITRE ATT&CK technique for Exploit Public-Facing Application (T1190).
  • T1021: Remote Services: After gaining initial access, the attackers used living-off-the-land binaries (LOLBINs) such as WMIC.exe and PSEXEC.exe for lateral movement within networks. This is described in the article as 'After gaining control of the vulnerable server, we observed that the attackers leveraged living-off-the-land binaries (LOLBINs) like WMIC.exe and PSEXEC.exe for lateral movement.' This corresponds to the MITRE ATT&CK technique for Lateral Movement via Remote Services (T1021).
  • T1071: Application Layer Protocol: The Earth Estries group deploys malware like SNAPPYBEE, DEMODEX, and GHOSTSPIDER for espionage. The article mentions 'deployed customized malware such as SNAPPYBEE, DEMODEX, and GHOSTSPIDER to conduct long-term espionage activities.' This indicates the use of malware to maintain persistence and conduct operations, aligning with the MITRE ATT&CK technique for Command and Control via Application Layer Protocol (T1071).
  • T1090.003: Proxy: Multi-hop Proxy: The attackers used a complex C&C infrastructure, which suggests sophisticated Command and Control operations. The article notes 'Earth Estries uses a complex C&C infrastructure managed by different teams,' which aligns with the MITRE ATT&CK technique for Multi-hop Proxy (T1090.003).
  • T1014: Rootkit: The use of the DEMODEX rootkit by Earth Estries for long-term persistence is highlighted in the article: 'We found that they implanted the DEMODEX rootkit on vendor machines.' This corresponds to the MITRE ATT&CK technique for Rootkit (T1014).
  • T1505.002: Server Software Component: Transport Agent: The Earth Estries group uses backdoors like GHOSTSPIDER, SNAPPYBEE, and MASOL RAT for persistent access. The article describes 'A key finding from our recent investigation is the discovery of a new backdoor, GHOSTSPIDER,' indicating the use of backdoors for persistence, aligning with the MITRE ATT&CK technique for Server Software Component: Transport Agent (T1505.002).
  • T1574.001: Hijack Execution Flow: DLL Search Order Hijacking: The attackers use 'DLL search order hijacking' as part of their GHOSTSPIDER infection flow, as noted in 'On the infected endpoint, the threat actor deploys a legitimate executable file alongside a malicious DLL file for DLL search order hijacking.' This aligns with the MITRE ATT&CK technique for Hijack Execution Flow: DLL Search Order Hijacking (T1574.001).
  • T1059.001: Command and Scripting Interpreter: PowerShell: The attackers' use of PowerShell scripts for initial infection is described in the article: 'the attackers used another variant of DEMODEX... the first-stage PowerShell script requires a decryption key as an argument.' This corresponds to the MITRE ATT&CK technique for Command and Scripting Interpreter: PowerShell (T1059.001).
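The T1021 entry above names the two LOLBINs the article saw used for lateral movement, WMIC.exe and PSEXEC.exe. Both are legitimate administration tools, so the useful detection signal is not their presence but their use against another host. The following is an added detection example, not code from the article or from Blue Rock: it runs over constructed process-creation events in a Sysmon-like shape (the `Host`, `User`, `Image` and `CommandLine` field names are an assumption), extracts the remote target from `/node:` or a `\\host` argument, discards invocations that only address the local machine, and summarizes which hosts each source reached.

```python
"""Detection of LOLBIN-driven lateral movement (WMIC.exe / PsExec.exe)
over process-creation events. All events below are constructed samples."""
import re
from collections import defaultdict

# Constructed sample telemetry; field names are an assumption, not a real schema.
SAMPLE_EVENTS = [
    {"Host": "WS01", "User": "corp\\jdoe",
     "Image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "CommandLine": "wmic /node:FS02 /user:corp\\svc process call create \"cmd /c whoami\""},
    {"Host": "WS01", "User": "corp\\jdoe",
     "Image": "C:\\Tools\\PsExec.exe",
     "CommandLine": "psexec.exe \\\\DC01 -s -d cmd.exe"},
    {"Host": "WS02", "User": "corp\\admin",
     "Image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "CommandLine": "wmic os get caption"},          # local query, benign
    {"Host": "WS01", "User": "corp\\jdoe",
     "Image": "C:\\Tools\\PsExec.exe",
     "CommandLine": "psexec.exe \\\\WS01 cmd.exe"},  # targets itself, not lateral
]

# WMIC: /node:host or /node:"h1","h2"; PsExec: \\host or \\h1,h2
NODE_RE = re.compile(r"/node:(\S+)", re.IGNORECASE)
UNC_RE = re.compile(r"\\\\([A-Za-z0-9._,-]+)")
LOCAL_NAMES = {"localhost", "127.0.0.1", "."}


def image_basename(image: str) -> str:
    return image.rsplit("\\", 1)[-1].lower()


def remote_targets(event: dict) -> list:
    """Hosts a WMIC/PsExec command line addresses (empty for local use)."""
    name = image_basename(event["Image"])
    cmd = event["CommandLine"]
    if name == "wmic.exe":
        m = NODE_RE.search(cmd)
        raw = m.group(1) if m else ""
    elif name in ("psexec.exe", "psexec64.exe"):
        m = UNC_RE.search(cmd)
        raw = m.group(1) if m else ""
    else:
        return []
    return [t.strip("'\"") for t in raw.split(",") if t.strip("'\"")]


def is_local(host: str, target: str) -> bool:
    return target.lower() in LOCAL_NAMES or target.lower() == host.lower()


def find_lateral_movement(events: list) -> list:
    """One finding per (event, target) pair that drives execution on another host."""
    findings = []
    for ev in events:
        for target in remote_targets(ev):
            if not is_local(ev["Host"], target):
                findings.append({"source": ev["Host"], "target": target.upper(),
                                 "tool": image_basename(ev["Image"]),
                                 "user": ev["User"]})
    return findings


def fan_out(findings: list) -> dict:
    """Distinct hosts each source reached; one source touching several targets
    is the pattern worth escalating over a single remote admin command."""
    reached = defaultdict(set)
    for f in findings:
        reached[f["source"]].add(f["target"])
    return {src: sorted(targets) for src, targets in reached.items()}


if __name__ == "__main__":
    hits = find_lateral_movement(SAMPLE_EVENTS)
    for h in hits:
        print(f"{h['source']} -> {h['target']} via {h['tool']} as {h['user']}")
    print(fan_out(hits))
```

On the sample data the benign local `wmic os get caption` and the PsExec call that targets its own host produce no findings; the two genuine remote executions from WS01 are reported and collapse into a single fan-out entry. In a real pipeline the same logic would be fed from process-creation telemetry and joined with a time window per source host.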