Earth Estries’ Espionage Campaign Detailed By Trend Micro

A newly identified hacking outfit nicknamed Earth Estries has been linked to an ongoing cyber espionage campaign targeting government and technology organizations in the Philippines, Taiwan, Malaysia, South Africa, Germany, and the US.

Trend Micro discovered the Earth Estries campaign earlier this year and says the operation is working with “high-level resources and functioning with sophisticated skills and experience in cyber espionage and illicit activities.” Among the report’s findings, the group:

  • Uses multiple backdoors and hacking tools to enhance intrusion vectors
  • Has been observed using PowerShell downgrade attacks to evade the logging mechanism of the Windows Antimalware Scan Interface (AMSI)
  • Uses public services such as GitHub, Gmail, AnonFiles, and to exchange or transfer commands and stolen data
  • Regularly cleans and redeploys its backdoors on the infected host to reduce the risk of detection
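As an added defender-side example (not from the Trend Micro report or this post), the following Python flags the downgrade pattern the second bullet refers to: Windows PowerShell log Event ID 400 records in which a v5+ host starts the v2 engine, which predates AMSI and script block logging. The event records and their field names are constructed for the demo and are assumptions, not real telemetry.

```python
import re

# Constructed sample records shaped like Windows PowerShell log Event ID 400
# ("Engine state is changed from None to Available"). The dict field names are
# assumptions for this demo; real records come from the "Windows PowerShell" channel.
SAMPLE_EVENTS = [
    {"host": "WS01", "event_id": 400,          # normal v5.1 engine start
     "message": "Engine state is changed from None to Available.\n"
                "\tHostName=ConsoleHost\n\tHostVersion=5.1.19041.1\n"
                "\tEngineVersion=5.1.19041.1"},
    {"host": "WS02", "event_id": 400,          # v2 engine started on a v5.1 host
     "message": "Engine state is changed from None to Available.\n"
                "\tHostName=ConsoleHost\n\tHostVersion=5.1.19041.1\n"
                "\tEngineVersion=2.0"},
    {"host": "WS03", "event_id": 403,          # engine stop, not a start: ignore
     "message": "Engine state is changed from Available to Stopped.\n"
                "\tHostVersion=5.1.19041.1\n\tEngineVersion=2.0"},
    {"host": "WS04", "event_id": 400,          # genuinely old box: nothing newer to downgrade from
     "message": "Engine state is changed from None to Available.\n"
                "\tHostVersion=2.0\n\tEngineVersion=2.0"},
]

_VERSION = re.compile(r"^\s*(HostVersion|EngineVersion)=(\d+)\.(\d+)", re.MULTILINE)

def parse_versions(message):
    """Return {field: (major, minor)} for HostVersion/EngineVersion in an event message."""
    return {name: (int(major), int(minor)) for name, major, minor in _VERSION.findall(message)}

def is_downgrade(event):
    """True when a v2 engine starts under a host newer than v2.

    AMSI hooks and script block logging live in PowerShell 5+; the v2 engine has
    neither, so a modern host starting EngineVersion 2.x is the downgrade pattern.
    """
    if event["event_id"] != 400:
        return False
    versions = parse_versions(event["message"])
    engine, host = versions.get("EngineVersion"), versions.get("HostVersion")
    if engine is None or host is None:
        return False
    return engine[0] == 2 and host[0] > 2

def find_downgrades(events):
    """Return the host names of events matching the downgrade pattern, in log order."""
    return [e["host"] for e in events if is_downgrade(e)]

if __name__ == "__main__":
    print(find_downgrades(SAMPLE_EVENTS))  # ['WS02']
```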

“By compromising internal servers and valid accounts, the threat actors can perform lateral movement within the victim’s network and carry out their malicious activities covertly,” the researchers said.

“Through the Server Message Block (SMB) and WMI command line (WMIC), the threat actors propagated backdoors and hacking tools in other machines in the victim’s environment. At the end of each round of operations in a series of deployments, they archived the collected data from a specified folder.”

David Mitchell, Chief Technical Officer at HYAS, had this comment:

   “Earth Estries is just another in a long line of advanced espionage groups. They appear to fully understand the network defenses and utilize living off the land (LOL) of their targets in order to go undetected. These techniques highlight the critical need to tie together endpoint and network telemetry to provide a more 360 degree view of what is happening on your infrastructure — advanced attackers know that most enterprises are blind to lateral network movement and are capitalizing on it, with ease.”

Threat actors are not just about grabbing data and holding it for ransom. They’re often about grabbing data and selling it. Or giving it to a nation state. Organizations need to factor that in when crafting how they would stop attacks like this from happening.
