A new sophisticated cyber espionage group named Earth Estries, which overlaps notorious threat group FamousSparrow, was unveiled.
The group has been active since 2020 and targets multiple government and technology organizations utilizing hacking tools and backdoors.
Trend Micro has released the latest research report regarding the tactics and techniques used by this group.
They use PowerShell downgrade attacks to avoid detection from Windows Antimalware Scan Interface’s (AMSI) logging mechanism.
Hacker Group Attack Chain
For initial infection, it targets accounts with administrative privileges and compromises one of the victim’s internal servers.
Later, they employed backdoors and hacking tools for lateral movement through the Server Message Block (SMB) and WMI command line (WMIC).
They utilize various information stealers, browser data stealers, and port scanners to leverage the attack. However, they often utilize backdoors such as Zingdoor, TrillClient, and HemiGate.
In Addition to that, they utilize commonly used remote control tools like Cobalt Strike, PlugX, or Meterpreter stagers. These tools come as encrypted payloads loaded by custom loader DLLs.
After each deployment of malware, they archived the data in a folder. They target PDF and DDF files and upload them to AnonFiles or File.io via curl.exe.
In order to avoid detection, they employ a new piece of malware every time they start the operation. Their C&C servers are hosted on virtual private server (VPS) services located in different countries, and they use fastlyCDN services to hide their IP.
They target organizations in the government and technology industries based in the Philippines, Taiwan, Malaysia, South Africa, Germany, and the US.
In addition, the actors abuse public services such as Github, Gmail, AnonFiles, and File.io to exchange or transfer commands and stolen data.
Source: https://cybersecuritynews.com/earth-estries-group-hack/