Earth Estries Uses GhostSpider Malware to Infiltrate High Value Targets

Threat Group: Earth Estries (also known as Salt Typhoon, GhostEmperor, UNC2286)
Threat Type: Advanced Persistent Threat (APT)
Exploited Vulnerabilities: Multiple N-day vulnerabilities in Ivanti Connect Secure, Fortinet FortiClient EMS, Sophos Firewall, and Microsoft Exchange Server
Malware Used: GHOSTSPIDER backdoor, MASOL RAT, Demodex rootkit, Deed RAT (SNAPPYBEE)
Threat Score: High (8.5/10) — Due to its focus on critical infrastructure, advanced stealth techniques, and global reach.
Last Threat Observation: November 27.


Overview

GhostSpider is an advanced backdoor associated with the Earth Estries APT group, known for its sophisticated cyber espionage campaigns targeting critical industries globally. First observed in 2023, GhostSpider is part of a suite of tools, including MASOL RAT and Demodex rootkit, utilized by Earth Estries to conduct prolonged cyberattacks. These campaigns have targeted telecommunications, government entities, NGOs, and critical infrastructure in regions such as the U.S., Southeast Asia, and the Middle East.

Earth Estries uses public-facing vulnerabilities for initial access and combines advanced techniques such as modular malware, encrypted communications, and persistent rootkits to maintain long-term access to targeted systems. GhostSpider exemplifies the group’s ability to evade detection while enabling data exfiltration and remote command execution.


Key Details

Targeted Sectors: Telecommunications, government agencies, NGOs, technology, consulting, transportation, and critical infrastructure.

Delivery Method: Exploitation of known vulnerabilities in public-facing servers and use of compromised credentials for lateral movement within networks.

Notable Functions of GhostSpider:

  1. Modular Backdoor Architecture:
    • GhostSpider loads and executes modules in memory, enabling reconnaissance, data exfiltration, and remote command execution.
  2. Encrypted C&C Communication:
    • Uses a custom protocol over TLS to evade network-based detection.
  3. Persistence Mechanisms:
    • Employs DLL hijacking and obfuscated scripts to remain operational even after reboots.
  4. Stealthy Operation:
    • Operates primarily in memory, leaving minimal forensic evidence.

Campaigns Overview:

  • Campaign Alpha: Targeted Taiwanese government entities and chemical companies. Open C&C directories were leveraged for payload distribution.
  • Campaign Beta: Persistent attacks on Southeast Asian telecommunications firms using GhostSpider and Demodex rootkit for stealthy infiltration.

Attack Vectors

Initial Access:
Earth Estries exploits publicly exposed vulnerabilities to gain entry into targeted systems. These include:

  • Ivanti Connect Secure VPN: Exploits CVE-2023-46805 and CVE-2024-21887 to bypass authentication and execute commands with elevated privileges.
  • Microsoft Exchange ProxyLogon: Utilizes CVE-2021-26855 and related flaws for remote code execution.
  • Fortinet and Sophos Firewall Vulnerabilities: Exploits weaknesses in firewall products to penetrate networks.

Lateral Movement:
After gaining access, Earth Estries uses living-off-the-land binaries (LOLBINs) such as WMIC.exe and PsExec.exe to move laterally across the network. Because these are legitimate binaries, their use is hard to distinguish from routine administration, which makes detection difficult.

Persistence:
GhostSpider integrates advanced persistence techniques, such as DLL hijacking and multi-layered infection chains, to remain undetected over extended periods.

C&C Infrastructure:
The backdoor communicates with its C&C servers through a custom TLS-protected protocol, ensuring encrypted communication and modular payload delivery.


Technical Analysis

Modular Architecture

GhostSpider operates in distinct stages:

  1. Stager Deployment: A DLL (e.g., spider.dll) initializes communication with the C&C server and downloads additional payloads.
  2. Beacon Loader: A secondary DLL decrypts and executes other components in memory.
  3. Modular Payloads: Modules for reconnaissance, data exfiltration, or lateral movement are deployed as needed.

Anti-Detection Features

  • Encrypted Communication: Ensures stealthy data exchange with C&C servers.
  • Fileless Operation: Primarily resides in memory, leaving minimal traces.
  • Obfuscation: Uses control flow flattening and encrypted payloads to hinder analysis.

Indicators of Compromise (IoCs)

File Hashes (SHA256)


IP Addresses (IPv4)


Domains


Mitigation and Prevention

  1. Patch Management:
    • Regularly update and patch all software to address vulnerabilities, especially those listed above.
  2. Network Segmentation:
    • Isolate critical systems from public-facing servers to limit lateral movement.
  3. Endpoint Security:
    • Deploy advanced endpoint detection and response (EDR) tools to detect and block fileless malware and unusual system behavior.
  4. Intrusion Detection:
    • Monitor traffic for IoCs and deploy IDS/IPS to block known malicious activity.
  5. User Awareness Training:
    • Train employees to recognize phishing attacks and protect their credentials.
  6. Enhanced Logging and Monitoring:
    • Enable detailed logging for rapid detection of anomalies, especially those related to LOLBIN activity.
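The Lateral Movement section and mitigation item 6 both point at LOLBIN activity (WMIC.exe and PsExec.exe) as the thing to log and hunt for. The script below is an added example written for this advisory, not code from the original page or from any of its sources: it runs a few detection heuristics over constructed process-creation records (a simplified pipe-separated form, not a real Windows event format) and flags both the source side (WMIC with a remote /node: target, PsExec with a UNC target) and the target side (a shell spawned by WmiPrvSE.exe, any child of PSEXESVC.exe). The host names, user names and log layout are assumptions made for the example.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample process-creation records (not from the advisory), in a
# simplified pipe-separated form: time|host|parent_image|image|command_line.
SAMPLE_LOG = """\
2024-11-27T10:01:02|WS01|explorer.exe|C:\\Windows\\System32\\wbem\\wmic.exe|wmic /node:FS02 /user:corp\\svc process call create "cmd /c whoami"
2024-11-27T10:01:05|FS02|C:\\Windows\\System32\\wbem\\WmiPrvSE.exe|C:\\Windows\\System32\\cmd.exe|cmd /c whoami
2024-11-27T10:02:10|WS01|cmd.exe|C:\\Tools\\PsExec.exe|PsExec.exe \\\\DC01 -s cmd.exe
2024-11-27T10:02:12|DC01|C:\\Windows\\PSEXESVC.exe|C:\\Windows\\System32\\cmd.exe|cmd.exe
2024-11-27T10:03:00|WS01|explorer.exe|C:\\Windows\\System32\\wbem\\wmic.exe|wmic os get caption
"""

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}

def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (accepts / or \\ separators)."""
    return re.split(r"[\\/]", path)[-1].lower()

def classify(parent: str, image: str, cmdline: str) -> Optional[str]:
    """Return a rule name if the record looks like LOLBIN lateral movement."""
    p, i, c = basename(parent), basename(image), cmdline.lower()
    # Source host: WMIC aimed at a remote node (local WMIC use is not flagged).
    if i == "wmic.exe" and "/node:" in c:
        return "wmic-remote-exec-source"
    # Source host: PsExec given a UNC target (\\host).
    if i in ("psexec.exe", "psexec64.exe") and "\\\\" in c:
        return "psexec-remote-exec-source"
    # Target host: the WMI provider host spawning an interactive shell.
    if p == "wmiprvse.exe" and i in SHELLS:
        return "wmi-spawned-shell-target"
    # Target host: the PsExec service binary spawning anything at all.
    if p == "psexesvc.exe":
        return "psexesvc-child-target"
    return None

def scan(log: str) -> List[Tuple[str, str, str]]:
    """Return (time, host, rule) for every record that matches a rule."""
    hits = []
    for line in log.splitlines():
        if not line.strip():
            continue
        time, host, parent, image, cmdline = line.split("|", 4)
        rule = classify(parent, image, cmdline)
        if rule:
            hits.append((time, host, rule))
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(*hit)
```

Pairing a source-side hit with a target-side hit on the named host within a short window is what turns these individual alerts into a lateral-movement finding; the local `wmic os get caption` record is deliberately left unflagged to keep the noise down.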

Conclusion

GhostSpider highlights the evolving threat landscape, where APT groups leverage modular, stealthy malware to achieve prolonged cyber espionage objectives. With its advanced capabilities, GhostSpider poses a severe risk to targeted organizations. To mitigate the threat, organizations must adopt a layered security approach, emphasizing proactive measures such as patching, robust network segmentation, and continuous threat monitoring.


Sources

  1. Trend Micro: Game of Emperor: Unveiling Long Term Earth Estries Cyber Intrusions
  2. Bleeping Computer: Salt Typhoon hackers backdoor telcos with new GhostSpider malware
  3. The Hacker News: Chinese Hackers Use GHOSTSPIDER Malware to Hack Telecoms Across 12+ Countries