Earth Estries Uses GhostSpider Malware to Infiltrate High Value Targets
Threat Group: Earth Estries (also known as Salt Typhoon, GhostEmperor, UNC2286)
Threat Type: Advanced Persistent Threat (APT)
Exploited Vulnerabilities: Multiple N-day vulnerabilities in Ivanti Connect Secure, Fortinet FortiClient EMS, Sophos Firewall, and Microsoft Exchange Server
Malware Used: GHOSTSPIDER backdoor, MASOL RAT, Demodex rootkit, Deed RAT (SNAPPYBEE)
Threat Score: High (8.5/10) — Due to its focus on critical infrastructure, advanced stealth techniques, and global reach.
Last Threat Observation: November 27.
Overview
GhostSpider is an advanced backdoor associated with the Earth Estries APT group, known for its sophisticated cyber espionage campaigns targeting critical industries globally. First observed in 2023, GhostSpider is part of a suite of tools, including MASOL RAT and Demodex rootkit, utilized by Earth Estries to conduct prolonged cyberattacks. These campaigns have targeted telecommunications, government entities, NGOs, and critical infrastructure in regions such as the U.S., Southeast Asia, and the Middle East.
Earth Estries uses public-facing vulnerabilities for initial access and combines advanced techniques such as modular malware, encrypted communications, and persistent rootkits to maintain long-term access to targeted systems. GhostSpider exemplifies the group’s ability to evade detection while enabling data exfiltration and remote command execution.
Key Details
Targeted Sectors: Telecommunications, government agencies, NGOs, technology, consulting, transportation, and critical infrastructure.
Delivery Method: Exploitation of known vulnerabilities in public-facing servers and use of compromised credentials for lateral movement within networks.
Notable Functions of GhostSpider:
- Modular Backdoor Architecture: GhostSpider loads and executes modules in memory, enabling reconnaissance, data exfiltration, and remote command execution.
- Encrypted C&C Communication: Uses a custom protocol over TLS to evade network-based detection.
- Persistence Mechanisms: Employs DLL hijacking and obfuscated scripts to remain operational even after reboots.
- Stealthy Operation: Operates primarily in memory, leaving minimal forensic evidence.
Campaigns Overview:
- Campaign Alpha: Targeted Taiwanese government entities and chemical companies. Open C&C directories were leveraged for payload distribution.
- Campaign Beta: Persistent attacks on Southeast Asian telecommunications firms using GhostSpider and Demodex rootkit for stealthy infiltration.
Attack Vectors
Initial Access:
Earth Estries exploits publicly exposed vulnerabilities to gain entry into targeted systems. These include:
- Ivanti Connect Secure VPN: Exploits CVE-2023-46805 and CVE-2024-21887 to bypass authentication and execute commands with elevated privileges.
- Microsoft Exchange ProxyLogon: Utilizes CVE-2021-26855 and related flaws for remote code execution.
- Fortinet and Sophos Firewall Vulnerabilities: Exploits weaknesses in firewall products to penetrate networks.
Lateral Movement:
After gaining access, Earth Estries uses living-off-the-land binaries (LOLBINs) such as WMIC.exe and PsExec.exe to move laterally across the network. Because these are legitimate Windows utilities that administrators also use, their activity blends in with normal operations and is difficult to distinguish from benign use.
Persistence:
GhostSpider integrates advanced persistence techniques, such as DLL hijacking and multi-layered infection chains, to remain undetected over extended periods.
C&C Infrastructure:
The backdoor communicates with its C&C servers through a custom TLS-protected protocol, ensuring encrypted communication and modular payload delivery.
Technical Analysis
Modular Architecture
GhostSpider operates in distinct stages:
- Stager Deployment: A DLL (e.g., spider.dll) initializes communication with the C&C server and downloads additional payloads.
- Beacon Loader: A secondary DLL decrypts and executes other components in memory.
- Modular Payloads: Modules for reconnaissance, data exfiltration, or lateral movement are deployed as needed.
Anti-Detection Features
- Encrypted Communication: Ensures stealthy data exchange with C&C servers.
- Fileless Operation: Primarily resides in memory, leaving minimal traces.
- Obfuscation: Uses control flow flattening and encrypted payloads to hinder analysis.
Indicators of Compromise (IoCs)
File Hashes (SHA256)
IP Addresses (IPV4)
Domains
Mitigation and Prevention
- Patch Management: Regularly update and patch all software to address vulnerabilities, especially those listed above.
- Network Segmentation: Isolate critical systems from public-facing servers to limit lateral movement.
- Endpoint Security: Deploy advanced endpoint detection and response (EDR) tools to detect and block fileless malware and unusual system behavior.
- Intrusion Detection: Monitor traffic for IoCs and deploy IDS/IPS to block known malicious activity.
- User Awareness Training: Train employees to recognize phishing attacks and protect their credentials.
- Enhanced Logging and Monitoring: Enable detailed logging for rapid detection of anomalies, especially those related to LOLBIN activity.
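An added detection example, not taken from the advisory or from any vendor product, that covers both the WMIC.exe/PsExec.exe lateral movement described under Attack Vectors and the LOLBIN logging recommendation above: it scans process-creation events and raises a high-severity alert when WMIC is pointed at a remote node or PsExec is given a remote target. The pipe-delimited event format and all sample events are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample process-creation events (one per line), in an assumed
# simplified format: timestamp|host|user|parent_image|image|command_line
SAMPLE_LOG = r"""
2024-11-27T08:01:12Z|SRV-DB01|CORP\svc_backup|C:\Windows\explorer.exe|C:\Windows\System32\wbem\WMIC.exe|wmic os get caption
2024-11-27T08:03:44Z|SRV-WEB02|CORP\webadmin|C:\Windows\System32\cmd.exe|C:\Windows\System32\wbem\WMIC.exe|wmic /node:10.0.5.12 /user:CORP\admin process call create "cmd /c hostname"
2024-11-27T08:05:09Z|SRV-WEB02|CORP\webadmin|C:\Windows\System32\cmd.exe|C:\Tools\PsExec.exe|PsExec.exe \\10.0.5.13 -accepteula cmd.exe
2024-11-27T08:10:31Z|WS-1042|CORP\jdoe|C:\Windows\explorer.exe|C:\Program Files\Mozilla Firefox\firefox.exe|firefox.exe
"""

@dataclass
class Alert:
    severity: str
    rule: str
    host: str
    user: str
    target: Optional[str]   # remote host named on the command line, if any
    command_line: str

# wmic /node:HOST or /node:"HOST" selects a remote WMI target
WMIC_NODE = re.compile(r'/node:"?([^\s",]+)', re.IGNORECASE)
# PsExec names its target as a UNC-style \\HOST argument
PSEXEC_TARGET = re.compile(r"\\\\([^\s\\]+)")
LOCAL_TARGETS = {"localhost", "127.0.0.1", "."}

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def analyze_event(line: str) -> Optional[Alert]:
    """Classify one event; returns None for well-formed benign or malformed lines."""
    fields = line.split("|", 5)
    if len(fields) != 6:
        return None
    _ts, host, user, _parent, image, cmd = fields
    name = basename(image)
    if name == "wmic.exe":
        m = WMIC_NODE.search(cmd)
        if m and m.group(1).lower() not in LOCAL_TARGETS:
            return Alert("high", "wmic_remote_exec", host, user, m.group(1), cmd)
        return Alert("low", "wmic_local_use", host, user, None, cmd)   # worth logging, not alarming
    if name in ("psexec.exe", "psexec64.exe", "psexesvc.exe"):
        m = PSEXEC_TARGET.search(cmd)
        return Alert("high", "psexec_lateral_move", host, user, m.group(1) if m else None, cmd)
    return None

def analyze_log(text: str) -> List[Alert]:
    return [a for a in (analyze_event(l) for l in text.splitlines() if l.strip()) if a]

if __name__ == "__main__":
    for alert in analyze_log(SAMPLE_LOG):
        print(f"[{alert.severity}] {alert.rule} on {alert.host} by {alert.user} -> {alert.target}")
```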
Conclusion
GhostSpider highlights the evolving threat landscape, where APT groups leverage modular, stealthy malware to achieve prolonged cyber espionage objectives. With its advanced capabilities, GhostSpider poses a severe risk to targeted organizations. To mitigate the threat, organizations must adopt a layered security approach, emphasizing proactive measures such as patching, robust network segmentation, and continuous threat monitoring.