GhostSpider Backdoor

A sophisticated China-linked cyber espionage group known as Earth Estries has been targeting telecommunications and government entities across Southeast Asia and beyond. The group has employed a variety of advanced techniques to infiltrate critical industries, including a previously undocumented backdoor named GhostSpider. The threat actor has also been observed exploiting several vulnerabilities to gain unauthorized access to its targets, reflecting the increasing sophistication of China's cyber capabilities.

GhostSpider: The Undocumented Backdoor

GhostSpider, a new addition to the Earth Estries arsenal, has been used as a primary means of infiltrating networks. The backdoor is highly targeted, specifically crafted to exploit weaknesses in the infrastructure of Southeast Asian telecommunications firms. Earth Estries uses it alongside another backdoor, the MASOL RAT (also known as Backdr-NQ), to target Linux systems within government networks. The group's reliance on custom-made malware gives it a persistent presence inside compromised networks and enables long-term cyber espionage.

A Global Reach: Targeting Multiple Sectors

The Earth Estries has made significant strides in compromising a wide range of sectors, including telecommunications, technology, consulting, transportation, chemical industries, and government organizations. The group's operations span over 20 victims across more than a dozen countries, including Afghanistan, Brazil, India, Indonesia, Malaysia, South Africa, the U.S. and Vietnam. This broad targeting underscores the group's capability and ambition, with an estimated 150 victims affected by their activities, particularly within the U.S. government and private sector.

The Tools of the Earth Estries

Among the many tools at the Earth Estries' disposal, the Demodex rootkit and Deed RAT (also known as SNAPPYBEE) stand out. These tools, along with others such as Crowdoor and TrillClient, are integral to the group's operations. ShadowPad, a malware family widely used by Chinese APT groups, is believed to have influenced the development of Deed RAT, which is regarded as its likely successor. These advanced backdoors and information stealers allow Earth Estries to remain hidden while exfiltrating sensitive information from its targets.

Exploiting Vulnerabilities for Initial Access

To gain access to its targets, Earth Estries relies heavily on N-day vulnerabilities: flaws that have been publicly disclosed, and for which fixes are typically available, but that remain unpatched on the victim's systems. Some of the most commonly exploited vulnerabilities include those in Ivanti Connect Secure, Fortinet FortiClient EMS, Sophos Firewall and Microsoft Exchange Server. Once a vulnerability has been exploited, Earth Estries deploys its custom malware, embedding itself further into the compromised network for long-term surveillance and data collection.

A Complex and Well-Organized Group

The Earth Estries operates with a highly structured and organized approach. Based on the analysis of several campaigns, it appears that different teams within the group are responsible for targeting specific regions and industries. The group's Command-and-Control (C2) infrastructure is also decentralized, with distinct teams managing different backdoor operations. This segmentation allows for a more complex and coordinated series of attacks across various sectors.

GhostSpider: A Multi-Module Implant

At the heart of the Earth Estries' operations is the GhostSpider implant. This sophisticated tool communicates with attacker-controlled infrastructure through a custom protocol secured by Transport Layer Security (TLS). The implant can retrieve additional modules as needed, expanding its functionality. Its flexibility makes it a powerful tool for long-term cyber espionage, allowing the Earth Estries to adapt and evolve its operations as the situation demands.

Stealth and Evasion Tactics

Earth Estries employs a variety of stealth techniques to avoid detection. The group begins its attacks at edge devices and gradually extends its reach into cloud environments, which makes its presence difficult to detect. By maintaining a low profile and hiding behind layers of infrastructure, Earth Estries keeps its activities undetected for extended periods, allowing for uninterrupted data collection.

Telecommunication Companies: A Frequent Target

Telecommunication companies have long been a prime target for China-linked cyber threat groups, with Earth Estries joining the ranks of others such as Granite Typhoon and Liminal Panda. These attacks reveal the increasing maturity of China's cyber program, which has shifted from one-off strikes to bulk data collection and sustained campaigns aimed at critical service providers. The Earth Estries' focus on Managed Service Providers (MSPs), Internet Service Providers (ISPs), and platform providers signals a shift in China's strategy toward continuous access to global communications networks.

Conclusion: A Growing Cyber Espionage Threat

As the Earth Estries continues to expand its operations, it highlights the growing capabilities of China-linked cyber espionage groups. The use of sophisticated malware, combined with a focus on critical infrastructure sectors, demonstrates a well-organized and evolving threat. For organizations in the affected regions, the need for heightened vigilance and robust cybersecurity measures has never been more critical.
