Earth Estries, also known as Salt Typhoon, is a sophisticated and persistent cyber threat actor that has been active since at least 2020. Recent analysis reveals two distinct attack chains employed by the group, both showcasing their diverse and evolving tactics, techniques, and tools (TTPs). Common to both chains is the exploitation of vulnerable systems such as Microsoft Exchange servers and network adapter management tools. While Earth Estries leverages these vulnerabilities to gain initial access, the ways in which they move laterally within compromised networks and maintain persistence are notably different in each chain. This strategic flexibility makes the group particularly effective at executing long-term cyber operations across a range of targeted industries, including governments and technology firms.
The first attack chain is heavily reliant on PsExec, a well-known Windows tool that allows attackers to execute commands remotely. In this case, Earth Estries uses PsExec alongside tools like Cobalt Strike, Trillclient, Hemigate, and Crowdoor, which are delivered through CAB file packages. These tools enable lateral movement within the network, granting the attacker access to various machines and data. Trillclient is particularly effective for credential theft, siphoning login information from browser caches to further expand the actor’s access. Earth Estries has also displayed advanced knowledge of victim environments, as evidenced by their use of wget to specifically download documents from the target’s internal web-based document management system. This attention to detail highlights the group’s strategic planning and thorough reconnaissance.
In contrast, the second attack chain takes a different approach by utilizing malware such as Zingdoor, SnappyBee, and other utility tools like PortScan and NinjaCopy. These tools are delivered through cURL downloads, highlighting Earth Estries’ flexibility in choosing different methods to inject malware into victim networks. Much like the first chain, the second chain also relies on backdoors like Cobalt Strike and Crowdoor to maintain access and move laterally across networks. However, the use of cURL for downloading tools suggests a more nuanced approach to exploiting vulnerabilities, as it may allow for more covert delivery of malicious payloads. Despite these differences, both chains exhibit the group’s capacity for sustained cyber operations and persistence in compromised environments.
Earth Estries’ operations are marked by their continuous updates and maintenance of tools. The group’s ability to adapt and evolve its tactics over time has allowed them to sustain access and control within compromised networks for extended periods. This adaptability is further emphasized by their use of backdoors like Crowdoor, which interact with other tools such as Cobalt Strike to ensure that their presence remains undetected and their objectives are met.
