The cyberspy group known as Earth Estries, with suspected ties to China, has launched targeted cyberespionage operations against governments and technology companies in the US, Germany, South Africa, and several Asian countries. Trend Micro has been tracking this group, revealing that Earth Estries has been active since at least 2020.
Although direct attribution to a specific country has not been made, there are noticeable similarities in tactics and techniques with another APT named FamousSparrow, which might be associated with Chinese threat actors SparklingGoblin and DRBControl.
Earth Estries’ victims have been identified in countries such as the United States, Germany, South Africa, Malaysia, the Philippines, and Taiwan. There is also evidence suggesting attacks on entities in India, Canada, and Singapore. The main targets have been governmental and technological organizations. The group’s modus operandi typically involves compromising admin accounts after infiltrating internal servers, followed by lateral movement, deployment of backdoors, and data exfiltration.
Notably, Earth Estries employs various malware in its operations, including HemiGate and Zingdoor backdoors, as well as the TrillClient information stealer. The group’s command and control (C&C) infrastructure relies on the Fastly CDN service and utilizes C&C servers hosted on virtual private server (VPS) services across multiple countries.
Trend Micro’s analysis suggests that Earth Estries operates with high-level resources, sophisticated skills, and experience in cyberespionage and illicit activities. The group’s evasion techniques encompass PowerShell downgrade attacks and the abuse of public services like GitHub, Gmail, AnonFiles, and File.io for covert communication and data transfer.
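The PowerShell downgrade attacks named above matter to defenders because the Windows PowerShell 2.0 engine predates script block logging and AMSI; on a host where the 5.x engine is the default, a 2.0 engine being started is a useful signal. The following detection over event ID 400 records is an added example, not code from Trend Micro's report, and the event records in it are constructed.

```python
"""Flag Windows PowerShell engine downgrades (to the 2.0 engine) in event records."""
import re

# Constructed sample records shaped like Windows PowerShell event ID 400
# ("Engine state is changed from None to Available"). That event carries both
# the engine version that was started and the version of the powershell.exe
# host that started it, which is exactly what a downgrade makes disagree.
SAMPLE_EVENTS = [
    {"EventID": 400, "HostApplication": "powershell.exe -NoProfile",
     "EngineVersion": "5.1.19041.1", "HostVersion": "5.1.19041.1"},
    {"EventID": 400, "HostApplication": "powershell.exe -Version 2 -ep bypass",
     "EngineVersion": "2.0", "HostVersion": "5.1.19041.1"},
    {"EventID": 400, "HostApplication": "powershell -v 2",  # v2 engine absent, attempt still visible
     "EngineVersion": "5.1.19041.1", "HostVersion": "5.1.19041.1"},
    {"EventID": 403, "HostApplication": "powershell.exe",
     "EngineVersion": "5.1.19041.1", "HostVersion": "5.1.19041.1"},
]

# Command-line request for the legacy engine: "-Version 2", "-v 2", "-version 2.0".
V2_SWITCH = re.compile(r"(?i)(?:^|\s)-v(?:ersion)?\s+2(?:\.0)?(?=\s|$)")


def major(version: str) -> int:
    """Return the major component of a dotted version string."""
    return int(version.split(".")[0])


def downgrade_reasons(event: dict) -> list[str]:
    """Return the downgrade indicators present in one event ID 400 record.

    A 5.x host that starts a 2.0 engine, or is asked to via -Version 2,
    is worth alerting on even when the 2.0 engine is not installed.
    """
    if event.get("EventID") != 400:
        return []
    reasons = []
    if major(event["EngineVersion"]) == 2 and major(event["HostVersion"]) >= 5:
        reasons.append("engine 2.0 started by host %s" % event["HostVersion"])
    if V2_SWITCH.search(event.get("HostApplication", "")):
        reasons.append("-Version 2 switch on command line")
    return reasons


def find_downgrades(events: list[dict]) -> dict[int, list[str]]:
    """Map the index of each suspicious event to its indicators."""
    return {i: r for i, e in enumerate(events) if (r := downgrade_reasons(e))}


if __name__ == "__main__":
    for idx, reasons in find_downgrades(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx]["HostApplication"], "->", "; ".join(reasons))
```

In production the records would come from the Windows PowerShell operational log rather than a literal list; the two checks are independent so that either signal alone raises an alert.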