
New GhostSpider Backdoor Seen in Chinese APT Group Attacks

New research from Trend Micro found that a known Chinese APT group, Earth Estries, has been utilizing a never-before-seen backdoor in attacks over the past year.

New research from Trend Micro found that a known Chinese APT group, Earth Estries, has been utilizing a never-before-seen backdoor in attacks on telecommunications companies in Southeast Asia. These attacks, which were observed in August, revealed how the group has evolved its toolset and give some insight into the sophistication and complexity of the APT's behind-the-scenes operations, said researchers with Trend Micro in a Monday analysis.

“Our analysis suggests that Earth Estries is a well-organized group with a clear division of labor,” said researchers. “Based on observations from multiple campaigns, we speculate that attacks targeting different regions and industries are launched by different actors. Additionally, the C&C infrastructure used by various backdoors seems to be managed by different infrastructure teams, further highlighting the complexity of the group's operations.”

Key Findings:

  • Researchers said that the targets in these attacks were “long-term,” with most victims being compromised for several years. The group leveraged the DEMODEX rootkit in order to maintain this covert access to victims' networks

  • In the early stages, attackers obtained credentials and compromised machines via web vulnerabilities and the Microsoft Exchange ProxyLogon exploit chain

  • In the August attacks, the threat group used a sophisticated, modular, never-before-seen backdoor, which researchers have named GhostSpider

  • The group also leveraged several known backdoors, including a tool that has been shared among different Chinese threat groups, which Trend Micro researchers call SnappyBee, and a cross-platform backdoor called Masol RAT that researchers had previously identified while investigating Southeast Asian government incidents in 2020

Why It Matters: The group’s adoption of new backdoors continues to add complexity to its attacks and makes its activities harder to detect. For instance, with the modular nature of the GhostSpider backdoor, new components can be updated based on the threat actor’s evolving needs, researchers said. 

“Additionally, it complicates detection and analysis, as analysts are forced to piece together a fragmented view of the malware’s full functionality,” said researchers. “By isolating different capabilities across separate modules, GHOSTSPIDER not only reduces its footprint, but also makes it challenging to construct a comprehensive understanding of its operation and overall objectives.”

The Big Picture: Earth Estries is one to watch. Researchers with Trend Micro, who have been tracking the group closely over the last year, said it has emerged as one of the most aggressive Chinese APTs, and found that it has compromised more than 20 organizations across the telecoms, technology, consulting, chemical, and transportation sectors, as well as government agencies. The group has also targeted companies in several locations, including the U.S., the Middle East, South Africa and the Asia-Pacific region.

Notably, Earth Estries’ activity overlaps with activity from groups categorized under the Salt Typhoon, FamousSparrow, GhostEmperor and UNC2286 umbrella. Salt Typhoon has recently been linked to an attack on telecom company networks that impacted U.S. government officials’ sensitive data; however, Trend Micro researchers said on Monday “we don’t have sufficient evidence that Earth Estries is related to the recent news of a recent Salt Typhoon cyberattack, as we have not seen a more detailed report on Salt Typhoon. Currently, we can only confirm that some of Earth Estries’ tactics, techniques, and procedures (TTPs) overlap with that of FamousSparrow and GhostEmperor.”