Trend Micro researchers detail Earth Estries, a sophisticated cyberespionage operation focusing on governments and technology-sector targets, with overlaps to FamousSparrow. The group uses multiple backdoors (Zingdoor, TrillClient, HemiGate), DLL sideloading, PowerShell downgrades, and covert exfiltration via public services and email, backed by a Fastly CDN-based C2 and broad victimology. #EarthEstries #FamousSparrow
Keypoints
- Earth Estries is a mature cyberespionage actor active since at least 2020 with overlaps in TTPs with FamousSparrow.
- The campaign targets government and technology organizations across the Philippines, Taiwan, Malaysia, South Africa, Germany, and the US, with indications of activity in Canada, India, and Singapore.
-
MITRE Techniques
- [T1078] Valid Accounts – ‘compromising existing accounts with administrative privileges after it successfully infected one of the organization’s internal servers.’
- [T1021.002] SMB/Windows Admin Shares – ‘propagated backdoors and hacking tools in other machines in the victim’s environment’ via SMB/WMIC.
- [T1059.001] PowerShell – ‘PowerShell downgrade attacks to avoid detection from Windows AMSI’s logging mechanism.’
- [T1574.001] DLL Side-Loading – ‘Zingdoor was disguised as mpclient.dll and designed to run via DLL sideloading by abusing Windows defender binary MsSecEs.exe.’
- [T1113] Screen Capture – ‘Screenshot: Takes a screenshot of the active desktop window.’
- [T1056.001] Keylogging – ‘The keylogger feature utilizes a non-interactive static control window… and logs keystrokes with User, Title, Time, Key.’
- [T1082] System Information Discovery – ‘Get system information.’
- [T1007] System Service Discovery – ‘Get Windows service information.’
- [T1041] Exfiltration Over C2 Channel – ‘the collected data will be sent to the threat actor’s email account trillgamby@gmail[.]com over SMTP.’
- [T1047] Windows Management Instrumentation – ‘WMIC’ used for lateral movement and command execution.
- [T1560.001] Archive Collected Data – ‘archived the collected data from a specified folder.’
Indicators of Compromise
- [Domain] C2/hosting domains – nx2.microware-help[.]com, east.smartpisang[.]com, and 2 more domains
- [IP] 103.133.137[.]157 – Used in a ping test to check remote server availability
- [File name] 7C809B4866086EF7FB1AB722F94DF5AF493B80DB – Victim list name used by TrillClient
- [File name] taskhask.doc – Encrypted backdoor configuration file for HemiGate
- [File name] taskhask.dat – HemiGate configuration
- [URL] hxxps://raw[.]githubusercontent[.]com/trillgb/codebox/main/config.json – Config retrieval for TrillClient
- [Email] trillgamby@gmail[.]com – SMTP data exfiltration target for TrillClient
- [Domain] smartlinkcorp[.]net – Cobalt Strike beacon hosting domain observed in C2 infrastructure
- [Domain] cdn728a66b0.smartlinkcorp[.]net – C2-related domain tied to Fastly CDN usage
- [Domain] east.smartpisang[.]com – WHOIS/C2 domain tied to Earth Estries infrastructure