Earth Estries’ Espionage Campaign Targets Governments and Tech Titans Across Continents

A hacking outfit tracked as Earth Estries has been linked to a new, ongoing cyber espionage campaign targeting government agencies and technology companies based in the Philippines, Taiwan, Malaysia, South Africa, Germany, and the U.S.

Active since at least 2020, Earth Estries is said to share tactical overlaps with another nation-state group tracked as FamousSparrow, which was first exposed by ESET in 2021 as exploiting ProxyLogon flaws in Microsoft Exchange Server to penetrate hospitality, government, engineering, and legal sectors.

It’s worth pointing out that commonalities have also been unearthed between FamousSparrow and UNC4841, an uncategorized activity cluster held responsible for the weaponization of a recently disclosed zero-day flaw in Barracuda Networks Email Security Gateway (ESG) appliances.


The group's malware arsenal encompasses PlugX; Zingdoor, a Go-based implant that captures system information, enumerates and manages files, and runs arbitrary commands; TrillClient, a custom stealer written in Go that siphons data from web browsers; and HemiGate, a backdoor that can log keystrokes, take screenshots, perform file operations, and monitor processes.

Another significant aspect of the modus operandi is the abuse of public services such as GitHub, Gmail, and AnonFiles to exchange or transfer commands and stolen data. A majority of the command-and-control (C2) servers are located in the U.S., India, Australia, Canada, China, Japan, Finland, South Africa, and the U.K.

“By compromising internal servers and valid accounts, the threat actors can perform lateral movement within the victim’s network and carry out their malicious activities covertly,” the researchers said. “They also use techniques like PowerShell downgrade attacks and novel DLL side-loading combinations to evade detection.”
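The PowerShell downgrade attack the researchers mention works by starting the legacy 2.0 engine (powershell.exe -Version 2), which predates script block logging and AMSI, so a script that would be caught under the 5.x engine runs unlogged. As an added example, not code from the original article or from the researchers it quotes, here is a small Python detector that flags the two places a downgrade shows up: a process command line carrying the version switch, and a Windows PowerShell log Event ID 400 record whose EngineVersion is 2.0 while the HostVersion is newer. Every command line and event body in it is a constructed sample, and the function and constant names are this example's own.

```python
"""Flag PowerShell engine-downgrade attempts in two telemetry sources:
process command lines that start powershell.exe with the legacy 2.0 engine,
and Windows PowerShell log Event ID 400 ("Engine state is changed from None
to Available") records, whose message body carries EngineVersion and
HostVersion fields. All command lines and event bodies are constructed."""
import re

# powershell.exe accepts any unambiguous prefix of "-Version" (-v, -ver, ...),
# so match the whole prefix ladder followed by "2" or "2.0".
_DOWNGRADE_SWITCH = re.compile(
    r"(?i)(?:^|\s)[-/]v(?:e(?:r(?:s(?:i(?:o(?:n)?)?)?)?)?)?\s+2(?:\.0)?(?=\s|$)"
)
_POWERSHELL = re.compile(r"(?i)\bpowershell(?:\.exe)?\b")


def cmdline_is_downgrade(cmdline: str) -> bool:
    """True if the command line launches powershell with the 2.0 engine."""
    return bool(_POWERSHELL.search(cmdline) and _DOWNGRADE_SWITCH.search(cmdline))


def parse_event400(message: str) -> dict:
    """Pull the Key=Value lines (EngineVersion, HostVersion, HostApplication,
    ...) out of an Event 400 message body."""
    return {k: v for k, v in re.findall(r"^\s*(\w+)=(.*?)\s*$", message, re.M)}


def event400_is_downgrade(message: str) -> bool:
    """Flag an Event 400 whose engine is 2.0 but whose host is 3.0 or newer.
    EngineVersion 2.0 under HostVersion 2.0 is just an old box, not a downgrade."""
    fields = parse_event400(message)
    engine = fields.get("EngineVersion", "")
    host = fields.get("HostVersion", "")
    return engine.startswith("2.") and bool(host) and not host.startswith("2.")


def scan(cmdlines, events):
    """Return (record id, reason) for every record that looks like a downgrade."""
    hits = [(f"cmdline[{i}]", "2.0 engine requested on command line")
            for i, c in enumerate(cmdlines) if cmdline_is_downgrade(c)]
    hits += [(f"event400[{i}]", "EngineVersion 2.0 under a newer host")
             for i, e in enumerate(events) if event400_is_downgrade(e)]
    return hits


def _event400(host_version: str, engine_version: str, host_app: str) -> str:
    """Build a constructed Event 400 message body in the real log's layout."""
    return (
        "Engine state is changed from None to Available.\n\nDetails:\n"
        "\tNewEngineState=Available\n\tPreviousEngineState=None\n\n"
        "\tSequenceNumber=13\n\n\tHostName=ConsoleHost\n"
        f"\tHostVersion={host_version}\n"
        "\tHostId=00000000-0000-0000-0000-000000000000\n"
        f"\tHostApplication={host_app}\n"
        f"\tEngineVersion={engine_version}\n"
        "\tRunspaceId=00000000-0000-0000-0000-000000000000\n"
        "\tPipelineId=\n\tCommandName=\n\tCommandType=\n"
        "\tScriptName=\n\tCommandPath=\n\tCommandLine="
    )


# Constructed samples. "SQBFAFgA" is UTF-16LE "IEX" base64-encoded.
SAMPLE_CMDLINES = [
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -File C:\ops\backup.ps1',
    r"powershell.exe -version 2 -nop -w hidden -enc SQBFAFgA",
    r'powershell -v 2.0 -c "Get-Process"',
    r"cmd.exe /c echo -version 2",
]
SAMPLE_EVENTS = [
    _event400("5.1.19041.3031", "2.0", "powershell.exe -version 2 -nop -w hidden -enc SQBFAFgA"),
    _event400("5.1.19041.3031", "5.1.19041.3031", "powershell.exe -NoProfile"),
    _event400("2.0", "2.0", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
]

if __name__ == "__main__":
    for record, reason in scan(SAMPLE_CMDLINES, SAMPLE_EVENTS):
        print(f"DOWNGRADE {record}: {reason}")
```

Event 400 lives in the classic "Windows PowerShell" log and is written by the 2.0 engine too, which is why it catches sessions that never produce a script block (Event 4104) entry. The command-line check is the cheaper signal but misses an engine started through a host other than powershell.exe, so the two are complementary. The durable fix is to remove the engine with `Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root`, after which a `-Version 2` request fails instead of silently downgrading.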