"Earth Estries Cyberespionage Group Targets Government, Tech Sectors"

A cyberespionage group possibly linked to China has recently targeted government-related organizations and technology companies in various parts of the world. Security researchers at Trend Micro, who track the group as Earth Estries, say it has been active since at least 2020. The researchers have not directly attributed Earth Estries to any particular country, but they point out overlaps in tactics, techniques, and procedures (TTPs) with an APT named FamousSparrow. FamousSparrow, which in 2021 was seen targeting governments and hotels, may be connected to the China-linked threat actors SparklingGoblin and DRBControl.

The researchers are aware of Earth Estries victims in the United States, Germany, South Africa, Malaysia, the Philippines, and Taiwan, and some evidence suggests that entities in India, Canada, and Singapore were also attacked. The targets were mainly organizations in the government and technology sectors.

The attackers typically compromise admin accounts after breaching the targeted organization's internal servers. They then move laterally and deploy backdoors and other tools before collecting and exfiltrating valuable data. The malware used by the group includes the HemiGate and Zingdoor backdoors and the TrillClient information stealer.

Earth Estries' command and control (C&C) infrastructure relies on the Fastly CDN service, a legitimate and widely used provider whose traffic blends in with ordinary web traffic; Fastly has in the past been abused by threat actors related to the Chinese group APT41. The researchers' analysis uncovered C&C servers hosted on virtual private server (VPS) services in various countries, including the US, India, Canada, the UK, Finland, Germany, Macedonia, China, South Korea, Japan, South Africa, and Australia.


SecurityWeek reports: "Earth Estries Cyberespionage Group Targets Government, Tech Sectors"