Breaking Down Earth Estries' Persistent TTPs in Prolonged Cyber Operations

    Date: 11/13/2024

    Severity: Medium

    Summary

    "Breaking Down Earth Estries' Persistent TTPs in Prolonged Cyber Operations" details the tactics used by the Earth Estries threat group in its long-running campaigns. The group uses two primary attack chains: one leveraging PsExec and tools such as Trillclient, Hemigate, and Crowdoor delivered via CAB files, and another using malware such as Zingdoor and SnappyBee delivered through cURL downloads. Both chains exploit vulnerabilities in systems such as Microsoft Exchange servers and network management tools. Earth Estries maintains persistence through backdoors, continuous tool updates, and lateral movement. It exfiltrates data using Trillclient and cURL, often sending stolen information to anonymized file-sharing services while using proxies to obscure its activity.

    Indicators of Compromise (IOC) List

    URL/Domain

    cdglobalclouds.com

    broadmediacloud.com

    zmail.broadmediacloud.com

    www.nodtecloud.com

    mail2-0da8aa1c.oxcdntech.com

    helpdesk.athenatechlabs.com

    supports.flarecastdns.com

    ns.starkaero.com

    pay.johannesburghotel.net

    kidshomeworkabc.global.ssl.fastly.net

    ap.missmichiko.com

    portal.sppokemon.com

    svn.truecdnnetwork.com

    lync.realtxholdem.com

    globalnetzone.b-cdn.net

    amazoncdns.com

    www.euphemismscase.site

    www.dbacloudsupport.com

    www.cloudshappen.com

    www.amazoncdns.com

    supports.dbacloudsupport.com

    ssl3.awsdns-531.com

    soffice.offices-analytics.com

    services.offices-analytics.com

    resource.offices-analytics.com

    redsquare.redcrossco.com

    portal.techmersion.com

    portal.cdglobalclouds.com

    opengl.cloudshappen.com

    ns108.cloudshappen.com

    ns101.awsdns-531.com

    ms119.newsfreecloud.com

    ms101.cloudshappen.com

    mail.euphemismscase.site

    llnw-dd.awsdns-531.com

    images.dbacloudsupport.com

    helpdesk.cloudshappen.com

    global.techmersion.com

    ge.huseinhbz.click

    ftp.techmersion.com

    euphemismscase.site

    emv1.techmersion.com

    emv1.cdglobalclouds.com

    de.huseinhbz.click

    credits.offices-analytics.com

    cloudsrv.cloudfrontsrv.com

    cdn181.awsdns-531.com

    cdn101.cloudflaresrv.com

    cas04.awsdns-531.com

    cachecloud.cloudflaresrv.com

    cache10.newsfreecloud.com

    c11r.awsdns-531.com

    blog.techmersion.com

    auth.boxlibraries.com

    IP Address

    103.159.133.209

    45.192.178.208

    38.54.71.140

    103.159.133.205

    103.103.131.40

    103.15.28.228

    154.220.3.17

    156.255.2.202

    103.103.128.121

    162.19.135.182

    Hash

    42d4eb7f04111631891379c5cce55480d2d9d2ef8feaf1075e1aed0c52df4bb9
    
    95062728536f23b1335756ae1a1d68f1df22d58594ece9998cae6b73772fd49f
    
    6a4de5c7787e212dea5f033f8f7cd39aefc93e7c83c8564dc2204813e8e76ff2
    
    27042218e8d1a0491525b35a6dc2fc0737841bcaed65b751e78769eadeda9751
    
    c32156a7de42a61f5d584e82dfbced690d23fd72080024c14a9143e5f20f0ad8
    
    a298031b1c28f11f00d3b9f6311fbfae881d6c789e70c4bc5e6ccdf8165b94c6
    
    cdde7878ed0529f9ef3ad58aa3084f1df6e2fb371807b15539187539b060fed2
    
    6f274955b1fb58cc9a60476bc5a9cd9d54c962cc29e73db41b7786148cb74505
    
    09abc579097b0bd8d115702bb1eeb546d2401373c83385a52386ad4243f945e8
    
    292f70bff5717608c289f4146febcc06a2c5d8192529a8c51e18ec0f7b44d1cf
    
    cd8630f8e07e16203195f563457a84beb08112fcbb4d9ee1056a788174cf8f6b
    
    98ddf03ca6ade4770cc06ac8034b3468bd94094f5813d28b74885e5ca6958895
    
    03365cce37db511fdfaf8d77a14f806a2d822a111aa8cc032b5b341c0b0064a5
    
    1378bde3aee0057ca2a5854fee4d184479491ec624a3bbf215098afaa6b82299
    
    b17660d1a4c0258739024187497be0b11530791d1307d9e5556f04f0ac58d42f
    
    b450311b5fc4333b26955f7c709ca61fcfdba168f1a8839a93979a892a8c22cc
    
    39f1c7095e1db05944eeda08a2e1c1b8c513ea581bfc0cb36ad106e3a8f38b5f
    
    0c8c0b2837fbb9c15da1bfb904ed3f3903e2d4d49c999394068f274b014a09dd
    
    a113c637bb81f9bbd39731672b242a8da5915ef4b5e93d72cc9a7454b5e120bd
    
    4aeaa0d954268d4fc7179ec7578258c3459ee95b82698363e0cafb700c05181a
    
    d0575b3ced944dc627d047c60f23d25bd3aa0c4deab69f784b9a80aae50fbd7b
    
    25b9fdef3061c7dfea744830774ca0e289dba7c14be85f0d4695d382763b409b
    
    6d64643c044fe534dbb2c1158409138fcded757e550c6f79eada15e69a7865bc

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1

    userdomainname like "mail2-0da8aa1c.oxcdntech.com" or url like "mail2-0da8aa1c.oxcdntech.com" or
    userdomainname like "cdglobalclouds.com" or url like "cdglobalclouds.com" or
    userdomainname like "helpdesk.cloudshappen.com" or url like "helpdesk.cloudshappen.com" or
    userdomainname like "credits.offices-analytics.com" or url like "credits.offices-analytics.com" or
    userdomainname like "ns101.awsdns-531.com" or url like "ns101.awsdns-531.com" or
    userdomainname like "www.euphemismscase.site" or url like "www.euphemismscase.site" or
    userdomainname like "www.nodtecloud.com" or url like "www.nodtecloud.com" or
    userdomainname like "cloudsrv.cloudfrontsrv.com" or url like "cloudsrv.cloudfrontsrv.com" or
    userdomainname like "mail.euphemismscase.site" or url like "mail.euphemismscase.site" or
    userdomainname like "supports.dbacloudsupport.com" or url like "supports.dbacloudsupport.com" or
    userdomainname like "lync.realtxholdem.com" or url like "lync.realtxholdem.com" or
    userdomainname like "helpdesk.athenatechlabs.com" or url like "helpdesk.athenatechlabs.com" or
    userdomainname like "portal.techmersion.com" or url like "portal.techmersion.com" or
    userdomainname like "cdn101.cloudflaresrv.com" or url like "cdn101.cloudflaresrv.com" or
    userdomainname like "euphemismscase.site" or url like "euphemismscase.site" or
    userdomainname like "portal.cdglobalclouds.com" or url like "portal.cdglobalclouds.com" or
    userdomainname like "emv1.cdglobalclouds.com" or url like "emv1.cdglobalclouds.com" or
    userdomainname like "amazoncdns.com" or url like "amazoncdns.com" or
    userdomainname like "de.huseinhbz.click" or url like "de.huseinhbz.click" or
    userdomainname like "global.techmersion.com" or url like "global.techmersion.com" or
    userdomainname like "pay.johannesburghotel.net" or url like "pay.johannesburghotel.net" or
    userdomainname like "zmail.broadmediacloud.com" or url like "zmail.broadmediacloud.com" or
    userdomainname like "globalnetzone.b-cdn.net" or url like "globalnetzone.b-cdn.net" or
    userdomainname like "ms119.newsfreecloud.com" or url like "ms119.newsfreecloud.com" or
    userdomainname like "images.dbacloudsupport.com" or url like "images.dbacloudsupport.com" or
    userdomainname like "www.amazoncdns.com" or url like "www.amazoncdns.com" or
    userdomainname like "kidshomeworkabc.global.ssl.fastly.net" or url like "kidshomeworkabc.global.ssl.fastly.net" or
    userdomainname like "cdn181.awsdns-531.com" or url like "cdn181.awsdns-531.com" or
    userdomainname like "blog.techmersion.com" or url like "blog.techmersion.com" or
    userdomainname like "redsquare.redcrossco.com" or url like "redsquare.redcrossco.com" or
    userdomainname like "auth.boxlibraries.com" or url like "auth.boxlibraries.com" or
    userdomainname like "portal.sppokemon.com" or url like "portal.sppokemon.com" or
    userdomainname like "cache10.newsfreecloud.com" or url like "cache10.newsfreecloud.com" or
    userdomainname like "soffice.offices-analytics.com" or url like "soffice.offices-analytics.com" or
    userdomainname like "ssl3.awsdns-531.com" or url like "ssl3.awsdns-531.com" or
    userdomainname like "resource.offices-analytics.com" or url like "resource.offices-analytics.com" or
    userdomainname like "ms101.cloudshappen.com" or url like "ms101.cloudshappen.com" or
    userdomainname like "c11r.awsdns-531.com" or url like "c11r.awsdns-531.com" or
    userdomainname like "emv1.techmersion.com" or url like "emv1.techmersion.com" or
    userdomainname like "broadmediacloud.com" or url like "broadmediacloud.com" or
    userdomainname like "supports.flarecastdns.com" or url like "supports.flarecastdns.com" or
    userdomainname like "ns.starkaero.com" or url like "ns.starkaero.com" or
    userdomainname like "ap.missmichiko.com" or url like "ap.missmichiko.com" or
    userdomainname like "svn.truecdnnetwork.com" or url like "svn.truecdnnetwork.com" or
    userdomainname like "www.dbacloudsupport.com" or url like "www.dbacloudsupport.com" or
    userdomainname like "www.cloudshappen.com" or url like "www.cloudshappen.com" or
    userdomainname like "services.offices-analytics.com" or url like "services.offices-analytics.com" or
    userdomainname like "opengl.cloudshappen.com" or url like "opengl.cloudshappen.com" or
    userdomainname like "ns108.cloudshappen.com" or url like "ns108.cloudshappen.com" or
    userdomainname like "llnw-dd.awsdns-531.com" or url like "llnw-dd.awsdns-531.com" or
    userdomainname like "ge.huseinhbz.click" or url like "ge.huseinhbz.click" or
    userdomainname like "ftp.techmersion.com" or url like "ftp.techmersion.com" or
    userdomainname like "cas04.awsdns-531.com" or url like "cas04.awsdns-531.com" or
    userdomainname like "cachecloud.cloudflaresrv.com" or url like "cachecloud.cloudflaresrv.com"

    Detection Query 2

    dstipaddress IN ("45.192.178.208","156.255.2.202","103.103.131.40","103.103.128.121","162.19.135.182","103.159.133.205","38.54.71.140","103.159.133.209","103.15.28.228","154.220.3.17") or ipaddress IN ("45.192.178.208","156.255.2.202","103.103.131.40","103.103.128.121","162.19.135.182","103.159.133.205","38.54.71.140","103.159.133.209","103.15.28.228","154.220.3.17") or publicipaddress IN ("45.192.178.208","156.255.2.202","103.103.131.40","103.103.128.121","162.19.135.182","103.159.133.205","38.54.71.140","103.159.133.209","103.15.28.228","154.220.3.17") or srcipaddress IN ("45.192.178.208","156.255.2.202","103.103.131.40","103.103.128.121","162.19.135.182","103.159.133.205","38.54.71.140","103.159.133.209","103.15.28.228","154.220.3.17")

    Detection Query 3

    sha256hash IN ("25b9fdef3061c7dfea744830774ca0e289dba7c14be85f0d4695d382763b409b","42d4eb7f04111631891379c5cce55480d2d9d2ef8feaf1075e1aed0c52df4bb9","95062728536f23b1335756ae1a1d68f1df22d58594ece9998cae6b73772fd49f","6a4de5c7787e212dea5f033f8f7cd39aefc93e7c83c8564dc2204813e8e76ff2","27042218e8d1a0491525b35a6dc2fc0737841bcaed65b751e78769eadeda9751","c32156a7de42a61f5d584e82dfbced690d23fd72080024c14a9143e5f20f0ad8","a298031b1c28f11f00d3b9f6311fbfae881d6c789e70c4bc5e6ccdf8165b94c6","cdde7878ed0529f9ef3ad58aa3084f1df6e2fb371807b15539187539b060fed2","6f274955b1fb58cc9a60476bc5a9cd9d54c962cc29e73db41b7786148cb74505","09abc579097b0bd8d115702bb1eeb546d2401373c83385a52386ad4243f945e8","292f70bff5717608c289f4146febcc06a2c5d8192529a8c51e18ec0f7b44d1cf","cd8630f8e07e16203195f563457a84beb08112fcbb4d9ee1056a788174cf8f6b","98ddf03ca6ade4770cc06ac8034b3468bd94094f5813d28b74885e5ca6958895","03365cce37db511fdfaf8d77a14f806a2d822a111aa8cc032b5b341c0b0064a5","1378bde3aee0057ca2a5854fee4d184479491ec624a3bbf215098afaa6b82299","b17660d1a4c0258739024187497be0b11530791d1307d9e5556f04f0ac58d42f","b450311b5fc4333b26955f7c709ca61fcfdba168f1a8839a93979a892a8c22cc","39f1c7095e1db05944eeda08a2e1c1b8c513ea581bfc0cb36ad106e3a8f38b5f","0c8c0b2837fbb9c15da1bfb904ed3f3903e2d4d49c999394068f274b014a09dd","a113c637bb81f9bbd39731672b242a8da5915ef4b5e93d72cc9a7454b5e120bd","4aeaa0d954268d4fc7179ec7578258c3459ee95b82698363e0cafb700c05181a","d0575b3ced944dc627d047c60f23d25bd3aa0c4deab69f784b9a80aae50fbd7b","6d64643c044fe534dbb2c1158409138fcded757e550c6f79eada15e69a7865bc")
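    The three queries above match the same indicator classes (domains in URL and user-domain fields, IPs in four address fields, SHA-256 hashes) over a SIEM. The following added example, written for this page and not Gurucul's own code, applies the same matching to event records in plain Python so the logic can be checked offline. It uses a subset of the IOCs listed above; the event dictionaries and their field values are constructed sample data. One deliberate difference from Query 1: where `like` is a substring or wildcard match, `like "cdglobalclouds.com"` would also fire on an unrelated host such as `notcdglobalclouds.com`, so the example matches on DNS label boundaries (exact host or any subdomain of the indicator) instead.

```python
"""Offline IOC matcher mirroring the detection queries above (added example, not Gurucul code)."""
import ipaddress
import re
from urllib.parse import urlsplit

# Indicators copied from the IOC list on this page (subset).
IOC_DOMAINS = {
    "cdglobalclouds.com",
    "portal.techmersion.com",
    "amazoncdns.com",
    "mail2-0da8aa1c.oxcdntech.com",
    "kidshomeworkabc.global.ssl.fastly.net",
}
IOC_IPS = {"45.192.178.208", "103.159.133.209", "162.19.135.182"}
IOC_SHA256 = {
    "42d4eb7f04111631891379c5cce55480d2d9d2ef8feaf1075e1aed0c52df4bb9",
    "25b9fdef3061c7dfea744830774ca0e289dba7c14be85f0d4695d382763b409b",
}

# Same field names the queries above use (assumed to be the event schema).
URL_FIELDS = ("url", "userdomainname")
IP_FIELDS = ("dstipaddress", "ipaddress", "publicipaddress", "srcipaddress")
HASH_FIELDS = ("sha256hash",)

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")


def host_of(value):
    """Return the hostname from a URL or bare host string, or None if absent/unparsable."""
    if not value:
        return None
    if "://" not in value:
        value = "//" + value  # make urlsplit treat a bare host[:port]/path as the netloc
    try:
        return urlsplit(value).hostname
    except ValueError:
        return None


def matched_domain(host):
    """Return the IOC domain that `host` equals or is a subdomain of, else None.

    Walking label suffixes ("cdn.cdglobalclouds.com" -> "cdglobalclouds.com" -> "com")
    gives subdomain coverage without the substring false positive of a plain `like`.
    """
    if not host:
        return None
    labels = host.strip().lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in IOC_DOMAINS:
            return candidate
    return None


def matched_ip(value):
    """Return the normalized IP if it is in the IOC set, else None (non-IP strings are ignored)."""
    try:
        ip = ipaddress.ip_address((value or "").strip())
    except ValueError:
        return None
    return str(ip) if str(ip) in IOC_IPS else None


def matched_hash(value):
    """Return the lowercased SHA-256 if it is in the IOC set, else None."""
    h = (value or "").strip().lower()
    return h if SHA256_RE.match(h) and h in IOC_SHA256 else None


def match_event(event):
    """Return a list of (field, indicator) hits for one event dict, in field order."""
    hits = []
    for f in URL_FIELDS:
        ioc = matched_domain(host_of(event.get(f)))
        if ioc:
            hits.append((f, ioc))
    for f in IP_FIELDS:
        ioc = matched_ip(event.get(f))
        if ioc:
            hits.append((f, ioc))
    for f in HASH_FIELDS:
        ioc = matched_hash(event.get(f))
        if ioc:
            hits.append((f, ioc))
    return hits


def scan(events):
    """Return {event id: hits} for every event with at least one IOC hit."""
    results = {}
    for e in events:
        hits = match_event(e)
        if hits:
            results[e["id"]] = hits
    return results


# Constructed sample events (not real telemetry); ids 1, 2 and 4 should alert.
SAMPLE_EVENTS = [
    {"id": 1, "url": "https://portal.techmersion.com/api/v1", "dstipaddress": "10.1.2.3"},
    {"id": 2, "url": "https://cdn.cdglobalclouds.com/update.cab", "dstipaddress": "45.192.178.208"},
    {"id": 3, "url": "https://notcdglobalclouds.com/", "dstipaddress": "10.1.2.4"},  # substring trap
    {"id": 4, "sha256hash": "42d4eb7f04111631891379c5cce55480d2d9d2ef8feaf1075e1aed0c52df4bb9".upper()},
    {"id": 5, "userdomainname": "corp.example.internal", "srcipaddress": "192.168.1.10"},
]

if __name__ == "__main__":
    for event_id, hits in scan(SAMPLE_EVENTS).items():
        print(event_id, hits)
```

    Event 3 is included specifically to show the label-boundary behaviour: it contains the indicator as a substring but is not a hit. Hash comparison is case-insensitive because different sources emit SHA-256 values in either case.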
    

    Reference: 

    https://www.trendmicro.com/en_us/research/24/k/breaking-down-earth-estries-persistent-ttps-in-prolonged-cyber-o.html 


    Tags

    Malware, Earth Estries, Zingdoor, SnappyBee
