📃Title: Earth Estries Targets Government, Tech for Cyberespionage
📅Date: 2023-08-30
🔗References:
- https://www.trendmicro.com/content/dam/trendmicro/global/en/research/23/h/earth-estries-targets-government-tech-for-cyberespionage/IOCs-earth-estries-targets-government-tech-for-cyberespionage.txt
- https://www.trendmicro.com/en_us/research/23/h/earth-estries-targets-government-tech-for-cyberespionage.html
Description
Earth Estries is a well-resourced group with sophisticated skills and experience in cyberespionage and other illicit activity. The actors deploy multiple backdoors and hacking tools to widen their intrusion options. To leave as small a footprint as possible, they use PowerShell downgrade attacks, forcing scripts to run under the PowerShell 2.0 engine, which predates the Windows Antimalware Scan Interface (AMSI) and script block logging, so the script content is never scanned or logged. They also abuse public services such as GitHub, Gmail, AnonFiles, and File.io to exchange commands and transfer stolen data.
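Detecting the PowerShell downgrade described above comes down to watching the engine-start event that the 2.0 engine still writes, because AMSI and script block logging (Event ID 4104) never see it. The block below is an added example and not code from the Trend Micro report or from Rectifyq's MISP; it applies the version-mismatch logic of the public Sigma "PowerShell Downgrade Attack" rule to event records constructed to match the layout of Windows PowerShell log Event ID 400, and the computer names and command lines in the samples are placeholders.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Fields of interest in the "Details:" block of Windows PowerShell log Event ID 400.
_VERSION_FIELD = re.compile(r"(HostVersion|EngineVersion)=([\d.]+)")
_HOST_APP = re.compile(r"HostApplication=(.*)")
# powershell.exe accepts "-Version 2" and the unambiguous prefix "-v 2", case-insensitively.
_VERSION2_SWITCH = re.compile(r"(?i)(?:^|\s)-v(?:ersion)?\s+2(?:\.0)?(?=\s|$)")


@dataclass
class PsEngineEvent:
    event_id: int
    computer: str
    message: str


def _details(host_version: str, engine_version: str, app: str,
             prev: str = "None", new: str = "Available") -> str:
    """Build a message body laid out like the engine-lifecycle events (constructed sample data)."""
    return (
        f"Engine state is changed from {prev} to {new}. \n\nDetails: \n"
        f"\tNewEngineState={new}\n\tPreviousEngineState={prev}\n"
        "\tHostName=ConsoleHost\n"
        f"\tHostVersion={host_version}\n"
        f"\tHostApplication={app}\n"
        f"\tEngineVersion={engine_version}\n"
    )


# Constructed sample events; computer names and command lines are placeholders, not report IoCs.
SAMPLE_EVENTS = [
    # Normal interactive start: host and engine are both 5.1.
    PsEngineEvent(400, "WS-01", _details("5.1.19041.3570", "5.1.19041.3570", "powershell.exe")),
    # Downgrade: a 5.1 host loads the 2.0 engine, sidestepping AMSI and script block logging.
    PsEngineEvent(400, "WS-02", _details("5.1.19041.3570", "2.0",
                                         "powershell.exe -version 2 -nop -w hidden -enc SQBFAFgA")),
    # Engine stop (Event ID 403) for the same session: not a start, so not counted again.
    PsEngineEvent(403, "WS-02", _details("5.1.19041.3570", "2.0", "powershell.exe -version 2",
                                         prev="Available", new="Stopped")),
    # Genuine PowerShell 2.0 host (host and engine both 2.0): a legacy box, not a downgrade.
    PsEngineEvent(400, "LEGACY-SRV", _details("2.0", "2.0", "powershell.exe")),
]


def parse_versions(message: str) -> dict:
    """Return {'HostVersion': ..., 'EngineVersion': ...} for whichever fields are present."""
    return dict(_VERSION_FIELD.findall(message))


def host_application(message: str) -> str:
    """The command line that started the engine, as recorded in HostApplication."""
    m = _HOST_APP.search(message)
    return m.group(1).strip() if m else ""


def is_downgrade(event: PsEngineEvent) -> bool:
    """Engine start in which a non-2.x host loaded the 2.x engine (the Sigma rule's condition)."""
    if event.event_id != 400:
        return False
    v = parse_versions(event.message)
    engine, host = v.get("EngineVersion", ""), v.get("HostVersion", "")
    return engine.startswith("2.") and not host.startswith("2.")


def has_version2_switch(command_line: str) -> bool:
    """Corroborating signal: the launching command line explicitly requested version 2."""
    return _VERSION2_SWITCH.search(command_line) is not None


def find_downgrades(events) -> List[Tuple[str, str]]:
    """(computer, HostApplication) for every engine-start event that looks like a downgrade."""
    return [(e.computer, host_application(e.message)) for e in events if is_downgrade(e)]


if __name__ == "__main__":
    for computer, cmd in find_downgrades(SAMPLE_EVENTS):
        flag = "explicit -version 2" if has_version2_switch(cmd) else "no version switch on command line"
        print(f"{computer}: PowerShell 2.0 engine under a newer host ({flag}): {cmd}")
```

The host/engine mismatch is the signal: a genuine PowerShell 2.0 host also logs EngineVersion=2.0, so matching on the engine version alone fires on every legacy box. The command-line switch is only corroboration, since a downgrade can also be requested from code without it. Removing the optional feature that supplies the 2.0 engine (on client Windows, `Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root`) closes the downgrade path outright.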
🔖Rectifyq Taxonomies:
- relevancy: 🔴 Highly Relevant
- category: ⚔Threat
- sub-category: campaign-analysis
- target: targeted
- MY-relevancy: relevant
🔖MISP Galaxies:
- producer Trend-Micro
- target-information="Taiwan"
- target-information="Philippines"
- target-information="South Africa"
- target-information="United States"
- target-information="Malaysia"
- target-information="Germany"
- threat-actor Earth-Estries
- malpedia="Cobalt Strike"
- malpedia="DracuLoader"
- malpedia="HemiGate"
- sector="Government, Administration"
- sector="Technology"
- mitre-attack-pattern=['T1087', 'T1027.010', 'T1574.002', 'T1071.004', 'T1482', 'T1562.010', 'T1567.002', 'T1070', 'T1056.001', 'T1036.004', 'T1036.005', 'T1059.001', 'T1547.001', 'T1021.002', 'T1053.005', 'T1113', 'T1569.002', 'T1027.002', 'T1134.001', 'T1078', 'T1071.001', 'T1047', 'T1543.003']
MISP event uuid: 6cf62c7f-1276-41bf-aabd-70eeb78f8c59
Indicators of Compromise (IoCs)
type,value,comment
sha256, cd2b703e1b7cfd6c552406f44ec05480209003789ad4fbba4d4cffd4f104b0a0, 'No sample in VT; last check: 22/02/2025'
sha256, 0eaa67fe81cec0a41cd42866df1223cb7d2b5659ab295dffe64fe9c3b76720aa, 'No sample in VT; last check: 22/02/2025'
sha256, e6f9756613345fd01bbcf28eba15d52705ef4d144c275b8cfe868a5d28c24140, 'No sample in VT; last check: 22/02/2025'
sha256, c7023183e815b9aff68d3eba6c2ca105dbe0a9b05cd209908dcee907a64ce80b, 'No sample in VT; last check: 22/02/2025'
sha256, 1a9e0c7c88e7a8b065ec88809187f67d920e7845350d94098645e592ec5534f6, 'No sample in VT; last check: 22/02/2025'
sha256, efb98b8f882ac84332e7dfdc996a081d1c5e6189ad726f8f8afec5d36a20a730, 'No sample in VT; last check: 22/02/2025'
sha256, 8476ad68ce54b458217ab165d66a899d764eae3ad30196f35d2ff20d3f398523, 'No sample in VT; last check: 22/02/2025'
sha256, dff1d282e754f378ef00fb6ebe9944fee6607d9ee24ec3ca643da27f27520ac3, 'No sample in VT; last check: 22/02/2025'
sha256, 42d4eb7f04111631891379c5cce55480d2d9d2ef8feaf1075e1aed0c52df4bb9, 'No sample in VT; last check: 22/02/2025'
sha256, 45b9204ccbad92e4e5fb9e31aab683eb5221eb5f5688b1aae98d9c0f1c920227, 'No sample in VT; last check: 22/02/2025'
sha256, 49a0349dfa79b211fc2c5753a9b87f8cd2e9a42e55eca6f350f30c60de2866ce, 'No sample in VT; last check: 22/02/2025'
sha256, 28109c650df5481c3997b720bf8ce09e7472d9cdb3f02dd844783fd2b1400c72, 'No sample in VT; last check: 22/02/2025'
sha256, a8dd0ca6151000de33335f48a832d24412de13ce05ea6f279bf4aaaa2e5aaecb, 'No sample in VT; last check: 22/02/2025'
sha256, deaa3143814c6fe9279e8bc0706df22d63ef197af980d8feae9a8468f441efec, 'No sample in VT; last check: 22/02/2025'
sha256, b6481e0edc36a0472ab0ce7d0817f1773c4af9307ae60890a667930558a762ff, 'No sample in VT; last check: 22/02/2025'
sha256, f6223d956df81dcb6135c6ce00ee14d0efede9fb399b56d2ee95b7b0538fe12c, 'No sample in VT; last check: 22/02/2025'
hostname, cloudlibraries.global.ssl.fastly.net, 'C&C server'
hostname, shinas.global.ssl.fastly.net, 'C&C server'
hostname, zmailssl3.global.ssl.fastly.net, 'C&C server'
hostname, nx2.microware-help.com, 'C&C server'
hostname, east.smartpisang.com, 'C&C server'
hostname, cdn728a66b0.smartlinkcorp.net, 'C&C server'
hostname, cdn-6dd0035.oxcdntech.com, 'C&C server'
hostname, cdn-7a3d.vultr-dns.com, 'C&C server'
hostname, web9a78bc52.trhammer.com, 'C&C server'
hostname, access.trhammer.com, 'C&C server'
hostname, ms101.cloudshappen.com, 'C&C server'
url, https://103.159.133.205/index.asp?id=432, 'C&C server'
ip-dst, 96.44.160.181, 'Download site'
Full IOCs available in Rectifyq's MISP