Breaking Down Earth Estries’ Persistent TTPs in Prolonged Cyber Operations

Intel Name: Breaking Down Earth Estries’ Persistent TTPs in Prolonged Cyber Operations

Date of Scan: November 13, 2024

Impact: Medium

Summary:
“Breaking Down Earth Estries’ Persistent TTPs in Prolonged Cyber Operations” details the sophisticated tactics used by the Earth Estries cyber group in their long-term campaigns. They use two primary attack chains: one leveraging PsExec and tools like Trillclient, Hemigate, and Crowdoor via CAB files, and another using malware like Zingdoor and SnappyBee delivered through cURL downloads. Both chains exploit vulnerabilities in systems like Microsoft Exchange servers and network management tools. Earth Estries maintains persistence through backdoors, continuous tool updates, and lateral movement. They exfiltrate data using Trillclient and cURL, often sending stolen information to anonymized file-sharing services while using proxies to obscure their activities.
