Chinese Hackers Use GHOSTSPIDER Malware to Hack Telecoms Across 12+ Countries
The China-linked threat actor known as Earth Estries has been observed using a previously undocumented backdoor called GHOSTSPIDER as part of its attacks targeting Southeast Asian telecommunications companies.
Trend Micro, which described the hacking group as an aggressive advanced persistent threat (APT), said the intrusions also involved the use of another cross-platform backdoor dubbed MASOL RAT (aka Backdr-NQ) on Linux systems belonging to Southeast Asian government networks.
In all, Earth Estries is estimated to have successfully compromised more than 20 entities spanning telecommunications, technology, consulting, chemical, and transportation industries, government agencies, and non-profit organization (NGO) sectors.
Victims have been identified across over a dozen countries, including Afghanistan, Brazil, Eswatini, India, Indonesia, Malaysia, Pakistan, the Philippines, South Africa, Taiwan, Thailand, the U.S., and Vietnam.
Earth Estries shares overlap with clusters tracked by other cybersecurity vendors under the names FamousSparrow, GhostEmperor, Salt Typhoon, and UNC2286. It’s said to be active since at least 2020, leveraging a wide range of malware families to breach telecommunications and government entities in the U.S., the Asia-Pacific region, the Middle East, and South Africa.
According to a report from The Washington Post last week, the hacking group is believed to have penetrated more than a dozen telecom companies in the U.S. alone. As many as 150 victims have been identified and notified by the U.S. government.
The infection chain of DEMODEX rootkit |
Some of the notable tools in its malware portfolio include the Demodex rootkit and Deed RAT (aka SNAPPYBEE), a suspected successor to ShadowPad, which has been widely used by several Chinese APT groups. Also put to use by the threat actor backdoors and information stealers like Crowdoor, SparrowDoor, HemiGate, TrillClient, and Zingdoor.