Through its notable sophistication, Salt Typhoon has cemented its status as one of the most advanced cyber-espionage groups in history – a new report reveals the tactics behind its success.
The China-based cyber group tracked as Earth Estries – encompassing Salt Typhoon, FamousSparrow, GhostEmperor, and UNC2286 – has garnered a reputation for its targeted attacks on critical industries.
Salt Typhoon has risen in prominence due to its recent infiltration of commercial telecommunications infrastructure. Senators have called the hack “breathtaking,” saying it should serve as “a wake-up call” for the corporations believed to be breached, which include AT&T, Verizon, and Lumen.
A new report by Trend Micro released on Monday details some of the techniques and procedures used by what it deems “one of the most aggressive Chinese advanced persistent threat (APT) groups.”
“Earth Estries conducts stealthy attacks that start from edge devices and extend to cloud environments, making detection challenging,” the report says. “They employ various methods to establish operational networks that effectively conceal their cyber espionage activities, demonstrating a high level of sophistication in their approach to infiltrating and monitoring sensitive targets.”
While the cyber group typically targets telecommunications and government entities, Trend Micro said it has no direct proof that the malware in its report was used in the recent telecom hacks of Verizon, Lumen, T-Mobile, and AT&T, though it noted that the group has used similar tools to infiltrate other firms and agencies.
Access and Exploitation Techniques
Researchers said that the cyber-espionage group exploits server vulnerabilities to infiltrate systems, then uses built-in tools and malware to move across networks and conduct long-term espionage. Vulnerabilities targeted by the group, according to the report, include:
- Ivanti Connect Secure VPN Exploitation (CVE-2023-46805 and CVE-2024-21887)
- Fortinet FortiClient EMS SQL Injection Vulnerability (CVE-2023-48788)
- User Portal and Webadmin Sophos Firewall Code Injection (CVE-2022-3236)
- Microsoft Exchange Chained ProxyLogon (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065)
Legitimate tools such as Windows Management Instrumentation Command-line (WMIC.exe) and Microsoft’s PSTools Executable (PSEXEC.exe) are frequently used for network access, according to the report. “Backdoor” malware such as SnappyBee, Masol Remote Access Trojan (RAT), and GhostSpider are then used to spy on targets.
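Because WMIC and PsExec are legitimate administrative tools, the defensive angle on the report's observation is to watch for their remote-execution patterns in process-creation telemetry rather than to block the binaries outright. The following Python is an added example, not code from the article or from Trend Micro: it runs a small detection pass over constructed, Sysmon-style process-creation records. The field names (host, user, image, command_line, parent_image) and the sample events are assumptions for the illustration.

```python
"""Flag remote WMIC and PsExec usage in process-creation telemetry.

Added example, not part of the article or the Trend Micro report.
Record layout (host, user, image, command_line, parent_image) is assumed;
adapt the field names to the EDR or Sysmon export you actually have.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample records: a normal local WMIC query, a remote WMIC
# execution, a PsExec launch against a remote host, and the PSEXESVC
# service binary that PsExec starts on the receiving host.
SAMPLE_EVENTS = [
    {"host": "ws01", "user": "CORP\\alice",
     "parent_image": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "command_line": "wmic os get caption"},
    {"host": "ws01", "user": "CORP\\svc_admin",
     "parent_image": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "command_line": 'wmic /node:"fs02" process call create "hostname"'},
    {"host": "ws01", "user": "CORP\\svc_admin",
     "parent_image": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Tools\\PsExec.exe",
     "command_line": "PsExec.exe \\\\fs02 cmd.exe"},
    {"host": "fs02", "user": "NT AUTHORITY\\SYSTEM",
     "parent_image": "C:\\Windows\\System32\\services.exe",
     "image": "C:\\Windows\\PSEXESVC.exe",
     "command_line": "C:\\Windows\\PSEXESVC.exe"},
]

# /node: tells WMIC to run the query or method call on another machine.
_WMIC_NODE = re.compile(r'(?i)/node:"?([\w.-]+)')
# PsExec names its target as a UNC-style \\host argument.
_PSEXEC_TARGET = re.compile(r"\\\\([\w.-]+)")


@dataclass(frozen=True)
class Finding:
    host: str      # host that produced the telemetry
    rule: str      # short rule name for routing/triage
    detail: str    # human-readable context


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze(event: dict) -> Optional[Finding]:
    """Return a Finding when the record matches a remote-execution pattern."""
    image = basename(event["image"])
    cmd = event["command_line"]
    user = event["user"]

    if image == "wmic.exe":
        m = _WMIC_NODE.search(cmd)
        if m:
            return Finding(event["host"], "remote_wmic_exec",
                           f"{user} ran WMIC against {m.group(1)}")
        return None  # local WMIC queries are routine

    if image in ("psexec.exe", "psexec64.exe"):
        m = _PSEXEC_TARGET.search(cmd)
        if m:
            return Finding(event["host"], "psexec_remote_launch",
                           f"{user} launched PsExec against {m.group(1)}")
        return None

    if image == "psexesvc.exe":
        # Seen on the *target* host: the service PsExec installs to run commands.
        return Finding(event["host"], "psexec_service_binary",
                       "PSEXESVC.exe started (PsExec target side)")
    return None


def scan(events) -> list:
    """Run analyze() over every record and keep the hits, in input order."""
    return [f for f in map(analyze, events) if f is not None]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"[{finding.rule}] {finding.host}: {finding.detail}")
```

In practice these rules are noisy on hosts where administrators legitimately run WMIC and PsExec, so the useful next step is to baseline which source hosts and accounts are expected to do this and alert on the rest; the target-side `PSEXESVC.exe` rule is the cheapest one to deploy because it fires on the machine being reached regardless of which tool version the operator used.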
GhostSpider, which Trend Micro said it recently discovered after analyzing attacks on Southeast Asian telecom companies, is described as a “sophisticated multi-modular backdoor designed with several layers.”
“This modular design significantly enhances the backdoor’s flexibility and adaptability, as individual components can be deployed or updated independently based on the attacker’s evolving needs,” Trend Micro explains. “Additionally, it complicates detection and analysis, as analysts are forced to piece together a fragmented view of the malware’s full functionality… [making] it challenging to construct a comprehensive understanding of its operation and overall objectives.”
Trend Micro also revealed that the Salt Typhoon group is now using a new variant of DemoDex, an advanced cyber-espionage tool. According to the report, this version prevents post-infiltration analysis by utilizing a cabinet file that deletes itself after installing the malware.
Masol RAT, an additional cross-platform backdoor, was discovered to have been used against Southeast Asian governments during incidents that occurred in 2020, the report says. “We couldn’t link MASOL RAT to any known threat group at the time due to limited information. However, this year we observed that Earth Estries has been deploying MASOL RAT on Linux devices targeting Southeast Asian government networks,” the researchers say.
Trend Micro also noted that while the group uses customized malware, it also employs malware-as-a-service (MaaS) platforms to save on time and resources while increasing the efficiency and scalability of its attacks. Notable MaaS platforms include SnappyBee, which is shared among Chinese APT groups and used by Earth Estries.
Campaign Overview
Earth Estries likely uses multiple actors to launch attacks against different geographical regions and industries, Trend Micro researchers say, noting that command and control (C&C) infrastructure used by various backdoors “seems to be managed by different infrastructure teams, further highlighting the complexity of the group’s operations.”
Most recently, Salt Typhoon was found to have attacked state entities in Southeast Asia since August, compromising Linux devices using Masol RAT – which has been in use since 2019 but has evolved over time to target different operating systems.
“According to our research, most of the victims have been compromised for several years,” the researchers say. “We believe that in the early stages, the attackers successfully obtained credentials and control target machines through web vulnerabilities and the Microsoft Exchange ProxyLogon exploit chain. We observed that for these long-term targets, the attackers primarily used the DEMODEX rootkit to remain hidden within the victims’ networks.”
Salt Typhoon has successfully compromised over 20 organizations across the telecommunications, technology, consulting, chemical, and transportation sectors in the United States, Asia-Pacific, the Middle East, and South Africa since 2023, according to the researchers.