{"id":6419,"date":"2024-11-26T14:13:20","date_gmt":"2024-11-26T20:13:20","guid":{"rendered":"https:\/\/www.darkreading.com\/application-security\/salt-typhoon-malware-arsenal-ghostspider"},"modified":"2024-11-26T14:13:20","modified_gmt":"2024-11-26T20:13:20","slug":"salt-typhoon-builds-out-malware-arsenal-with-ghostspider","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2024\/11\/26\/salt-typhoon-builds-out-malware-arsenal-with-ghostspider\/","title":{"rendered":"Salt Typhoon Builds Out Malware Arsenal With GhostSpider"},"content":{"rendered":"
<\/a><\/div>\n
<\/div>\n

The Chinese threat actor known as Salt Typhoon has been spying on some high-value government and telecommunications organizations for several years now, recently debuting fresh backdoor malware, dubbed GhostSpider.<\/span><\/p>\n

Salt Typhoon (aka <\/span>Earth Estries<\/a><\/span>, FamousSparrow, GhostEmperor, and UNC2286) is among the People’s Republic’s most cutting advanced persistent threats (APT). In <\/span>a campaign stretching back to 2023<\/a><\/span>, it has compromised more than 20 organizations. Those organizations tend to be of the highest order, from all corners of the globe, and their breaches have in some cases remained undetected for years. Most recently, it’s been known for targeting <\/span>US telcos, including T-Mobile USA<\/a><\/span>, and <\/span>ISPs in North America<\/a><\/span>.<\/span><\/p>\n

Salt Typhoon’s Arsenal of Malware<\/h2>\n

With access to a targeted network, the APT that Trend Micro calls Earth Estries can deploy any one of its varied and powerful payloads, which it is consistently building out, according to a new analysis from the firm.<\/span><\/p>\n

There’s Masol RAT \u2014 a cross-platform tool it’s used against Linux servers from Southeast Asian governments \u2014 and the modular SnappyBee (aka Deed RAT). The newly discovered GhostSpider, meanwhile, is a highly modular backdoor, adjustable for any particular attack scenario, according to Jon Clay, Trend Micro’s vice president of threat intelligence.<\/span><\/p>\n

Related:<\/span>‘RomCom’ APT Mounts Zero-Day, Zero-Click Browser Escapes in Firefox, Tor<\/a><\/p>\n

“So, I can enact a specific module to do one specific thing, and it only does that one thing, and then if I need something else, I enact another module. And this does make it much more difficult for defenders and researchers to identify what’s what,” Clay says, because one instance of GhostSpider might look entirely different from another.<\/span><\/p>\n

Besides its backdoors, the group also possesses a rootkit called Demodex, and Trend Micro has speculated that it might even have used <\/span>Inc ransomware<\/a><\/span> in some of its operations.<\/span><\/p>\n

The diversity of Salt Typhoon’s malware may be connected to the very nature of how it operates. According to the researchers, it is a structured organization of distinct, specialized teams. Its various backdoors, for example, are managed by different “infrastructure teams.” The tactics, techniques, and procedures (TTPs) utilized in different attacks might vary significantly, with unique teams focusing in different geographic regions and industries \u2014 another reason why pinning down the Chinese APT has been so difficult over the years. “They are very sophisticated [at] gaining access, maintaining access, maintaining persistence, and wiping their tracks when they have done something to make it look like they were never there,” Clay says.<\/span><\/p>\n

Related:<\/span>OpenSea Phishers Aim to Drain Crypto Wallets of NFT Enthusiasts<\/a><\/p>\n

How Estries Gains Entry<\/h2>\n

Earth Estries had been <\/span>conducting long-term espionage attacks against governments<\/a><\/span> and other targets since 2020. Around the middle of 2022, though, a switch flipped.<\/span><\/p>\n

“In the past, they were doing a lot of phishing of employees,” Clay recalls. “Now they’re targeting Internet-facing devices using n-day vulnerabilities, finding any open ports [or] protocols, or applications that are running that they can exploit in order to gain access.”<\/span><\/p>\n

“N-day” refers to recently disclosed bugs that organizations might not have had a chance to patch yet. The group’s favorite vulnerabilities have been dangerous (but now well-documented), including: <\/span><\/p>\n

\n