Challenge of Monarch: Revealing Extensive Earth Narratives Cyber Intrusions
Overview
- Since 2023, the China-based APT group Earth Narratives has predominantly targeted critical sectors such as telecommunication companies and government organizations across the United States, the Asia-Pacific region, the Middle East, and South Africa.
- Using advanced attack techniques and multiple backdoors, including GHOSTSPIDER, SNAPPYBEE, and MASOL RAT, the group has compromised several Southeast Asian telecommunication companies and government bodies.
- After gaining initial access by exploiting vulnerabilities in public-facing servers, Earth Narratives moves through networks using living-off-the-land binaries for lateral movement and deploys malware for long-term intelligence gathering.
- More than 20 organizations have fallen victim to the group, spanning the telecommunication, technology, advisory, chemical, and transport industries as well as government bodies and non-governmental organizations (NGOs) in various countries.
- Earth Narratives operates a complex command-and-control (C&C) infrastructure managed by different teams. Its tactics frequently overlap with those of other known Chinese APT groups, suggesting the use of shared tools from service providers that supply malware.
Since 2023, Earth Narratives (also tracked as Salt Typhoon, FamousSparrow, GhostEmperor, and UNC2286) has emerged as one of the most aggressive Chinese advanced persistent threat (APT) groups, primarily targeting critical sectors such as telecommunication companies and government bodies in the United States, the Asia-Pacific region, the Middle East, and South Africa. In this blog post, we examine the group's evolving attack techniques and the motives behind its operations, offering insights into its long-term targeted intrusions.
One of the key findings of our recent investigation is the discovery of a new backdoor, GHOSTSPIDER, identified during attacks on Southeast Asian telecommunication companies. We describe the technical details of GHOSTSPIDER, its impact across different countries, and notable observations from our monitoring of its command-and-control (C&C) infrastructure. We also found the group using the modular backdoor SNAPPYBEE (also known as Deed RAT), another tool shared among Chinese APT groups.
In addition, we determined that Earth Narratives uses a cross-platform backdoor that we first observed during our investigation of government-related incidents in Southeast Asia in 2020. We named it MASOL RAT after its PDB string. At the time, we could not attribute MASOL RAT to any known threat group because of limited data. This year, however, we observed Earth Narratives deploying MASOL RAT on Linux systems in government networks in Southeast Asia. Further details on MASOL RAT are provided later in this post.
It has recently been reported that Microsoft tracks the APT groups FamousSparrow and GhostEmperor under the name Salt Typhoon. However, there is not enough evidence to confirm whether Earth Narratives is connected to the recently reported Salt Typhoon attacks, since detailed public reporting on Salt Typhoon is lacking. At present, we can only confirm that some of Earth Narratives' tactics, techniques, and procedures (TTPs) overlap with those of FamousSparrow and GhostEmperor.
Motives
Our observations indicate that Earth Narratives has been conducting long-term attacks against governments and internet service providers since 2020. In mid-2022, we noticed that the attackers expanded their focus to service providers that serve governments and telecommunication companies. For example, in 2023 we identified the attackers also targeting advisory firms and NGOs working with the United States federal government and military. This approach improves the efficiency of intelligence gathering and speeds up attacks on primary targets.
Notably, the attackers targeted not only critical services (such as database servers and cloud servers) used by telecommunication companies, but also those companies' vendor networks. We found the DEMODEX rootkit deployed on one vendor's systems. That vendor is a main contractor for the primary telecommunication service provider in the region, suggesting that compromising vendors is a way to gain easier access to further targets.
Profiles of Affected Parties
Our evidence indicates that Earth Narratives successfully compromised more than 20 organizations across the telecommunication, technology, advisory, chemical, and transport industries, as well as government bodies and NGOs. Victims were identified in multiple countries, including:
- Afghanistan
- Brazil
- Eswatini
- India
- Indonesia
- Malaysia
- Pakistan
- The Philippines
- South Africa
- Taiwan
- Thailand
- United States
- Vietnam
