
Salt Typhoon Targets Telecommunications With GhostSpider Malware

According to Trend Micro, Chinese state-sponsored threat actor Salt Typhoon, also tracked as Earth Estries, FamousSparrow, GhostEmperor, and UNC2286, has been seen deploying a new backdoor malware. Called "GhostSpider" by Trend Micro researchers, the malware has been used in attacks against Southeast Asian telecommunications companies.


Trend Micro's report, which details the new malware and the tactics used to deploy it, also found that the group used a second, cross-platform remote access trojan (RAT).

Researchers stated,

Furthermore, we discovered that Earth Estries uses another cross-platform backdoor, which we initially identified during our investigation of Southeast Asian government incidents in 2020. We named it MASOL RAT based on its PDB string. We couldn’t link MASOL RAT to any known threat group at the time due to limited information. However, this year we observed that Earth Estries has been deploying MASOL RAT on Linux devices targeting Southeast Asian government networks. More details about MASOL RAT will be provided in this blog entry.

Salt Typhoon has been actively targeting telecommunications companies globally, including Internet service providers, since approximately 2020. By 2022, the group began focusing on telecoms companies that provide services to governments and associated departments.

The threat actors targeted critical services, such as database and cloud servers, used by the telecommunications companies and their vendor networks. In one instance, Trend Micro discovered that they had implanted the DEMODEX rootkit on vendor machines.

This vendor is a primary contractor for the region's main telecommunications provider, and Trend Micro believes the attackers use this approach to gain access to further targets. In the latest campaign, the victims spanned the entire globe.

Given such a wide scope of attack, researchers believe that while the attacks were carried out under the umbrella of Salt Typhoon, they were likely carried out by different threat actors. Trend Micro has broadly separated the activity into Campaign Alpha and Campaign Beta; the latter saw the deployment of GhostSpider and is the focus of this article.

Summarizing Campaign Beta, researchers stated,

...we will introduce Earth Estries’ [Salt Typhoon] long-term attacks on telecommunications companies and government entities. According to our research, most of the victims have been compromised for several years. We believe that in the early stages, the attackers successfully obtained credentials and control target machines through web vulnerabilities and the Microsoft Exchange ProxyLogon exploit chain. We observed that for these long-term targets, the attackers primarily used the DEMODEX rootkit to remain hidden within the victims' networks. Notably, in a recent investigation into attacks on telecommunications companies in Southeast Asia, we discovered a previously undisclosed backdoor; we have named it GHOSTSPIDER.

GhostSpider

GhostSpider is described as a sophisticated multi-modular backdoor designed with several layers that load different modules for specific purposes. Communication between the malware and the attacker's command-and-control server uses a custom protocol wrapped in Transport Layer Security (TLS), which encrypts the traffic and makes it harder to inspect on the wire.

Like other advanced malware strains, the actual malware component is not simply dropped; installation is completed in stages. Initially, the threat actor installs the first-stage stager via regsvr32.exe, which installs a DLL as a service. The stager is designed to check for a specific hostname hard-coded in the DLL, ensuring that it only runs on the targeted machine.

Once initial access is gained and the stager installed, the next stage begins. This stage is referred to as the beacon loader, where the threat actor installs a legitimate executable file alongside a malicious DLL file for DLL search order hijacking. As mentioned above, the malware uses a custom communication protocol to receive commands from the command-and-control server.
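The two installation steps above, a DLL registered through regsvr32.exe and then installed as a service, and a legitimate executable loading a malicious DLL from its own directory, leave traces that endpoint telemetry can flag. The following detection script is an added example for this article, not code from Trend Micro or from the GhostSpider report. It runs two heuristics over constructed, Sysmon-style log lines (the log format, hostnames, paths and service name are all invented for the example): regsvr32.exe loading a DLL from outside the Windows system directories that later appears as a service DLL, and a signed executable loading an unsigned DLL from its own directory, which is the classic search-order hijacking pattern.

```python
"""Heuristic detection for the GhostSpider installation chain described above.

All log lines below are constructed for this example (Sysmon-like key="value"
fields); they are not real telemetry and the paths/hosts are placeholders.
"""
import re
from collections import defaultdict

# DLLs loaded from these directories are treated as benign system components.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
KV = re.compile(r'(\w+)="([^"]*)"')

# Constructed sample log: one stager-style regsvr32 registration followed by a
# service install, one benign regsvr32 call, and one side-loading image load.
SAMPLE_LOG = """\
host="srv01" event="ProcessCreate" image="C:\\Windows\\System32\\regsvr32.exe" cmdline="regsvr32.exe /s C:\\ProgramData\\cache\\upd.dll"
host="srv01" event="ServiceInstall" name="UpdSvc" dll="C:\\ProgramData\\cache\\upd.dll"
host="srv01" event="ProcessCreate" image="C:\\Windows\\System32\\regsvr32.exe" cmdline="regsvr32.exe /s C:\\Windows\\System32\\msxml3.dll"
host="srv02" event="ImageLoad" image="C:\\ProgramData\\tool\\legit.exe" image_signed="true" loaded="C:\\ProgramData\\tool\\version.dll" loaded_signed="false"
host="srv02" event="ImageLoad" image="C:\\ProgramData\\tool\\legit.exe" image_signed="true" loaded="C:\\Windows\\System32\\kernel32.dll" loaded_signed="true"
"""


def parse(line):
    """Turn one key="value" log line into a dict (empty dict for blank lines)."""
    return dict(KV.findall(line))


def in_system_dir(path):
    return path.lower().startswith(SYSTEM_DIRS)


def dirname(path):
    return path.lower().rsplit("\\", 1)[0]


def analyze(log_text):
    """Return a list of (host, reason, detail) alerts for the two heuristics."""
    alerts = []
    # host -> set of DLL paths that regsvr32 registered from non-system locations
    staged = defaultdict(set)
    for line in log_text.splitlines():
        ev = parse(line)
        if not ev:
            continue
        host, kind = ev.get("host"), ev.get("event")
        if kind == "ProcessCreate" and ev.get("image", "").lower().endswith("\\regsvr32.exe"):
            # Heuristic 1a: regsvr32 registering a DLL outside System32/SysWOW64.
            for dll in re.findall(r"\S+\.dll", ev.get("cmdline", ""), re.I):
                if not in_system_dir(dll):
                    staged[host].add(dll.lower())
                    alerts.append((host, "regsvr32 loaded DLL from non-system path", dll))
        elif kind == "ServiceInstall":
            # Heuristic 1b: that same DLL is then installed as a service DLL.
            if ev.get("dll", "").lower() in staged[host]:
                alerts.append((host, "regsvr32-registered DLL installed as service", ev.get("name", "")))
        elif kind == "ImageLoad":
            # Heuristic 2: signed binary loads an unsigned DLL from its own
            # directory, outside the system directories (search-order hijack).
            image, loaded = ev.get("image", ""), ev.get("loaded", "")
            if (ev.get("image_signed") == "true" and ev.get("loaded_signed") == "false"
                    and not in_system_dir(loaded) and dirname(loaded) == dirname(image)):
                alerts.append((host, "unsigned DLL loaded from signed binary's own directory (possible search-order hijack)", loaded))
    return alerts


if __name__ == "__main__":
    for host, reason, detail in analyze(SAMPLE_LOG):
        print(f"[{host}] {reason}: {detail}")
```

Run as-is, the script raises three alerts: the regsvr32 registration of `upd.dll` from ProgramData, the service `UpdSvc` pointing at that same DLL, and `version.dll` being loaded unsigned from the directory of a signed executable; the benign `msxml3.dll` registration and the `kernel32.dll` load produce nothing. In production the same logic would be fed from Sysmon event IDs 1 and 7 and Windows System log event 7045, with the signing fields coming from the image-load event rather than being embedded in the line.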

Upon analyzing the beacon, researchers discovered that,

The GHOSTSPIDER beacon is segmented into distinct delegates, each tailored to specific functions. These modules are retrieved from the C&C server and are reflectively loaded into memory as dictated by specific command codes… This modular design significantly enhances the backdoor's flexibility and adaptability, as individual components can be deployed or updated independently based on the attacker’s evolving needs. Additionally, it complicates detection and analysis, as analysts are forced to piece together a fragmented view of the malware’s full functionality. By isolating different capabilities across separate modules, GHOSTSPIDER not only reduces its footprint, but also makes it challenging to construct a comprehensive understanding of its operation and overall objectives.

In attributing these campaigns to Salt Typhoon, researchers found that the command-and-control infrastructure overlapped with known previous campaigns and was shared across multiple victim environments. Overlaps in tactics and procedures were also found with attack campaigns previously attributed to Salt Typhoon.

In conclusion, it was noted that Salt Typhoon is one of the most aggressive Chinese APT groups, primarily targeting critical industries such as telecommunications and government sectors. Their notable TTPs include exploiting known vulnerabilities and using widely available shared tools like SnappyBee.

Salt Typhoon conducts stealthy attacks that start from edge devices and extend to cloud environments, making detection challenging. They employ various methods to establish operational networks that effectively conceal their cyber espionage activities, demonstrating a high level of sophistication in infiltrating and monitoring sensitive targets.


About the author:

Karolis Liucveikis
