GhostSpider: New Addition to Salt Typhoon’s Malware Toolkit
November 26, 2024
The Advanced Persistent Threat (APT) group Salt Typhoon, also tracked as Earth Estries, is regarded as one of China's most effective cyber espionage actors. It has run long-term espionage campaigns against telecommunications companies, Internet Service Providers (ISPs), and governments, often remaining undetected for years, and has recently added a new backdoor, GhostSpider, to its arsenal.
Salt Typhoon, which also overlaps with the clusters tracked as FamousSparrow, GhostEmperor, and UNC2286, is one of the most sophisticated APTs operating out of the People's Republic of China. Since 2023 the group has compromised more than 20 high-profile organizations worldwide, with some breaches going unnoticed for years. Its most recent targets include US telecommunications companies, among them T-Mobile USA, and ISPs in North America.
The group's diverse and potent payloads, including the Masol RAT and SnappyBee, have been used against Linux servers belonging to Southeast Asian governments. The newly discovered GhostSpider is a highly modular backdoor, adaptable to any attack scenario. Jon Clay, Trend Micro's vice president of threat intelligence, explained: "So, I can enact a specific module to do one specific thing, and it only does that one thing, and then if I need something else, I enact another module. And this does make it much more difficult for defenders and researchers to identify what's what."
In addition to its backdoors, the group also deploys a rootkit called Demodex. The breadth of its malware range may reflect its operational structure: researchers suggest Salt Typhoon is an organized entity with distinct, specialized teams, with different infrastructure teams managing the various backdoors. The tactics, techniques, and procedures (TTPs) observed across attacks vary significantly, with separate teams focusing on different geographic regions and industries.
The group has been conducting long-term espionage attacks against governments and other targets since 2020. In 2022 it shifted its tactics from phishing employees to targeting Internet-facing devices using n-day vulnerabilities, that is, bugs for which a fix has already been published but which organizations have not yet had a chance to patch. The group's preferred vulnerabilities include CVE-2023-48788, a SQL injection bug in the Fortinet FortiClient Enterprise Management Server (EMS); CVE-2022-3236, a code injection issue in Sophos Firewall; and CVE-2023-46805 (an authentication bypass) chained with CVE-2024-21887 (a command injection) in Ivanti Connect Secure VPN, which together allow unauthenticated, privileged, arbitrary command execution on the appliance.
The group's victims have been spread across four continents, including countries like Afghanistan, India, Eswatini, and the US. The main focus has been on Southeast Asia, targeting organizations from various sectors including telecommunications, technology, consulting, chemical, transportation, and nonprofit sectors, with a particular emphasis on government agencies. Some of these organizations serve as stepping stones for attacking more significant government agencies.