Monday, October 27, 2025

Earth Estries alive and kicking

Earth Estries, also known as Salt Typhoon and a few other names, is a China-nexus APT actor, and is known to have used multiple implants such as Snappybee (Deed RAT), ShadowPad, and several more.

In their latest campaign, the actor leverages one of the latest WinRAR vulnerabilities, which ultimately leads to running shellcode.

The execution flow is as follows:

[Figure: execution flow diagram (screenshot, not reproduced in text)]


That is all. Find below indicators of compromise and Yara rules.

Indicator | Type | Purpose
f8c119bfc057dc027e6c54b966d168ee1ef38c790e581fb44cf965ca0408db1d | SHA256 Hash | CAB file storing ccwkrlib.dll
94aa6619c61d434e96ca8d128731eb7ee81e399a59a17f751a31b564a7f3a722 | SHA256 Hash | Encrypted stub
3c84a5255e0c08e96278dea9021e52c276b4a6c73af9fa81520aefb4a8040a8b | SHA256 Hash | CAB file storing RES.RC
3822207529127eb7bdf2abc41073f6bbe4cd6e9b95d78b6d7dd04f42d643d2c3 | SHA256 Hash | Dropper
64ca55137ba9fc5d005304bea5adf804b045ec10c940f6c633ffde43bc36ff3f | SHA256 Hash | Fake PDF with ADS stream
6c6af015e0bfec69f7867f8c957958aa25a13443df1de26fa88d56a240bdd5ad | SHA256 Hash | Hijacked DLL, bloated
5e062fee5b8ff41b7dd0824f0b93467359ad849ecf47312e62c9501b4096ccda | SHA256 Hash | Hijacked DLL
3b47df790abb4eb3ac570b50bf96bb1943d4b46851430ebf3fc36f645061491b | SHA256 Hash | Downloads CommonSDK.exe
ccwkrlib.dll | Filename | Hijacked DLL
RES.RC | Filename | Encrypted stub
CommonSDK.exe | Filename | Fake PDF with ADS stream
doc20250921133625.pdf | Filename | Fake PDF with ADS stream
startup.bat | Filename | Downloads CommonSDK.exe
WindowsTarys | Filename | Scheduled task
38[.]54[.]105[.]114 | IP Address | Download server
mimosa[.]gleeze[.]com | Domain | C2 Server
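As an added example (not part of the original post), the Python script below loads the indicators from the table above, refangs the IP and domain, and matches them against a handful of log lines. The log lines, the `refang`, `scan_line` and `scan_logs` helpers, and the host names and paths in the sample logs are constructed for illustration; only the indicator values come from the table.

```python
"""Match the Earth Estries indicators from the table above against log lines.

Added example: the helper functions and the sample log lines are constructed
for illustration; only the indicator values are taken from the post.
"""
from __future__ import annotations

import re

# Indicators copied from the table above, kept in their defanged form.
IOCS: dict[str, dict[str, str]] = {
    "sha256": {
        "f8c119bfc057dc027e6c54b966d168ee1ef38c790e581fb44cf965ca0408db1d": "CAB file storing ccwkrlib.dll",
        "94aa6619c61d434e96ca8d128731eb7ee81e399a59a17f751a31b564a7f3a722": "Encrypted stub",
        "3c84a5255e0c08e96278dea9021e52c276b4a6c73af9fa81520aefb4a8040a8b": "CAB file storing RES.RC",
        "3822207529127eb7bdf2abc41073f6bbe4cd6e9b95d78b6d7dd04f42d643d2c3": "Dropper",
        "64ca55137ba9fc5d005304bea5adf804b045ec10c940f6c633ffde43bc36ff3f": "Fake PDF with ADS stream",
        "6c6af015e0bfec69f7867f8c957958aa25a13443df1de26fa88d56a240bdd5ad": "Hijacked DLL, bloated",
        "5e062fee5b8ff41b7dd0824f0b93467359ad849ecf47312e62c9501b4096ccda": "Hijacked DLL",
        "3b47df790abb4eb3ac570b50bf96bb1943d4b46851430ebf3fc36f645061491b": "Downloads CommonSDK.exe",
    },
    "filename": {
        "ccwkrlib.dll": "Hijacked DLL",
        "RES.RC": "Encrypted stub",
        "CommonSDK.exe": "Fake PDF with ADS stream",
        "doc20250921133625.pdf": "Fake PDF with ADS stream",
        "startup.bat": "Downloads CommonSDK.exe",
        "WindowsTarys": "Scheduled task",
    },
    "ip": {"38[.]54[.]105[.]114": "Download server"},
    "domain": {"mimosa[.]gleeze[.]com": "C2 Server"},
}


def refang(indicator: str) -> str:
    """Undo the '[.]' defanging so an indicator can be matched against raw logs."""
    return indicator.replace("[.]", ".")


def scan_line(line: str) -> list[tuple[str, str, str]]:
    """Return (type, indicator, purpose) for every indicator present in one log line.

    File names, IPs and domains are matched as whole tokens, so '38.54.105.114'
    does not fire on '138.54.105.1140'; hashes are matched as plain substrings.
    """
    hits: list[tuple[str, str, str]] = []
    lowered = line.lower()
    for kind, table in IOCS.items():
        for ioc, purpose in table.items():
            needle = refang(ioc).lower()
            if kind == "sha256":
                found = needle in lowered
            else:
                token = r"(?<![\w.-])" + re.escape(needle) + r"(?![\w.-])"
                found = re.search(token, lowered) is not None
            if found:
                hits.append((kind, ioc, purpose))
    return hits


def scan_logs(lines: list[str]) -> list[tuple[str, list[tuple[str, str, str]]]]:
    """Return (line, hits) for only those lines that contain at least one indicator."""
    results = []
    for line in lines:
        hits = scan_line(line)
        if hits:
            results.append((line, hits))
    return results


# Constructed sample log lines (hosts, paths and timestamps are made up).
SAMPLE_LOGS = [
    "2025-10-20T09:12:01Z dns host=WS-042 qname=mimosa.gleeze.com qtype=A",
    "2025-10-20T09:12:05Z proxy host=WS-042 dst=38.54.105.114:80 url=http://38.54.105.114/CommonSDK.exe",
    r"2025-10-20T09:12:09Z proc host=WS-042 image=C:\Windows\System32\cmd.exe cmdline=cmd /c C:\Users\user\AppData\Local\Temp\startup.bat",
    r"2025-10-20T09:12:30Z proc host=WS-042 image=C:\Windows\System32\schtasks.exe cmdline=schtasks /create /tn WindowsTarys",
    r"2025-10-20T09:13:00Z file host=WS-042 path=C:\Users\user\Downloads\ccwkrlib.dll sha256=6c6af015e0bfec69f7867f8c957958aa25a13443df1de26fa88d56a240bdd5ad",
    "2025-10-20T09:14:00Z dns host=WS-043 qname=updates.example.com qtype=A",
]

if __name__ == "__main__":
    for line, hits in scan_logs(SAMPLE_LOGS):
        print(line)
        for kind, ioc, purpose in hits:
            print(f"    {kind:<8} {ioc}  ({purpose})")
```

Hashes are matched anywhere in the line because log formats differ in how they quote them, while names and addresses are anchored on token boundaries to avoid false positives on longer strings that merely contain them.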


Associated Yara rules are available on my Github: 

https://github.com/bartblaze/Yara-rules 

Rule names:

  • EE_Loader 
  • EE_Dropper 
  • WinRAR_ADS_Traversal

References / Resources:

WinRAR CVE:

https://nvd.nist.gov/vuln/detail/CVE-2025-8088

https://www.welivesecurity.com/en/eset-research/update-winrar-tools-now-romcom-and-others-exploiting-zero-day-vulnerability/


Earth Estries:

https://jsac.jpcert.or.jp/archive/2025/pdf/JSAC2025_1_5_leon-chang_theo-chen_en.pdf 

https://www.trendmicro.com/en_us/research/25/j/premier-pass-as-a-service.html  

https://malpedia.caad.fkie.fraunhofer.de/actor/earth_estries 

https://malpedia.caad.fkie.fraunhofer.de/actor/ghostemperor

Friday, June 20, 2025

Steam Phishing: popular as ever

A month or so ago a friend of mine received the following message on Steam from someone in their Friends list (they were already friends):

Figure 1 - 'this is for you' (screenshot of the Steam chat message, not reproduced in text)

The two links are different and refer to a Gift Card on Steam's community platform. As you might have noticed, the domain is not related to Steam at all, but rather is an attempt at phishing.

The URLs are:

stermcormmunity[.]com/gift-card/
steamcoummuniity[.]com/gift-card/

The differences are subtle enough that you may just miss them. When you click on the link, you are redirected to a 'Summer Gift Marathon'.

Figure 2 - Fake Steam website


Once you log in to the fake Steam website, your credentials are stolen and will be used to spread more phishing, likely steal your inventory items and so on.

Other phishing sites related to this campaign are:

steam-pubgvn[.]top
steamauthconnection[.]store
steamcommnunity[.]com
steamcommunitay[.]com
steamcommunitfy[.]com
steamcommunitihy[.]icu
steamcommunitiny[.]com
steamcommunitweya[.]art
steamcommunl1ty[.]com
steamcommunllity[.]com
steamcommunty[.]ru
steamcommununity[.]cam
steamcommunutiy[.]com
steamcomnunityty[.]com
steamcomnunlity[.]com
steamcomnuty[.]com
steamcomrnnunlty[.]com
steamcomun1ty[.]com
steamcomuniry[.]com
steamconmunify[.]com
steamconnection[.]store
steamcornmunlty[.]ru
steamcornrnunlty[.]ru
steamlinks-short[.]com
stearncommunjty[.]com
stearncommunnity[.]com
stearncomnunity[.]com
stearncornnunity[.]com
steeamcommunitty[.]com
unevwsteeamcommunitty[.]com 

New ones do pop up from time to time, so stay vigilant. 
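As an added example (my own code, not part of the original post), here is a small Python check that flags domains like the ones listed above. It normalises common letter tricks (rn for m, 1 for i, and so on), computes how close the second-level label is to "steamcommunity" with an approximate-substring edit distance, and otherwise flags any non-allowlisted domain that still carries the "steam" brand. The allowlist, the confusable table and the distance threshold are my assumptions for this example; the `PHISHING_DOMAINS` list is copied from the post.

```python
"""Flag Steam look-alike domains such as the ones listed in this post.

Added example (not from the original post): the allowlist, the confusable
table and the thresholds are illustrative choices, not Valve's or anyone's
official list.
"""
from __future__ import annotations

BRAND = "steamcommunity"
# Assumed allowlist of genuine Steam domains for this example.
ALLOWLIST = {"steamcommunity.com", "steampowered.com"}
# Character sequences often used to imitate another letter in a hostname.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("1", "i"), ("0", "o")]

# The phishing domains listed in the post, still defanged.
PHISHING_DOMAINS = """
stermcormmunity[.]com steamcoummuniity[.]com steam-pubgvn[.]top steamauthconnection[.]store
steamcommnunity[.]com steamcommunitay[.]com steamcommunitfy[.]com steamcommunitihy[.]icu
steamcommunitiny[.]com steamcommunitweya[.]art steamcommunl1ty[.]com steamcommunllity[.]com
steamcommunty[.]ru steamcommununity[.]cam steamcommunutiy[.]com steamcomnunityty[.]com
steamcomnunlity[.]com steamcomnuty[.]com steamcomrnnunlty[.]com steamcomun1ty[.]com
steamcomuniry[.]com steamconmunify[.]com steamconnection[.]store steamcornmunlty[.]ru
steamcornrnunlty[.]ru steamlinks-short[.]com stearncommunjty[.]com stearncommunnity[.]com
stearncomnunity[.]com stearncornnunity[.]com steeamcommunitty[.]com unevwsteeamcommunitty[.]com
""".split()


def refang(domain: str) -> str:
    """Undo '[.]' defanging and lower-case the host name."""
    return domain.replace("[.]", ".").strip().lower()


def normalise(label: str) -> str:
    """Collapse look-alike sequences so 'stearn' and 'steam' compare equal."""
    for fake, real in CONFUSABLES:
        label = label.replace(fake, real)
    return label


def approx_substring_distance(pattern: str, text: str) -> int:
    """Smallest edit distance between `pattern` and any substring of `text`.

    Sellers' dynamic programme: row 0 is all zeros so a match may start anywhere
    in `text`, and taking the minimum of the last row lets it end anywhere.
    """
    prev = [0] * (len(text) + 1)
    for i, p in enumerate(pattern, start=1):
        cur = [i] + [0] * len(text)
        for j, t in enumerate(text, start=1):
            cur[j] = min(prev[j] + 1,              # pattern char left unmatched
                         cur[j - 1] + 1,           # extra text char
                         prev[j - 1] + (p != t))   # match or substitution
        prev = cur
    return min(prev)


def classify(domain: str, max_distance: int = 3) -> str:
    """Return 'allowlisted', 'lookalike', 'brand-abuse' or 'ok' for a host name.

    The registrable domain is taken as the last two labels; a real deployment
    would consult the Public Suffix List instead.
    """
    parts = refang(domain).split(".")
    registrable = ".".join(parts[-2:]) if len(parts) >= 2 else parts[0]
    if registrable in ALLOWLIST:
        return "allowlisted"
    label = normalise(parts[-2] if len(parts) >= 2 else parts[0])
    if approx_substring_distance(BRAND, label) <= max_distance:
        return "lookalike"
    if "steam" in label:
        return "brand-abuse"
    return "ok"


if __name__ == "__main__":
    for d in PHISHING_DOMAINS + ["steamcommunity.com", "example.com"]:
        print(f"{classify(d):<12} {d}")
```

The substring-based distance matters for entries such as unevwsteeamcommunitty[.]com, where junk is prepended to the brand; a plain Levenshtein distance against the whole label would miss it.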

Tips

  • Only log in on the legitimate Steam community website, this being https://steamcommunity.com/. An extra tip is to bookmark the legitimate site, so even if you do get a message like this, you can go straight to your bookmark and search for what you need from there.
  • If someone new tries to add you as a Friend and immediately sends a message like the above, alarm bells should start ringing.
  • If someone already on your Friends list suddenly sends a random message with an even more random link out of the blue, cue the alarm bells again.
  • If you want to check the website out in a safe manner, you can use URLscan.io, which will give you a verdict on the website as well as an image preview. In addition, you can use VirusTotal to review a website's reputation.
  • Note that an 'all clean' verdict does not necessarily mean the site is clean. Caution above all!
  • Follow Steam's Account Security Recommendations to stay safe.


Wednesday, August 14, 2024

Microsoft Word and Sandboxes

Today's post is a brief one on some Microsoft Word and sandbox detection / discovery / fun.

Collect user name from Microsoft Office

Most sandboxes will flag it one way or another if a tool or malware tries to collect system or user information. But what if we collect the user name via the registry, and more specifically, the user info that Microsoft Office sees?

This information is stored in the Current User hive, Software\Microsoft\Office\Common\UserInfo.

Ten seconds of code and we can whip up the following PowerShell:

# Read the user name Microsoft Office stores for the current user
$userName = (Get-ItemProperty -Path "HKCU:\Software\Microsoft\Office\Common\UserInfo").UserName

# Hand it to a harmless process so it shows up in the process tree
Start-Process -FilePath "notepad.exe" -ArgumentList $userName
 
And we get something like:

[Screenshot: Notepad started with the Office user name as its argument (not reproduced in text)]

and the process tree:

[Screenshot: process tree (not reproduced in text)]
Some sandboxes had a username of "Admin", "admin" or a completely random name. 
 
In short, it's a potential technique for stealthier reconnaissance that may not trigger a sandbox or detection mechanism.


Run a Microsoft Word doc with an .asd extension

When Microsoft Word crashes, it will (usually) attempt to create a backup copy of all your opened documents. It typically saves these backups as .wbk (Word Backup) or .asd (Autosave or Autorecover) files.

These will be saved in one of these directories in normal circumstances:
  • C:\Users\USERNAME\AppData\Local\Microsoft\Word
  • C:\Users\USERNAME\AppData\Roaming\Microsoft\Word
  • C:\Users\USERNAME\AppData\Local\Temp
  • C:\Users\USERNAME\AppData\Local\Microsoft\Office\UnsavedFiles

Most sandboxes however will be able to open the file just fine, but not all...:

[Screenshot: sandbox failing to open the .asd file (not reproduced in text)]
I haven't seen much use of actual .asd files, likely as the documents will need to be loaded from one of the above directories, however... after crafting your malicious document, you can simply rename it from badfile.docx to badfile.asd, and it will run fine.

It seems at least one actor has used an .asd extension before, as reported on by Didier Stevens:

https://isc.sans.edu/diary/CrowdStrike+Outage+Themed+Maldoc/31116

In short, it's another way of evading sandboxes or other potential detection mechanisms that may not support these .asd or .wbk extensions, or even consider them harmless.
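From the defender's side, the trick above is easy to turn into a check: an .asd or .wbk file whose bytes say "Word document" but which sits outside the directories Word itself writes backups to deserves a second look. The Python below is an added example (my own code, not from the post or from Microsoft): it sniffs the container type from the file header, notes whether an OOXML document carries a vbaProject.bin part, and compares the location against the directory list from the post. The sample files it builds in a temporary directory are constructed stand-ins, not real documents.

```python
"""Find Office documents hiding behind the .asd / .wbk backup extensions.

Added example (not from the original post): the sample files are constructed
in a temporary directory, and the directory list mirrors the one in the post.
"""
from __future__ import annotations

import tempfile
import zipfile
from pathlib import Path

BACKUP_EXTENSIONS = {".asd", ".wbk"}
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy binary Office container
ZIP_MAGIC = b"PK\x03\x04"                        # OOXML (.docx/.docm) is a zip
# Directories from the post where Word normally writes backups, as lower-case fragments.
EXPECTED_DIR_FRAGMENTS = (
    "/appdata/local/microsoft/word/",
    "/appdata/roaming/microsoft/word/",
    "/appdata/local/temp/",
    "/appdata/local/microsoft/office/unsavedfiles/",
)


def sniff_content(path: Path) -> tuple[str, bool]:
    """Return (content_type, has_vba) judged from the bytes, ignoring the extension."""
    with path.open("rb") as fh:
        head = fh.read(8)
    if head.startswith(OLE_MAGIC):
        return "ole-compound", False   # VBA detection for OLE needs an OLE parser; out of scope
    if head.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(path) as zf:
                names = set(zf.namelist())
        except zipfile.BadZipFile:
            return "zip-corrupt", False
        if "[Content_Types].xml" in names and any(n.startswith("word/") for n in names):
            return "ooxml-word", "word/vbaProject.bin" in names
        return "zip-other", False
    return "other", False


def in_expected_backup_dir(path: Path) -> bool:
    """True when the file lives under one of Word's own backup directories."""
    norm = path.resolve().as_posix().lower()
    return any(fragment in norm for fragment in EXPECTED_DIR_FRAGMENTS)


def assess(path: Path) -> dict:
    """Flag Word documents that carry a backup extension outside the expected directories."""
    content, has_vba = sniff_content(path)
    ext = path.suffix.lower()
    is_office_doc = content in ("ooxml-word", "ole-compound")
    suspicious = ext in BACKUP_EXTENSIONS and is_office_doc and not in_expected_backup_dir(path)
    return {"path": str(path), "extension": ext, "content": content,
            "has_vba": has_vba, "suspicious": suspicious}


def write_ooxml_stub(path: Path, with_vba: bool) -> None:
    """Write a minimal zip shaped like a Word document (constructed, not a real file)."""
    path.parent.mkdir(parents=True, exist_ok=True)
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            zf.writestr("word/vbaProject.bin", b"placeholder bytes, not a real VBA project")


def demo() -> dict[str, dict]:
    """Build three constructed sample files, assess each, and return results by case name."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        cases = {
            "renamed_macro_doc": root / "Users/user/Downloads/badfile.asd",
            "autorecover_in_place": root / "Users/user/AppData/Local/Microsoft/Word/AutoRecovery.asd",
            "plain_text": root / "Users/user/Downloads/notes.wbk",
        }
        write_ooxml_stub(cases["renamed_macro_doc"], with_vba=True)
        write_ooxml_stub(cases["autorecover_in_place"], with_vba=False)
        cases["plain_text"].parent.mkdir(parents=True, exist_ok=True)
        cases["plain_text"].write_text("not a document")
        return {name: assess(p) for name, p in cases.items()}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:<22} suspicious={result['suspicious']!s:<5} "
              f"content={result['content']:<12} vba={result['has_vba']}")
```

The location check is what keeps the noise down: Word's own AutoRecover files live in the listed directories, so the rule only fires on a document that was renamed and dropped somewhere else, such as a Downloads folder.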


Thursday, June 20, 2024

New North Korean based backdoor packs a punch


In recent months, North Korean based threat actors have been ramping up attack campaigns in order to achieve a myriad of objectives, whether for financial gain or with espionage purposes in mind. The North Korean cluster of attack groups is peculiar in that there is considerable overlap between groups, and it is not always straightforward to attribute a specific campaign to a specific threat actor.

In this research paper we analyse a new threat campaign, discovered in late May, and which features multiple layers and ultimately delivers a seemingly new and previously undocumented backdoor.

The threat campaign is specifically focused on Aerospace and Defense companies: sectors appealing to multiple threat actors, but of particular interest to North Korean threat groups in other recent campaigns. We have named this threat campaign “Niki” as it refers to the potential malware developer(s).

Read the report here: https://cyberarmor.tech/new-north-korean-based-backdoor-packs-a-punch/

Direct link to report, PDF: https://cyberarmor.tech/wp-content/uploads/2024/06/New-North-Korean-based-backdoor-packs-a-punch.pdf