Malware linked to Salt Typhoon used to hack telcos around the world
Those with firsthand knowledge of Salt Typhoon’s hack of several U.S. telecommunications companies have called the group’s actions some of the most sophisticated cyber-espionage efforts they have ever seen. A prominent security vendor may have unearthed some malware that shows why.
Trend Micro released a report Monday that gives details on the tactics, techniques and procedures used by Salt Typhoon, which the company referred to as one of “the most aggressive Chinese advanced persistent threat (APT) groups” currently in operation.
While the company explicitly states that it has no evidence the malware detailed in the report was used in the telecom hacks, Trend Micro researchers write that several pieces of malware used by the group have been used to infiltrate other telecommunications companies and government entities around the world. Trend Micro tracks the group as “Earth Estries”; it is also known as FamousSparrow, GhostEmperor, and UNC2286, and has used the malware in the U.S., Asia-Pacific, Middle East, and South Africa.
The report focuses on how the group gains access, what malware is deployed, and how it stays hidden on infiltrated systems. The group capitalizes on several known vulnerabilities, including:
From there, Trend Micro says the group favors legitimate administrative tools such as Windows Management Instrumentation Command (WMIC.exe) or PsExec to move further into networks.
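A defender-side example, added here and not taken from Trend Micro's report: a small Python detector that scans process-creation records for remote use of the WMIC.exe and PsExec tools named above, separating them from routine local administration. The log format, host names, users and paths are constructed for the demonstration and are not a real Windows or Sysmon export.

```python
import re
from pathlib import PureWindowsPath
from typing import Optional

# Constructed sample of process-creation records in a simplified key=value form
# (not a real Windows/Sysmon export); hosts, users and paths are invented.
SAMPLE_LOG = """\
host=WS-042 user=CORP\\jdoe parent=explorer.exe image=C:\\Windows\\System32\\wbem\\WMIC.exe cmd="wmic os get caption"
host=WS-042 user=CORP\\svc_backup parent=cmd.exe image=C:\\Windows\\System32\\wbem\\WMIC.exe cmd="wmic /node:FS-01 process call create notepad.exe"
host=FS-01 user=SYSTEM parent=services.exe image=C:\\Windows\\PSEXESVC.exe cmd="C:\\Windows\\PSEXESVC.exe"
host=WS-042 user=CORP\\jdoe parent=explorer.exe image=C:\\Windows\\System32\\notepad.exe cmd="notepad.exe"
host=WS-042 user=CORP\\svc_backup parent=cmd.exe image=C:\\Tools\\PsExec.exe cmd="PsExec.exe \\\\FS-01 -s cmd.exe"
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_line(line: str) -> dict:
    """Split one record into a dict; quoted values keep their spaces."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def classify(rec: dict) -> Optional[str]:
    """Return a reason string if the record looks like remote execution, else None."""
    image = PureWindowsPath(rec.get("image", "")).name.lower()
    cmd = rec.get("cmd", "")
    if image == "wmic.exe" and "/node:" in cmd.lower():
        # Local WMIC queries are common admin noise; a /node: target means a remote host.
        return "wmic.exe invoked against a remote host (/node:)"
    if image in ("psexec.exe", "psexec64.exe") and re.search(r"\\\\\S+", cmd):
        return "PsExec launched against a remote host"
    if image == "psexesvc.exe":
        # The service binary PsExec installs on the target; seen on the receiving host.
        return "PSEXESVC service binary started (PsExec target side)"
    return None

def detect(log_text: str) -> list:
    """Run every record through classify() and collect (host, user, reason) alerts."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        reason = classify(rec)
        if reason:
            alerts.append((rec["host"], rec["user"], reason))
    return alerts

if __name__ == "__main__":
    for host, user, reason in detect(SAMPLE_LOG):
        print(f"[{host}] {user}: {reason}")
```

Correlating a WMIC or PsExec alert on the source host with a PSEXESVC or new-process event on the named target within the same minute gives a much stronger signal than either record alone.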
Once inside, the group uses malware described as “backdoors,” which Trend Micro refers to as GhostSpider, SnappyBee, and Masol RAT. Each of these tools exhibits a high level of sophistication, enabling the group to stay hidden within compromised networks. GhostSpider in particular is a multi-modular backdoor designed to deploy various components for specific functions, enhancing its adaptability and making it harder to detect.
The company also details the group’s intricate command and control infrastructure, which Trend Micro says is managed by different specialized teams. This division of labor lets the group carry out different tasks and run several missions at once, and it makes the infrastructure more resilient to takedown.
The group’s ability to persist in networks is a key reason government officials are increasingly concerned about the intrusion into U.S. telecom networks. Sen. Mark Warner, D-Va., told the Washington Post last week that the hack is “the worst telecom hack in our nation’s history – by far” and that the attackers are still in the systems.
While these TTPs can be considered highly sophisticated, the threat group isn’t creating all of its malware from scratch. Trend Micro says the group takes advantage of malware-as-a-service (MaaS) platforms to enhance their strategies, using these services to deploy a variety of malicious tools while saving time and resources. This approach allows them to focus on planning and executing sophisticated attacks while leveraging the latest malware technology.
The espionage campaign reportedly targeted the phones of top members of the Donald Trump campaign — including the president-elect himself — and top U.S. officials. While few details have been made public, a slate of congressional panels has been briefed on the campaign’s details.
You can read the full report on Trend Micro’s research blog.