Chinese Hackers Deploy Stealthy ‘GhostSpider’ Malware to Infiltrate Global Telecoms

Chinese APT Group Salt Typhoon: New Cyber Threats Revealed

Key Findings:
– Trend Micro has discovered Salt Typhoon (also known as Earth Estries, GhostEmperor, or UNC2286) using a new backdoor called “GhostSpider”
– The group has successfully breached major US telecommunications providers including Verizon, AT&T, Lumen Technologies, and T-Mobile
– 150 victims, primarily in the D.C. area, were notified of compromised communications

Primary Targets:
– Telecommunications providers
– Government organizations
– Critical infrastructure
– Technology and consulting firms
– Chemical and transportation sectors

Notable Tools:
1. GhostSpider (New Backdoor):
– Designed for stealthy, long-term espionage
– Operates in memory only
– Uses encrypted communications
– Features modular command structure

2. Additional Arsenal:
– Masol RAT (Linux backdoor)
– Demodex (rootkit)
– SnappyBee (shared modular backdoor)
– Various other tools including SparrowDoor, CrowDoor, and ShadowPad

Attack Campaigns:
1. Alpha Campaign:
– Targeted Taiwanese government and chemical producers
– Utilized Demodex and SnappyBee

2. Beta Campaign:
– Focused on Southeast Asian telecommunications and government networks
– Employed GhostSpider and Demodex

Initial Access Methods:
– Exploitation of vulnerable public-facing endpoints
– Targeting known vulnerabilities in VPNs, firewalls, and Microsoft Exchange

Impact:
The group has successfully compromised at least 20 critical organizations globally, including access to private communications of US government officials and court-authorized wiretapping requests.

Security Implications:
Organizations are advised to implement multi-layered cybersecurity defenses due to Salt Typhoon’s sophisticated capabilities and aggressive nature.