
Salt Typhoon Targets Telecoms With GhostSpider

Dec 6, 2024 1:33:32 PM / by The Hivemind

Related Families: Demodex
Verticals Targeted: Telecommunications 

Executive Summary

Salt Typhoon, a China-nexus APT group, was recently observed using the GhostSpider backdoor to target telecommunications companies.

Key Takeaways

  • Salt Typhoon, a China-nexus APT group, was recently observed using the GhostSpider backdoor to target telecommunications companies. 
  • GhostSpider is a sophisticated, multi-modular backdoor; its modules are delivered on demand and loaded in memory, which makes it flexible and harder to detect and analyze. 
  • Industry analysts characterize the group's activity as highly sophisticated, organized cyber espionage. 
  • The group potentially accessed wiretapping (lawful-intercept) systems at multiple major US carriers that are used by US law enforcement agencies.

What is GhostSpider?

Salt Typhoon, a China-nexus APT group, was recently observed using the GhostSpider backdoor to target telecommunications companies. Industry analysts characterize the group's activity as highly sophisticated, organized cyber espionage. The group potentially accessed wiretapping (lawful-intercept) systems at multiple major US carriers that are used by US law enforcement agencies. T-Mobile is thought to be among Salt Typhoon's victims. Trend Micro reported on this activity.

GhostSpider is a sophisticated, multi-modular backdoor. It communicates with its C2 over a custom protocol wrapped in TLS. According to Trend Micro, the infection chain begins with a stager DLL that is registered through the legitimate Windows utility regsvr32.exe and installed as a service. Because regsvr32.exe is a signed Microsoft binary, the service entry itself looks benign; the tell is a service image path that points regsvr32.exe at an unexpected DLL. When the stager runs, it connects to the C2 and receives a DLL module that it loads and executes in memory. This module gathers information about the host and sends it back to the C2, after which the stager waits for follow-on payloads.

The next phase of the infection chain deploys the beacon loader, a GhostSpider module that in turn launches the beacon payload in memory. The beacon supports several commands, including “upload”, “create”, “normal”, “close”, “update”, and “Heartbeat”. It is segmented into distinct parts, each with a specific role, and further modules are retrieved from the C2 and reflectively loaded into memory through the beacon's commands. This lets the operators tailor the implant to each target, which makes GhostSpider a flexible and adaptable backdoor; because the modules arrive on demand and run only in memory, it also makes detection and analysis more difficult. 
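The regsvr32.exe-as-a-service persistence described above is the most log-visible step of this chain, so it is a natural hunting pivot. The Python below is an added example, not PolySwarm's or Trend Micro's code. It parses constructed records modelled on Windows System log Event ID 7045 ("A service was installed in the system") flattened to key=value form (that layout, the field names and every path in the samples are assumptions) and flags services whose image path invokes regsvr32.exe, adding weight when the registration is silent (/s) or the DLL lives outside the Windows and Program Files directories.

```python
"""Hunt for services registered through regsvr32.exe.

Added example, not PolySwarm's or Trend Micro's code. SAMPLE_EVENTS are
constructed records modelled on Windows System log Event ID 7045, flattened
to key=value form; that layout, the field names and every path below are
assumptions made for the example.
"""
import re

SAMPLE_EVENTS = [
    # Constructed sample data: one ordinary service, three regsvr32 registrations
    # (two pointing at DLLs in user-writable paths, one at System32) and one
    # non-7045 event that must be ignored.
    'EventID=7045 ServiceName="AcmeAgent" ImagePath="C:\\Program Files\\Acme\\agent.exe --service"',
    'EventID=7045 ServiceName="UpdateHelper" ImagePath="C:\\Windows\\System32\\regsvr32.exe /s C:\\ProgramData\\Intel\\update.dll"',
    'EventID=7045 ServiceName="Spooler2" ImagePath="regsvr32.exe /s /n /i:inst C:\\Users\\Public\\sp.dll"',
    'EventID=7045 ServiceName="SysReg" ImagePath="C:\\Windows\\System32\\regsvr32.exe C:\\Windows\\System32\\legit.dll"',
    'EventID=7036 ServiceName="BITS" ImagePath=""',
]

# key=value pairs; a value is either double-quoted (may contain spaces) or bare.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# regsvr32 as the service binary, with or without a directory and the .exe suffix.
REGSVR32_RE = re.compile(r'(?:^|[\\/\s"])regsvr32(?:\.exe)?(?:\s|$)', re.IGNORECASE)
# Drive-letter paths ending in .dll (paths containing spaces are not handled here).
DLL_RE = re.compile(r'[A-Za-z]:\\[^\s"]+?\.dll', re.IGNORECASE)
# regsvr32's silent switch, which suppresses the success/failure dialog.
SILENT_RE = re.compile(r'(?:^|\s)/s(?:\s|$)', re.IGNORECASE)
TRUSTED_PREFIXES = (
    'c:\\windows\\system32\\', 'c:\\windows\\syswow64\\',
    'c:\\program files\\', 'c:\\program files (x86)\\',
)


def parse_event(line):
    """Turn one flattened record into a dict of field -> value."""
    fields = {}
    for m in FIELD_RE.finditer(line):
        key, quoted, bare = m.groups()
        fields[key] = quoted if quoted is not None else bare
    return fields


def classify_service(fields):
    """Return the reasons a 7045 record looks suspicious (empty list = benign)."""
    if fields.get('EventID') != '7045':
        return []
    image = fields.get('ImagePath', '')
    reasons = []
    if REGSVR32_RE.search(image):
        reasons.append('service binary is regsvr32.exe (a DLL registered as a service)')
        if SILENT_RE.search(image):
            reasons.append('silent registration (/s) suppresses the regsvr32 dialog')
        for dll in DLL_RE.findall(image):
            if not dll.lower().startswith(TRUSTED_PREFIXES):
                reasons.append(f'DLL outside trusted directories: {dll}')
    return reasons


def hunt(lines):
    """Return (service name, image path, reasons) for every suspicious record."""
    hits = []
    for line in lines:
        fields = parse_event(line)
        reasons = classify_service(fields)
        if reasons:
            hits.append((fields.get('ServiceName', '?'), fields.get('ImagePath', ''), reasons))
    return hits


if __name__ == '__main__':
    for name, image, reasons in hunt(SAMPLE_EVENTS):
        print(f'[!] {name}: {image}')
        for reason in reasons:
            print(f'    - {reason}')
```

Run against the constructed records, the two registrations that point regsvr32.exe at DLLs under ProgramData and Users\Public collect three reasons each, the System32 registration collects one (still worth a look, but far weaker), and the ordinary service and the non-7045 event are left alone. Feeding the same function real 7045 records exported from the System log, or the equivalent Sysmon process-creation events, is the intended use.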

Who is Salt Typhoon?

Salt Typhoon, also known as Earth Estries, FamousSparrow, GhostEmperor, and UNC2286, is a China-nexus threat actor that bears the hallmarks of a state-sponsored and highly sophisticated group. It has been active since at least 2020 and is known to target critical entities such as government and telecommunications organizations, as well as their vendor networks. Other targets include technology consulting, chemical, and transportation firms, as well as NGOs. Most of its victims have been located in the US, APAC, the Middle East, and South Africa.

Some of Salt Typhoon's tools include SnappyBee (DeedRAT), GhostSpider, Masol RAT, SparrowDoor, CrowDoor, ShadowPad, NeoReGeorg, frpc, Cobalt Strike, and the Demodex rootkit. The group is known to exploit multiple CVEs, including CVE-2023-46805, CVE-2024-21887, CVE-2023-48788, CVE-2022-3236, CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065. Due to the precision of the group's attacks and the recent increase in its activity, PolySwarm analysts consider Salt Typhoon a sophisticated and emerging threat.

IOCs

PolySwarm has multiple samples of GhostSpider, including the following SHA-256 hashes:

Fc3be6917fd37a083646ed4b97ebd2d45734a1e154e69c9c33ab00b0589a09e5

25b9fdef3061c7dfea744830774ca0e289dba7c14be85f0d4695d382763b409b

05840de7fa648c41c60844c4e5d53dbb3bc2a5250dcb158a95b77bc0f68fa870

B2b617e62353a672626c13cc7ad81b27f23f91282aad7a3a0db471d84852a9ac

2fd4a49338d79f4caee4a60024bcd5ecb5008f1d5219263655ef49c54d9acdec

You can use the following CLI command to search for all GhostSpider samples in our portal:

$ polyswarm link list -f GhostSpider
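For a local sweep with the hashes published above, the Python below is an added example, not PolySwarm's tooling: it computes the SHA-256 of every file under a directory (the directory is the caller's choice) and compares it with the bulletin's list. It normalises digests to lowercase before comparing, because pasted IOC lists often mix case while hashlib emits lowercase, and a byte-for-byte string comparison would silently miss otherwise-identical digests.

```python
"""Sweep a directory tree for files matching the GhostSpider SHA-256 hashes.

Added example, not PolySwarm's own tooling. The hashes are the ones
published in this bulletin; the directory to sweep is supplied by the caller.
"""
import hashlib
import os
import sys

PUBLISHED_IOCS = [
    'Fc3be6917fd37a083646ed4b97ebd2d45734a1e154e69c9c33ab00b0589a09e5',
    '25b9fdef3061c7dfea744830774ca0e289dba7c14be85f0d4695d382763b409b',
    '05840de7fa648c41c60844c4e5d53dbb3bc2a5250dcb158a95b77bc0f68fa870',
    'B2b617e62353a672626c13cc7ad81b27f23f91282aad7a3a0db471d84852a9ac',
    '2fd4a49338d79f4caee4a60024bcd5ecb5008f1d5219263655ef49c54d9acdec',
]

HEX_DIGITS = frozenset('0123456789abcdef')


def normalise(digest):
    """Lowercase a hex digest and reject anything that is not 64 hex characters.

    hashlib.sha256().hexdigest() is lowercase, so an uppercased IOC entry would
    never compare equal unless it is normalised first.
    """
    digest = digest.strip().lower()
    if len(digest) != 64 or not set(digest) <= HEX_DIGITS:
        raise ValueError(f'not a SHA-256 hex digest: {digest!r}')
    return digest


IOC_SET = frozenset(normalise(h) for h in PUBLISHED_IOCS)


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in 1 MiB chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, 'rb') as fh:
        for block in iter(lambda: fh.read(chunk_size), b''):
            h.update(block)
    return h.hexdigest()


def sweep(root, iocs=IOC_SET):
    """Return (path, digest) for every file under root whose SHA-256 is in iocs."""
    matches = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                digest = sha256_file(path)
            except OSError:
                continue  # unreadable, or removed between listing and hashing
            if digest in iocs:
                matches.append((path, digest))
    return matches


if __name__ == '__main__':
    target = sys.argv[1] if len(sys.argv) > 1 else '.'
    found = sweep(target)
    for path, digest in found:
        print(f'[!] GhostSpider IOC match: {path} ({digest})')
    print(f'{len(found)} match(es) under {target}')
```

A hash sweep only catches files identical to the published samples; a rebuilt or repacked stager will not match, which is why the service-registration hunt above is the better long-term detection and this list is best treated as a quick confirmation step.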

Topics: Threat Bulletin, APT, China, Emerging Threat, Salt Typhoon, GhostSpider
