Novel GhostSpider malware part of Salt Typhoon's attack arsenal

Telecommunications firms and government organizations across Southeast Asia have been targeted by the Chinese state-backed threat operation Salt Typhoon, also known as UNC2286, GhostEmperor, and Earth Estries, in attacks involving the new modular GhostSpider backdoor and the Demodex rootkit as part of a long-term cyberespionage campaign, reports BleepingComputer. After achieving initial network access through the exploitation of Ivanti Connect Secure VPN, Fortinet FortiClient EMS, Sophos Firewall, and Microsoft Exchange vulnerabilities, Salt Typhoon deploys GhostSpider, which ensures stealth through its expansive module command support, alongside other backdoors, according to a Trend Micro analysis. Additional tools leveraged by Salt Typhoon include the Linux backdoor Masol RAT, the remote access backdoor SparrowDoor, the data-exfiltrating malware CrowDoor, the NeoReGeorg tunneling tool, Cobalt Strike, the open-source reverse proxy tool frpc, and the SnappyBee and ShadowPad payloads shared with other Chinese threat groups. Salt Typhoon's extensive toolset should prompt the implementation of improved cyber defenses, said Trend Micro.