In August 2023, TrendMicro published a blog post announcing a new sophisticated Advanced Persistent Threat (APT) campaign known as “Earth Estries.” The campaign specifically targeted government-related organizations and technology companies in the Philippines, Taiwan, South Africa, Germany, and the United States.

From this information and open source intelligence, we identified several characteristics within the attack infrastructure. These included the watermark of Cobalt Strike and WHOIS registration details of the C2 servers, which allowed us to discover concealed C2 domains and IP addresses associated with further hidden attack infrastructure.

After further detailed analysis of the unknown malware, we concluded by reverse engineering that this malware is a new form of malware that shares code similarities and data structures with Deed RAT, a variant of ShadowPad. Therefore, we strongly believe that this is a new variant of Deed RAT.

The purpose of this presentation is to share a comprehensive analysis of Cobalt Strike Beacon and an analysis of BLOODALCHEMY characteristics not covered in the Elastic Security blog, based on a survey of APT activity in 2023.

In addition, we will describe the methodology for identifying Deed RAT variants, thereby revealing the associated attack infrastructure, with the aim of tracking the activities of these threat actors, which can be applied to botnet actors as well as APTs.