Chinese-origin Earth Longzhi appears again with better tricks

A Chinese government-sponsored hacking group has returned with a new campaign aimed at government entities, healthcare, technology firms, and manufacturing entities based in Taiwan, Thailand, the Philippines, and Fiji after a hiatus of over six months.

Trend Micro analysis

Trend Micro has attributed the intrusion set to a cyber espionage team it tracks as Earth Longzhi. The group is a subgroup of APT41 and shares similarities with several other clusters, including Earth Baku, SparklingGoblin, and GroupCC.

To gain initial access, the threat actors exploit vulnerable public-facing applications and implant the BEHINDER web shell. They then use that foothold to deliver additional payloads, including a new iteration of a Cobalt Strike loader known as CroxLoader.

According to Trend Micro, the current campaign:

  • abuses a Windows Defender executable to perform DLL sideloading;
  • exploits a vulnerable driver, zamguard64.sys, to disable security products installed on the hosts via a bring-your-own-vulnerable-driver (BYOVD) attack;
  • uses a new way to disable security products, a technique called “stack rumbling” via Image File Execution Options (IFEO), which is a recent denial-of-service (DoS) technique.

New CroxLoader variant

In its latest campaign, Earth Longzhi:

  • installed Windows Defender binaries as a system service, and
  • launched a new version of CroxLoader disguised as MpClient.dll.

The CroxLoader variant then reads the payload, named MpClient.bin, and decrypts its contents. The new variant is almost identical to its predecessors, except that it uses a distinct decryption algorithm.
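The three techniques listed above (Defender binary sideloading a fake MpClient.dll, the zamguard64.sys BYOVD driver, and IFEO-based "stack rumbling") all leave telemetry that a defender can match on. The following is an added example, not code from the article or from Trend Micro: a small detector that runs over constructed Sysmon-style events and flags each of those behaviours. The Defender executable names (MsMpEng.exe, MpCmdRun.exe), the legitimate install roots, the list of protected processes, and the sample events are all assumptions made for the example; the article itself only says "a Windows Defender executable" and does not name which IFEO value is written.

```python
# Added example (not from the article): flag the host-level traces of the
# Earth Longzhi techniques described above in Sysmon-style events.
# Event IDs follow Sysmon conventions: 1 = process create, 6 = driver load,
# 7 = image (DLL) load, 13 = registry value set.

# Assumption: the Defender service/CLI binaries an attacker would co-locate
# with a malicious MpClient.dll. The article only says "a Windows Defender executable".
DEFENDER_BINARIES = {"msmpeng.exe", "mpcmdrun.exe"}

# Assumption: the directories Defender legitimately runs from (lower-cased prefixes).
DEFENDER_INSTALL_ROOTS = (
    "c:\\program files\\windows defender\\",
    "c:\\programdata\\microsoft\\windows defender\\platform\\",
)

# Driver named in the report as the BYOVD component.
KNOWN_VULNERABLE_DRIVERS = {"zamguard64.sys"}

# Assumption: security-product process names whose IFEO keys should never be written.
PROTECTED_PROCESSES = {"msmpeng.exe", "mpcmdrun.exe"}
IFEO_PREFIX = (
    "hklm\\software\\microsoft\\windows nt\\currentversion\\"
    "image file execution options\\"
)


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def in_defender_root(path):
    """True if the path sits under one of the expected Defender install roots."""
    p = path.lower()
    return any(p.startswith(root) for root in DEFENDER_INSTALL_ROOTS)


def analyze_event(ev):
    """Return a list of (rule, detail) findings for one event dict."""
    findings = []
    eid = ev.get("EventID")
    image = ev.get("Image", "")

    # Defender binary executed from outside its install location: the
    # pre-condition for sideloading a planted MpClient.dll next to it.
    if eid == 1 and basename(image) in DEFENDER_BINARIES and not in_defender_root(image):
        findings.append(("defender_binary_outside_install_dir", image))

    # MpClient.dll loaded from a non-standard directory: the sideloaded loader.
    if eid == 7:
        loaded = ev.get("ImageLoaded", "")
        if basename(loaded) == "mpclient.dll" and not in_defender_root(loaded):
            findings.append(("mpclient_dll_sideload", f"{image} loaded {loaded}"))

    # Known vulnerable driver loaded (BYOVD).
    if eid == 6 and basename(ev.get("ImageLoaded", "")) in KNOWN_VULNERABLE_DRIVERS:
        findings.append(("vulnerable_driver_load", ev.get("ImageLoaded")))

    # Any value written under a protected process's IFEO key. Stack rumbling
    # works through IFEO, so the rule fires regardless of which value is set.
    if eid == 13:
        target = ev.get("TargetObject", "").lower()
        if target.startswith(IFEO_PREFIX):
            exe, _, value = target[len(IFEO_PREFIX):].partition("\\")
            if exe in PROTECTED_PROCESSES:
                findings.append(("ifeo_tamper_security_product", f"{exe}\\{value}"))
    return findings


def analyze(events):
    """Run analyze_event over an iterable of events and collect all findings."""
    out = []
    for ev in events:
        out.extend(analyze_event(ev))
    return out


# Constructed sample telemetry: four malicious events followed by two benign ones.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Users\Public\Libraries\MsMpEng.exe"},
    {"EventID": 7, "Image": r"C:\Users\Public\Libraries\MsMpEng.exe",
     "ImageLoaded": r"C:\Users\Public\Libraries\MpClient.dll"},
    {"EventID": 6, "ImageLoaded": r"C:\Windows\Temp\zamguard64.sys"},
    # Assumption: the value name here is only illustrative; the rule matches any value.
    {"EventID": 13, "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
                                    r"\Image File Execution Options\MsMpEng.exe\MinimumStackCommitInBytes"},
    {"EventID": 1, "Image": r"C:\Program Files\Windows Defender\MsMpEng.exe"},
    {"EventID": 7, "Image": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "ImageLoaded": r"C:\Program Files\Windows Defender\MpClient.dll"},
]

if __name__ == "__main__":
    for rule, detail in analyze(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

The two benign events (Defender and its real MpClient.dll under Program Files) produce no findings; the four constructed malicious events each trip exactly one rule. In a real deployment the install roots would come from the endpoint's actual Defender platform path rather than a fixed list.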

Figure (source: Trend Micro): Earth Longzhi execution chain.

How do we know the targets were Asian countries?

The embedded decoy documents found were in Indonesian and Vietnamese, which suggests the threat actors' next targets.

Source: Trend Micro

When it first started

In November 2022, the cybersecurity firm first documented Earth Longzhi, detailing its assaults on various organizations in East and Southeast Asia and Ukraine.

“We classify Earth Longzhi as an advanced persistent threat (APT) group that concentrates on Asia-Pacific. Our examination of two separate campaigns established that the group aims at sectors related to the national security and economies of countries in the region. Their actions in these campaigns reveal that they possess expertise in red-team operations.”

“Earth Longzhi employs social engineering tactics to distribute their malware and employs customized hacking tools to bypass security products and exfiltrate sensitive data from compromised systems. In general, it appears that Earth Longzhi is playing a real-world version of Hack The Box, an online platform for penetration testing, from a security perspective.”

Various threat-hunting findings

Some forecasts can be made from the above information. The decoy documents suggest that future attacks could target South Asian countries, specifically Vietnam and Indonesia.

The group might use Task Scheduler as a new technique in future attacks, and it seems inclined to incorporate open-source projects into its tooling. The tactic categories likely to feature next are:

  • Credential access
  • Execution
  • Defense evasion
  • Persistence
  • Privilege escalation

Drawing the curtains…

A group that uses red-team tactics, social engineering, and customized hacking tools in every attack is hard to keep track of. Its defining traits are bypassing security measures, stealing sensitive information, and compromising systems.

These digital terrorists are playing high-stakes games in the real world. It is up to us whether we become victims or stand firm against them. Keep your systems hardened against these stealthy tactics!

author

PureVPN

date

May 4, 2023