A state-sponsored Chinese hacking outfit has resurfaced with a new campaign targeting government, healthcare, technology and manufacturing entities based in Taiwan, Thailand, the Philippines and Fiji after more than six months of inactivity.
Trend Micro attributed the set of intrusions to a cyber espionage group tracked under the name Earth Longzhi, which is a subgroup within APT41 (also known as HOODOO or Winnti) and shares overlaps with other groups known as Earth Baku, SparklingGoblin and GroupCC.
Earth Longzhi was first documented by the cybersecurity firm in November 2022, detailing its attacks against various organizations located in East and Southeast Asia, as well as Ukraine.
Attack chains mounted by the threat actor leverage vulnerable public applications as entry points to deploy the BEHINDER web shell and then leverage this access to drop additional payloads, including a new variant of a Cobalt Strike loader called CroxLoader.
“This recent campaign […] abuses a Windows Defender executable to perform DLL sideloading while exploiting a vulnerable driver, zamguard.sys, to disable security products installed on hosts via a bring-your-own-vulnerable-driver attack (BYOVD),” Trend Micro said.
This is by no means the first time Earth Longzhi has used the BYOVD technique, with previous campaigns using the vulnerable driver RTCore64.sys to restrict the execution of security products.
The malware, called SPHijacker, also uses a second method called “stack rumbling” to achieve the same goal, which involves making changes to the Windows Registry to interrupt the flow of process execution and cause targeted applications to deliberately crash when starting.
“This technique is a type of [denial-of-service] attack that abuses undocumented MinimumStackCommitInBytes values in the [Image File Execution Options] registry key,” Trend Micro explained.
“The value of MinimumStackCommitInBytes associated with a specific process in the IFEO registry key will be used to define the minimum stack size to commit on the initialization of the main thread. If the stack size is too large, it will trigger an exception of stack overflow and will terminate the current process.”
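The IFEO mechanism quoted above leaves a simple artifact for defenders: a per-process subkey under Image File Execution Options carrying a MinimumStackCommitInBytes value. The following Python triage script is an added example, not code from Trend Micro or from the article; it parses the text of a `reg export` of that key and flags processes whose configured minimum stack commit is implausibly large. The sample export, the process names in it, and the 1 MiB threshold (taken from the default x64 user-mode thread stack reserve) are constructed assumptions for this example.

```python
"""Triage an exported Image File Execution Options (IFEO) key for the
"stack rumbling" setting: a per-process MinimumStackCommitInBytes value
large enough to crash the target on start-up.

Input is the text of a .reg file as produced by
    reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg
(decode the UTF-16 file to str before calling parse_ifeo_export).
"""
import re
from typing import NamedTuple

IFEO_PREFIX = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
    r"\Image File Execution Options"
)

# Assumption for this example: the default user-mode thread stack reserve on
# x64 Windows is 1 MiB, so a requested up-front commit at or above that size
# is treated as suspicious rather than as legitimate tuning.
SUSPICIOUS_COMMIT_BYTES = 1 * 1024 * 1024


class IfeoFinding(NamedTuple):
    process: str        # subkey path relative to the IFEO key, e.g. "agent.exe"
    commit_bytes: int   # decoded MinimumStackCommitInBytes
    suspicious: bool    # True when commit_bytes >= SUSPICIOUS_COMMIT_BYTES


# A .reg export lists each key as "[full\key\path]" followed by its values.
_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
_VALUE_RE = re.compile(
    r'^"MinimumStackCommitInBytes"=dword:(?P<hex>[0-9a-fA-F]{1,8})$',
    re.IGNORECASE,
)


def parse_ifeo_export(reg_text: str) -> list:
    """Return one IfeoFinding per IFEO subkey that sets MinimumStackCommitInBytes."""
    findings = []
    current_key = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        key_match = _KEY_RE.match(line)
        if key_match:
            current_key = key_match.group("key")
            continue
        value_match = _VALUE_RE.match(line)
        if not (value_match and current_key):
            continue
        # Only per-process subkeys below the IFEO key carry this setting.
        if not current_key.lower().startswith(IFEO_PREFIX.lower() + "\\"):
            continue
        process = current_key[len(IFEO_PREFIX) + 1:]
        commit = int(value_match.group("hex"), 16)
        findings.append(IfeoFinding(process, commit, commit >= SUSPICIOUS_COMMIT_BYTES))
    return findings


def suspicious_processes(reg_text: str) -> list:
    """Names of processes whose IFEO entry would likely crash them at start-up."""
    return [f.process for f in parse_ifeo_export(reg_text) if f.suspicious]


# Constructed sample export: one benign debugger entry, one entry with the
# kind of oversized commit value described in the article, one small tuning
# value. "EXAMPLE-AV-AGENT.exe" and "legacyapp.exe" are placeholder names.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="C:\\tools\\windbg.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EXAMPLE-AV-AGENT.exe]
"MinimumStackCommitInBytes"=dword:7fffffff

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\legacyapp.exe]
"MinimumStackCommitInBytes"=dword:00010000
"""

if __name__ == "__main__":
    for finding in parse_ifeo_export(SAMPLE_REG_EXPORT):
        flag = "SUSPICIOUS" if finding.suspicious else "ok"
        print(f"{finding.process:28s} commit=0x{finding.commit_bytes:08x}  {flag}")
```

The same registry path is a good candidate for a Sysmon RegistryEvent (Event ID 13, value set) rule, so that a new MinimumStackCommitInBytes value written under a security product's IFEO subkey is alerted on at write time rather than found later in an export.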
The two approaches are far from the only methods that can be used to degrade security products. Deep Instinct last month detailed a new code injection technique dubbed Dirty Vanity that exploits Windows’ remote fork mechanism to blind endpoint security solutions.
Additionally, the driver payload is installed as a kernel-level service using Microsoft Remote Procedure Call (RPC) instead of Windows APIs to evade detection.
Also seen in the attacks is the use of a DLL-based dropper called Roxwrapper to deliver another Cobalt Strike loader tagged BigpipeLoader, as well as a privilege escalation tool (dwm.exe) that abuses the Windows task scheduler to launch a given payload with SYSTEM privileges.
The specified payload, dllhost.exe, is a downloader that is capable of retrieving next-stage malware from an actor-controlled server.
It’s worth noting here that dwm.exe is based on an open-source proof-of-concept (PoC) available on GitHub, suggesting that the threat actor is taking inspiration from existing programs to refine its arsenal of malware.
Trend Micro also said it identified documents written in Vietnamese and Indonesian, indicating possible attempts to target users from both countries in the future.
“Earth Longzhi remains active and continues to improve its tactics, techniques and procedures (TTPs),” noted security researchers Ted Lee and Hara Hiroaki. “Organizations should remain vigilant against the continued development of new stealth schemes by cybercriminals.”
A hacker group which has been dormant since 2018 has resurfaced with more advanced techniques of playing havoc with users’ systems. The Chinese hacker group known as Earth Longzhi is reported to be targeting American companies with its advanced malware tactics.
The group, which focuses on espionage and theft, has been active since 2013. It has managed to remain undetected in cyberspace for many years. Emulating malware tactics used by other great hacker groups, Earth Longzhi has managed to bring new, more advanced cyber threats to the forefront.
The group’s malware, which has been named after one of Japan’s legendary networks, has been found to contain sophisticated code that allows it to exfiltrate data from infected computers, among other activities. According to researchers, Earth Longzhi’s malware is able to target not only computers but also mobile devices, allowing it to manipulate services and obtain access to valuable personal data.
At Ikaroa, a full stack tech company, we have seen firsthand the importance of having an understanding of the most current cyber threats, the proper systems in place, and the expertise to manage and counter those threats. For that reason, we have taken all the necessary steps to protect our clients and ourselves, including training our security personnel, developing protocols specific to the threat landscape, and working with industry experts on cyber security and compliance.
Given the constantly evolving nature of cyber threats, it is also essential to ensure that anti-malware software is updated with the latest release. Additionally, as Earth Longzhi’s malware is able to target mobile devices, it is important to be wary of any suspicious applications that might be present, as well as to take extra care when browsing online while on devices like smartphones or tablets.
At Ikaroa, we believe in keeping one step ahead of cyber threats, and this starts with being aware of the current threat landscape. As such, we are committed to continuing our mission of providing our users with up-to-date and comprehensive cyber security solutions.