The Chinese state-sponsored hacking group Earth Longzhi has resurfaced with new malware tactics.

After more than six months of inactivity, a Chinese state-sponsored hacking group has reemerged with a new campaign targeting government, healthcare, technology, and manufacturing organizations in Taiwan, Thailand, the Philippines, and Fiji. Cybersecurity firm Trend Micro has attributed the intrusion set to a cyber espionage group it tracks as Earth Longzhi, a subgroup of APT41 (also known as HOODOO or Winnti) that shares similarities with Earth Baku, SparklingGoblin, and GroupCC. Earth Longzhi was first documented by Trend Micro in November 2022, when it was attacking organizations in East and Southeast Asia as well as Ukraine. The attack chains exploit vulnerable public-facing applications as the entry point, deploy the BEHINDER web shell, and then drop a new variant of a Cobalt Strike loader called CroxLoader.

Trend Micro recently reported on a campaign that abuses a Windows Defender executable to perform DLL sideloading, while also exploiting a vulnerable driver, zamguard.sys, to disable security products installed on the hosts through a bring your own vulnerable driver (BYOVD) attack. This is not the first time Earth Longzhi has used BYOVD: previous campaigns employed the vulnerable RTCore64.sys driver to disable security products. The malware, dubbed SPHijacker, also employs a second method, referred to as "stack rumbling", to achieve the same objective. It makes Windows Registry changes that interrupt the process execution flow and deliberately cause the targeted applications to crash on launch. The technique is a form of denial of service that abuses the undocumented MinimumStackCommitInBytes value under the Image File Execution Options (IFEO) registry key.

The MinimumStackCommitInBytes value set under a process's IFEO subkey defines the minimum amount of stack to commit when the process's main thread is initialized. If that size is larger than the stack the image can provide, thread creation fails with a stack overflow exception and the process terminates before it can do any work, which is what takes the security product offline.
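The defensive counterpart to the technique above is a hunt for IFEO subkeys that carry a MinimumStackCommitInBytes value. The following is an added example, not Trend Micro's code or anything from the SPHijacker samples: it parses a registry export in the format produced by `reg.exe export` and flags every image whose IFEO subkey sets that value. The executable names in the sample export and the 1 MiB stack reserve threshold are assumptions for illustration (1 MiB is the common linker default for SizeOfStackReserve; an image built with a different reserve changes the crash boundary, so treat the flag as a hint and the presence of the value at all as the real signal).

```python
"""Hunt for 'stack rumbling' (MinimumStackCommitInBytes under IFEO) in a
registry export. Added example; not Trend Micro's code."""
import re
from dataclasses import dataclass

IFEO_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT"
            r"\CurrentVersion\Image File Execution Options")
# Assumption: most PE images reserve 1 MiB of stack (linker default). A
# commit larger than the reserve cannot be satisfied when the main thread
# starts, which is the failure the technique relies on.
DEFAULT_STACK_RESERVE = 1 << 20

# Constructed sample export (not a real capture); executable names are made up.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\av_service.exe]
"MinimumStackCommitInBytes"=dword:77fffffe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="\"C:\\tools\\dbg.exe\""
"Sample"=hex:01,02,\
  03,04

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\edr_agent.exe]
"MinimumStackCommitInBytes"=dword:00010000
"UseFilter"=dword:00000000
'''


@dataclass
class Finding:
    image: str          # IFEO subkey name, i.e. the targeted executable
    min_commit: int     # MinimumStackCommitInBytes as an integer
    likely_crash: bool  # True when the commit exceeds the assumed stack reserve


_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def parse_reg_export(text):
    """Parse a 'Windows Registry Editor Version 5.00' export into
    {key_path: {value_name: raw_data}}. Multi-line hex values are joined."""
    keys, current, pending = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if pending is not None:                 # continuation of a hex value
            name, data = pending
            data += line.rstrip("\\").strip()
            if line.endswith("\\"):
                pending = (name, data)
            else:
                keys[current][name] = data
                pending = None
            continue
        if not line or line.startswith(";") or line.startswith("Windows Registry"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = m.group(1) if m.group(1) is not None else "@"
            data = m.group(2)
            if data.endswith("\\"):
                pending = (name, data.rstrip("\\").strip())
            else:
                keys[current][name] = data
    return keys


def find_stack_rumbling(reg_text, stack_reserve=DEFAULT_STACK_RESERVE):
    """Return a Finding for every IFEO subkey carrying MinimumStackCommitInBytes."""
    findings = []
    for key, values in parse_reg_export(reg_text).items():
        if not key.lower().startswith(IFEO_KEY.lower() + "\\"):
            continue
        image = key[len(IFEO_KEY) + 1:]
        for name, data in values.items():
            if name.lower() != "minimumstackcommitinbytes":
                continue
            if not data.lower().startswith("dword:"):
                continue                        # exports write this value as REG_DWORD
            commit = int(data[len("dword:"):], 16)
            findings.append(Finding(image, commit, commit > stack_reserve))
    return findings


if __name__ == "__main__":
    for f in find_stack_rumbling(SAMPLE_EXPORT):
        print(f"{f.image}: MinimumStackCommitInBytes=0x{f.min_commit:x} "
              f"{'(exceeds stack reserve, process will not start)' if f.likely_crash else ''}")
```

On a live host the same check is an enumeration of the subkeys of `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options` (and the WOW6432Node mirror on 64-bit systems); there is no legitimate reason for an endpoint product's image name to carry this value, so any hit is worth an incident ticket regardless of the threshold.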

These two approaches are not the only ways to neutralize security products. Deep Instinct, for example, recently disclosed a new code injection technique, known as Dirty Vanity, that abuses the remote forking mechanism in Windows to bypass endpoint detection systems. In the Earth Longzhi campaign, the driver payload is also installed as a kernel-level service over Microsoft Remote Procedure Call (RPC) rather than through the usual Windows service APIs, in order to evade detection.

Trend Micro's analysis of the attacks also revealed a DLL-based dropper named Roxwrapper that delivers another Cobalt Strike loader, labeled BigpipeLoader, as well as a privilege escalation tool (dwm.exe) that abuses the Windows Task Scheduler to launch a given payload with SYSTEM privileges. That payload, dllhost.exe, is a downloader capable of retrieving next-stage malware from an actor-controlled server. Notably, dwm.exe is based on an open source proof-of-concept (PoC) available on GitHub, suggesting the threat actor draws on existing programs to refine its malware arsenal. Trend Micro also identified decoy documents written in Vietnamese and Indonesian, indicating potential attempts to target users in those two countries in the future. Ted Lee and Hara Hiroaki commented that "Earth Longzhi remains active and continues to improve its tactics, techniques, and procedures (TTPs). Organizations should stay vigilant against the continuous development of new stealthy schemes by cybercriminals."
