Friday, May 24, 2024

Chinese APT Hackers Using a Custom Versions of Cobalt Strike to Deploy Backdoor Malware

Security analysts at Trend Micro have recently tracked down ‘Earth Longzhi’, a previously unknown Chinese APT hacking group that is actively targeting several organizations in countries such as:-

  • East Asia
  • Southeast Asia
  • Ukraine

With the help of custom versions of Cobalt Strike loaders, the threat actors have been successfully planting persistent backdoors on the systems of their victims since at least 2020.

Link Earth Baku

There are several similarities between the tactics used by Earth Longzhi and Earth Baku, both of which are included in the APT41 hacking group, which is part of the Chinese government.

Based on the factors listed below, researchers believes that these threat actors may be part of APT41 since Earth Longzhi is a subgroup of APT41.

In Earth Longzhi’s campaign list of activities, there are two different campaigns that have been conducted by the group, and among the two campaigns, the first occurred between May 2020 and February 2021.

The following were some of the attacks that took place during that time period:-

  • Multiple infrastructure companies in Taiwan 
  • A government organization in Taiwan
  • A bank in China

Hacker Used Symatic Loader

This campaign was carried out with the help of a custom version of the Cobalt Strike loader known as Symatic which was specially designed for hackers to use. 

While this custom loader offers several stealthy features, and here below we have mentioned them:-

  • A method for restoring the functionality of the in-memory hooks of the Windows kernel utility ntdll.dll in the user mode by eliminating the hooks.
  • Making use of the API UpdateProcThreadAttribute to masquerade the parent process.
  • A payload that is decrypted is injected into an internal process built into the system (dllhost.exe or rundll32.exe).

Earth Longzhi used a hacking tool package that consisted of all the tools needed to conduct its primary operations. A combination of tools that are publicly available are included in this package as they have been compiled by the operators of Earth Longzhi.

It allows them to use a single executable to execute multiple operations at once simply because of the compressed nature of this tool.

Custom Loaders

A number of custom loaders of Cobalt Strike have been discovered, which also included samples uploaded to VirusTotal that were similar in nature. Here they are mentioned below:-

  • CroxLoader
  • BigpipeLoader
  • MultiPipeLoader
  • OutLoader

The following two tools are used for disabling security products:-

  • ProcBurner
  • AVBurner

Using both tools, the kernel object specified in the kernel definition is modified to comprise the value specified by the vulnerable driver (RTCore64.sys). While in this case, the ProcBurner works as a terminator since it is primarily intended to eliminate specific running processes.

ProcBurner supports the following Windows versions:-

  • Windows 7 SP1
  • Windows Server 2008 R2 SP1
  • Windows 8.1
  • Windows Server 2012 R2
  • Windows 10 1607
  • Windows 10 1809
  • Windows Server 2018 1809
  • Windows 10 20H2
  • Windows 10 21H1
  • Windows 11 21H2
  • Windows 11 22449
  • Windows 11 22523
  • Windows 11 22557

By removing the kernel callback routine for Security Products, AVBurner exploits the vulnerability in the vulnerable driver in order to unregister them.

There has been increasing use of commodity malware and attack frameworks such as Cobalt Strike by APT groups to conceal their tracks and take the spotlight away from them.

But it is still common for sophisticated hackers to use custom tools to stealth load payloads as well as bypass security tools. And Earth Longzhi is one of the clear examples of this since it is part of an APT group.

Managed DDoS Attack Protection for Applications – Download Free Guide


Latest articles

Hackers Weaponizing Microsoft Access Documents To Execute Malicious Program

In multiple aggressive phishing attempts, the financially motivated organization UAC-0006 heavily targeted Ukraine, utilizing...

Microsoft Warns Of Storm-0539’s Aggressive Gift Card Theft

Gift cards are attractive to hackers since they provide quick monetization for stolen data...

Kinsing Malware Attacking Apache Tomcat Server With Vulnerabilities

The scalability and flexibility of cloud platforms recently boosted the emerging trend of cryptomining...

NSA Releases Guidance On Zero Trust Maturity To Secure Application From Attackers

Zero Trust Maturity measures the extent to which an organization has adopted and implemented...

Chinese Hackers Stay Hidden On Military And Government Networks For Six Years

Hackers target military and government networks for varied reasons, primarily related to spying, which...

DNSBomb : A New DoS Attack That Exploits DNS Queries

A new practical and powerful Denial of service attack has been discovered that exploits...

Malicious PyPI & NPM Packages Attacking MacOS Users

Cybersecurity researchers have identified a series of malicious software packages targeting MacOS users.These...
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Free Webinar

Live API Attack Simulation

94% of organizations experience security problems in production APIs, and one in five suffers a data breach. As a result, cyber-attacks on APIs increased from 35% in 2022 to 46% in 2023, and this trend continues to rise.
Key takeaways include:

  • An exploit of OWASP API Top 10 vulnerability
  • A brute force ATO (Account Takeover) attack on API
  • A DDoS attack on an API
  • Positive security model automation to prevent API attacks

Related Articles