Chinese APT Hackers Using Custom Versions of Cobalt Strike to Deploy Backdoor Malware

Security analysts at Trend Micro have tracked down 'Earth Longzhi', a previously unknown Chinese APT group that is actively targeting organizations in the following areas:-

  • East Asia
  • Southeast Asia
  • Ukraine

Using custom versions of Cobalt Strike loaders, the group has been planting persistent backdoors on its victims' systems since at least 2020.

Link to Earth Baku

Earth Longzhi's tactics overlap considerably with those of Earth Baku, a known subgroup of APT41, the Chinese state-sponsored hacking group.

Based on these overlaps, the researchers assess that Earth Longzhi is itself a subgroup of APT41.

Trend Micro documented two distinct campaigns by the group. The first ran from May 2020 to February 2021.

Its targets in that period included:-

  • Multiple infrastructure companies in Taiwan
  • A government organization in Taiwan
  • A bank in China

Symatic Loader

This campaign used a custom Cobalt Strike loader that Trend Micro named Symatic.

The loader has several features designed to evade endpoint security tools:-

  • Removing user-mode API hooks from the in-memory copy of ntdll.dll by restoring the library's original code, so that hooks placed there by security products no longer see the loader's calls (ntdll.dll is the user-mode gateway to the kernel, not a kernel component).
  • Spoofing the parent process (PPID spoofing) with the UpdateProcThreadAttribute API, so that the process tree looks benign.
  • Injecting the decrypted payload into a built-in system process (dllhost.exe or rundll32.exe).
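The first of these features is a byte-for-byte comparison: the loader restores ntdll.dll's code from a clean copy, and a defender can run the same comparison in the other direction to find the hook. The block below is an added example, not Trend Micro's analysis code or anything from the Earth Longzhi tooling. It stands in constructed bytes for ntdll.dll: the export names, their offsets and the hook bytes are hypothetical, and the "memory" copy is built by patching the "disk" copy the way a user-mode EDR trampoline would.

```python
"""Inline-hook detection and restoration over a module's .text section.

Added example, not code from Trend Micro or the Earth Longzhi tooling.
EXPORTS, the offsets and the planted hook are constructed stand-ins for
ntdll.dll; the diff logic is what matters.
"""
import struct

# Hypothetical export table: export name -> offset of its stub inside .text.
EXPORTS = {
    "NtAllocateVirtualMemory": 0x10,
    "NtWriteVirtualMemory": 0x30,
    "NtCreateThreadEx": 0x50,
}
TEXT_SIZE = 0x80
PROLOGUE_LEN = 16  # bytes compared per export; inline hooks land in the first few


def syscall_stub(ssn: int) -> bytes:
    """x64 ntdll-style stub: mov r10,rcx ; mov eax,<ssn> ; syscall ; ret"""
    return b"\x4c\x8b\xd1" + b"\xb8" + struct.pack("<I", ssn) + b"\x0f\x05\xc3"


def build_disk_text() -> bytes:
    """Constructed on-disk .text: every export is a clean stub, padded with int3."""
    text = bytearray(b"\xcc" * TEXT_SIZE)
    for i, off in enumerate(EXPORTS.values()):
        stub = syscall_stub(0x18 + i)
        text[off:off + len(stub)] = stub
    return bytes(text)


def plant_jmp_hook(text: bytes, off: int, target: int) -> bytes:
    """Overwrite an export's first 5 bytes with 'jmp rel32', as an EDR trampoline would."""
    rel = target - (off + 5)
    patched = bytearray(text)
    patched[off:off + 5] = b"\xe9" + struct.pack("<i", rel)
    return bytes(patched)


def classify(mem: bytes) -> str:
    """Name the hook style from the first bytes found in memory."""
    if mem[0] == 0xE9:
        return "jmp rel32"
    if mem[:2] == b"\xff\x25":
        return "jmp [rip+disp32]"
    if mem[:2] == b"\x48\xb8" and mem[10:12] == b"\xff\xe0":
        return "mov rax,imm64 ; jmp rax"
    return "modified"


def find_hooks(disk_text: bytes, mem_text: bytes, exports=EXPORTS) -> dict:
    """Return {export: hook style} for every export whose prologue differs from disk.

    Caveat: a real scanner must apply relocations to the disk image before
    comparing; ntdll's syscall stubs contain none, so a raw diff is valid there.
    """
    hooks = {}
    for name, off in exports.items():
        if disk_text[off:off + PROLOGUE_LEN] != mem_text[off:off + PROLOGUE_LEN]:
            hooks[name] = classify(mem_text[off:off + PROLOGUE_LEN])
    return hooks


def restore_prologues(disk_text: bytes, mem_text: bytes, exports=EXPORTS) -> bytes:
    """Copy the clean prologues over the in-memory copy (the loader's unhooking step).

    On a live system this is bracketed by VirtualProtect calls to make the
    page writable and then restore its original protection.
    """
    fixed = bytearray(mem_text)
    for off in exports.values():
        fixed[off:off + PROLOGUE_LEN] = disk_text[off:off + PROLOGUE_LEN]
    return bytes(fixed)


if __name__ == "__main__":
    disk = build_disk_text()
    memory = plant_jmp_hook(disk, EXPORTS["NtWriteVirtualMemory"], target=0x1000)
    print("hooked:", find_hooks(disk, memory))
    print("after restore:", find_hooks(disk, restore_prologues(disk, memory)))
```

The same diff serves both sides: an EDR or a forensic scanner that sees a process whose ntdll prologues no longer match the mapped file has found either a hook it did not place or a loader that has just removed one, and the hook style tells which.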

Earth Longzhi also used an all-in-one hacking tool that bundles the publicly available tools needed for its main operations into a single executable. The operators compiled this package themselves, which lets them run multiple operations from one binary.

Custom Loaders

Trend Micro also found several other custom Cobalt Strike loaders, including similar samples that had been uploaded to VirusTotal:-

  • CroxLoader
  • BigpipeLoader
  • MultiPipeLoader
  • OutLoader

Two further tools are used to disable security products:-

  • ProcBurner
  • AVBurner

Both tools abuse the vulnerable driver RTCore64.sys, which gives a user-mode caller arbitrary read and write access to kernel memory, to modify the kernel objects they target (a bring-your-own-vulnerable-driver, or BYOVD, technique). ProcBurner uses this to terminate specific running processes.

ProcBurner is build-specific and supports the following Windows versions:-

  • Windows 7 SP1
  • Windows Server 2008 R2 SP1
  • Windows 8.1
  • Windows Server 2012 R2
  • Windows 10 1607
  • Windows 10 1809
  • Windows Server 2019 1809
  • Windows 10 20H2
  • Windows 10 21H1
  • Windows 11 21H2
  • Windows 11 22449
  • Windows 11 22523
  • Windows 11 22557

AVBurner exploits the same driver to unregister the kernel callback routines that security products register to monitor system activity, so those products stop receiving the notifications they depend on.
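Neither ProcBurner nor AVBurner can act before the vulnerable driver is loaded, and Symatic's injection hosts are ordinary system binaries started with no work to do, so both leave marks in process and driver telemetry. The block below is an added example, not Trend Micro's detection logic or anything from the Earth Longzhi tooling: it triages constructed Sysmon-style events (EventID 6 DriverLoad, EventID 1 ProcessCreate) for the tells described in the Symatic section above and in the ProcBurner/AVBurner paragraphs here. The events, paths and GUID are constructed for the example. Matching RTCore64.sys by file name is only a first filter, since a renamed copy defeats it; production rules key on the driver's hash and Microsoft's vulnerable driver blocklist as well.

```python
"""Triage of Sysmon-style telemetry for the tradecraft described on this page.

Added example, not code from Trend Micro or the Earth Longzhi tooling. The
events are constructed dictionaries using Sysmon field names; no live log is
read. Driver matching is by name only and must be backed by hash rules.
"""
import re

# Driver abused as the BYOVD primitive on this page (ProcBurner, AVBurner).
VULNERABLE_DRIVER_NAMES = {"rtcore64.sys"}

# Splits a command line into the (possibly quoted) executable and its arguments.
_EXE_AND_ARGS = re.compile(r'^\s*(?:"[^"]*"|\S+)\s*(.*)$', re.S)
# Legitimate dllhost.exe runs as a COM surrogate with /Processid:{GUID}.
_COM_SURROGATE = re.compile(
    r"/processid:\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}", re.I
)


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _arguments(command_line: str) -> str:
    """Everything after the executable path (minimal Windows quoting handling)."""
    match = _EXE_AND_ARGS.match(command_line or "")
    return match.group(1).strip() if match else ""


def triage(event: dict):
    """Return a reason string if the event shows one of the page's tells, else None."""
    if event["EventID"] == 6:
        driver = _basename(event["ImageLoaded"])
        if driver in VULNERABLE_DRIVER_NAMES:
            return (f"vulnerable driver loaded: {driver} "
                    "(possible BYOVD, precursor to process killing / callback removal)")
        return None
    if event["EventID"] == 1:
        image = _basename(event["Image"])
        args = _arguments(event.get("CommandLine", ""))
        # rundll32.exe with no DLL to run and dllhost.exe with no COM surrogate
        # GUID have nothing legitimate to do: classic sacrificial injection hosts.
        if image == "rundll32.exe" and not args:
            return "rundll32.exe started with no DLL argument (possible injection host)"
        if image == "dllhost.exe" and not _COM_SURROGATE.search(args):
            return "dllhost.exe started without /Processid:{GUID} (possible injection host)"
    return None


def triage_all(events):
    """Return [(index, reason)] for every event that triage() flags."""
    hits = []
    for i, ev in enumerate(events):
        reason = triage(ev)
        if reason:
            hits.append((i, reason))
    return hits


# Constructed sample events, not taken from any real incident. The GUID is a placeholder.
SAMPLE_EVENTS = [
    {"EventID": 6, "ImageLoaded": r"C:\Users\Public\RTCore64.sys", "Signed": "true"},
    {"EventID": 6, "ImageLoaded": r"C:\Windows\System32\drivers\ndis.sys", "Signed": "true"},
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'"C:\Windows\System32\rundll32.exe"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL"},
    {"EventID": 1, "Image": r"C:\Windows\System32\dllhost.exe",
     "CommandLine": r"C:\Windows\System32\DllHost.exe /Processid:{00000000-1111-2222-3333-444444444444}"},
    {"EventID": 1, "Image": r"C:\Windows\System32\dllhost.exe",
     "CommandLine": r"dllhost.exe"},
]

if __name__ == "__main__":
    for index, reason in triage_all(SAMPLE_EVENTS):
        print(index, reason)
```

On the sample set this flags the RTCore64.sys load, the argument-less rundll32.exe and the bare dllhost.exe, and leaves the normal driver and the two legitimate process starts alone. Note that the driver load is the only observable common to both ProcBurner and AVBurner; once AVBurner has unregistered a product's callbacks, that product's own telemetry goes quiet, so the alert has to come from a source the driver has not yet silenced.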

APT groups increasingly rely on commodity malware and attack frameworks such as Cobalt Strike, which lets their activity blend in with that of other actors and complicates attribution.

Even so, sophisticated actors still build custom tools to load payloads stealthily and to bypass security products, and Earth Longzhi is a clear example of this.


Balaji

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.
