Security analysts at Trend Micro have recently tracked down ‘Earth Longzhi’, a previously unknown Chinese APT hacking group that is actively targeting several organizations in countries such as:-
With the help of custom versions of Cobalt Strike loaders, the threat actors have been successfully planting persistent backdoors on the systems of their victims since at least 2020.
There are several similarities between the tactics used by Earth Longzhi and Earth Baku, both of which are included in the APT41 hacking group, which is part of the Chinese government.
Based on the factors listed below, researchers believes that these threat actors may be part of APT41 since Earth Longzhi is a subgroup of APT41.
In Earth Longzhi’s campaign list of activities, there are two different campaigns that have been conducted by the group, and among the two campaigns, the first occurred between May 2020 and February 2021.
The following were some of the attacks that took place during that time period:-
This campaign was carried out with the help of a custom version of the Cobalt Strike loader known as Symatic which was specially designed for hackers to use.
While this custom loader offers several stealthy features, and here below we have mentioned them:-
Earth Longzhi used a hacking tool package that consisted of all the tools needed to conduct its primary operations. A combination of tools that are publicly available are included in this package as they have been compiled by the operators of Earth Longzhi.
It allows them to use a single executable to execute multiple operations at once simply because of the compressed nature of this tool.
A number of custom loaders of Cobalt Strike have been discovered, which also included samples uploaded to VirusTotal that were similar in nature. Here they are mentioned below:-
The following two tools are used for disabling security products:-
Using both tools, the kernel object specified in the kernel definition is modified to comprise the value specified by the vulnerable driver (RTCore64.sys). While in this case, the ProcBurner works as a terminator since it is primarily intended to eliminate specific running processes.
ProcBurner supports the following Windows versions:-
By removing the kernel callback routine for Security Products, AVBurner exploits the vulnerability in the vulnerable driver in order to unregister them.
There has been increasing use of commodity malware and attack frameworks such as Cobalt Strike by APT groups to conceal their tracks and take the spotlight away from them.
But it is still common for sophisticated hackers to use custom tools to stealth load payloads as well as bypass security tools. And Earth Longzhi is one of the clear examples of this since it is part of an APT group.
Managed DDoS Attack Protection for Applications – Download Free Guide
Researchers observed Lumma Stealer activity across multiple online samples, including PowerShell scripts and a disguised…
Palo Alto Networks reported the Contagious Interview campaign in November 2023, a financially motivated attack…
The recent discovery of the NjRat 2.3D Professional Edition on GitHub has raised alarms in…
A critical vulnerability, CVE-2024-3393, has been identified in the DNS Security feature of Palo Alto…
Threat Analysts have reported alarming findings about the "Araneida Scanner," a malicious tool allegedly based…
A major dark web operation dedicated to circumventing KYC (Know Your Customer) procedures, which involves…