Chinese Hacker Group Earth Longzhi Resurfaces with Advanced Malware Tactics

May 3, 2023 | Ravie Lakshmanan | Cyber Espionage / Malware


After more than six months of inactivity, a Chinese government-backed hacking group has resurfaced with new campaigns targeting government, healthcare, technology, and manufacturing organizations based in Taiwan, Thailand, the Philippines, and Fiji.

Trend Micro has attributed the series of intrusions to a cyber espionage group it tracks as Earth Longzhi, a subgroup within APT41 (aka HOODOO or Winnti) that overlaps with various other clusters known as Earth Baku, SparklingGoblin, and GroupCC.

Earth Longzhi was first documented by the cybersecurity firm in November 2022, detailing attacks against various organizations located in East Asia, Southeast Asia, and Ukraine.

The attack chain launched by the threat actor uses a publicly accessible vulnerable application as the entry point to deploy the BEHINDER web shell, then uses that access to drop additional payloads, including a new variant of a Cobalt Strike loader called CroxLoader.


“This recent campaign […] abuses a Windows Defender executable to perform DLL sideloading, while also exploiting the vulnerable driver zamguard.sys to disable security products installed on the host via a Bring Your Own Vulnerable Driver (BYOVD) attack,” Trend Micro said.

This is not the first time Earth Longzhi has used BYOVD techniques. Previous campaigns used the vulnerable RTCore64.sys driver to restrict the execution of security products.

Called SPHijacker, the malware also employs a second method called “Stack Rambling” to achieve the same goal. This method modifies the Windows registry to interrupt the execution flow of the process and deliberately crash the target application on startup.

“This technique is a kind of [denial-of-service] attack exploiting the undocumented MinimumStackCommitInBytes value in the [Image File Execution Options] registry key,” Trend Micro explains.


“The MinimumStackCommitInBytes value associated with a particular process in the IFEO registry key is used to define the minimum size of the stack to commit at initialization of the main thread. If the stack size is too large, a stack overflow exception is triggered and terminates the current process.”
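A defender-side check for the mechanism just described, added here as an example and not code from the article or from Trend Micro: it walks the IFEO registry tree and lists every per-image key that carries a MinimumStackCommitInBytes value, so entries created for security-product executables can be reviewed. The 1 GB threshold is a constructed heuristic, not a documented limit.

```powershell
# Added example: audit Image File Execution Options (IFEO) for per-image
# MinimumStackCommitInBytes values, the setting abused by "Stack Rambling".
# Assumes read access to HKLM; run in an elevated PowerShell session.

$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

# Constructed threshold: any value this large is far beyond a sane stack commit.
$suspiciousBytes = 1GB

$findings = foreach ($key in Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue) {
    $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
    if ($null -eq $props.MinimumStackCommitInBytes) { continue }

    # REG_DWORD comes back as a signed Int32; mask it so values >= 0x80000000
    # are reported as the unsigned number the loader actually sees.
    $bytes = [uint64]($props.MinimumStackCommitInBytes -band 0xFFFFFFFF)

    [pscustomobject]@{
        Image      = $key.PSChildName
        Bytes      = $bytes
        Suspicious = ($bytes -ge $suspiciousBytes)
        KeyPath    = $key.Name
    }
}

if (-not $findings) {
    Write-Output "No IFEO entries define MinimumStackCommitInBytes."
} else {
    # Any entry deserves a look; flagged ones should be treated as a likely
    # attempt to crash the named process on startup.
    $findings | Sort-Object Bytes -Descending | Format-Table -AutoSize
}
```

A finding keyed to an endpoint-security binary is a strong indicator on its own, regardless of the value's size.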

The two approaches are not the only methods that can be used to compromise security products. Last month, Deep Instinct detailed a new code injection technique dubbed Dirty Vanity that exploits Windows’ remote forking mechanism to blind endpoint detection systems.

Additionally, the driver payload is installed as a kernel-level service using Microsoft Remote Procedure Calls (RPC) instead of Windows APIs to avoid detection.


The attack has also been observed delivering a DLL-based dropper named Roxwrapper, another Cobalt Strike loader labeled BigpipeLoader, and a privilege escalation tool (dwm.exe) that abuses the Windows Task Scheduler to launch a specified payload with SYSTEM privileges.

The specified payload, dllhost.exe, is a downloader that can retrieve the next stage of malware from an attacker-controlled server.

It’s worth pointing out here that dwm.exe is based on an open source proof of concept (PoC) available on GitHub. This suggests that attackers are drawing inspiration from existing programs to refine their malware arsenal.

Trend Micro also said it had identified decoy documents written in Vietnamese and Indonesian, suggesting future attempts to target users in both countries.

“Earth Longzhi remains active and continues to improve its tactics, techniques and procedures (TTPs),” said security researchers Ted Lee and Hara Hiroaki. “Organizations should remain vigilant against the continued development of new stealth schemes by cybercriminals.”
