A previously unknown Chinese APT (Advanced Persistent Threat) hacking group, dubbed "Earth Longzhi", is targeting organizations in East Asia, Southeast Asia and Ukraine.
The threat actors have been active since at least 2020, using customized versions of Cobalt Strike loaders to implant persistent backdoors into victim systems.
According to a new report from Trend Micro, Earth Longzhi's TTPs (tactics, techniques and procedures) resemble those of "Earth Baku"; both are considered subgroups of the state-backed hacking group tracked as 'APT41'.
The Historic Earth Longzhi Campaign
The Trend Micro report describes two campaigns conducted by Earth Longzhi, the first of which took place between May 2020 and February 2021.
During that period, the hackers attacked several infrastructure companies in Taiwan, a bank in China, and a government organization in Taiwan.
In this campaign, the hackers used the custom Cobalt Strike loader "Symatic", which has an advanced anti-detection system with the following features:
- Remove API hooks from 'ntdll.dll' by reading the raw contents of the file from disk and replacing the in-memory ntdll image with a clean copy that security tools are not monitoring.
- Create a new process for process injection and spoof its parent process (parent PID spoofing) to obfuscate the execution chain.
- Inject the decrypted payload into the newly created process.
For its main operations, Earth Longzhi used an all-in-one hacking tool that bundles several publicly available tools into a single package.
This tool can open a SOCKS5 proxy, perform password scans against MS SQL servers, disable Windows File Protection, change file timestamps, scan ports, launch new processes, perform RID hijacking, enumerate drives and execute commands through "SQLExecDirect".
2022 marketing campaign
The second campaign observed by Trend Micro lasted from August 2021 to June 2022, targeting insurance and urban development companies in the Philippines and aviation companies in Thailand and Taiwan.
In these more recent attacks, Earth Longzhi deployed a new set of custom Cobalt Strike loaders that use different decryption algorithms and add features for performance (multi-threading) and effectiveness (decoy documents).
Injecting the Cobalt Strike payload into a newly created process entirely in memory remains the same as in Symatic; the payload never touches disk, which reduces the chance of detection.
A variant of BigpipeLoader follows a very different payload loading chain: it side-loads a DLL (WTSAPI32.dll) through a legitimate application (wusa.exe) to run the loader (chrome.inf) and inject Cobalt Strike into memory.
Once Cobalt Strike runs on the target, the hackers use a customized version of Mimikatz to steal credentials and rely on the "PrintNightmare" and "PrintSpoofer" exploits for privilege escalation.
To disable security products on the host, Earth Longzhi uses a tool called "ProcBurner", which abuses a vulnerable driver (RTCore64.sys) to modify the required kernel objects.
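The side-loading chain above (wusa.exe picking up an attacker-supplied WTSAPI32.dll) leaves a characteristic trace in image-load telemetry. The following is an added detection example written for this page; it is neither Trend Micro's code nor the attacker's tooling. It assumes Sysmon-style "Image loaded" (Event ID 7) records with the fields Image, ImageLoaded, Signature and SignatureStatus; the SAMPLE_EVENTS are constructed, not captured logs.

```python
"""Detect the wusa.exe / WTSAPI32.dll side-loading pattern.

Added example for this page (not Trend Micro's or the actor's code).
Assumes Sysmon-style Event ID 7 records; SAMPLE_EVENTS are constructed.
"""
from pathlib import PureWindowsPath

# (host binary, DLL it is expected to resolve from a system directory).
# wusa.exe / WTSAPI32.dll is the pair from the article; extend as needed.
SIDELOAD_PAIRS = {("wusa.exe", "wtsapi32.dll")}

# Directories from which a Windows system DLL is legitimately loaded.
SYSTEM_DIRS = (
    PureWindowsPath(r"C:\Windows\System32"),
    PureWindowsPath(r"C:\Windows\SysWOW64"),
    PureWindowsPath(r"C:\Windows\WinSxS"),
)


def in_system_dir(image_path: str) -> bool:
    """True if image_path sits in, or below, one of SYSTEM_DIRS.

    PureWindowsPath compares case-insensitively, so C:\\WINDOWS\\system32
    matches C:\\Windows\\System32 as it would on a real host.
    """
    p = PureWindowsPath(image_path)
    return any(d == p.parent or d in p.parents for d in SYSTEM_DIRS)


def detect_sideload(events):
    """Return one finding per watch-listed pair that was loaded suspiciously."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 7:
            continue
        host = PureWindowsPath(ev["Image"]).name.lower()
        dll = PureWindowsPath(ev["ImageLoaded"]).name.lower()
        if (host, dll) not in SIDELOAD_PAIRS:
            continue
        reasons = []
        # Copying the signed host binary somewhere writable is the usual first step.
        if not in_system_dir(ev["Image"]):
            reasons.append("host binary running outside a system directory")
        # The DLL search order finds the attacker's copy next to the binary first.
        if not in_system_dir(ev["ImageLoaded"]):
            reasons.append("DLL resolved from outside a system directory")
        # In Event ID 7 the Signature fields describe the loaded image, not the process.
        if ev.get("SignatureStatus") != "Valid" or "Microsoft" not in ev.get("Signature", ""):
            reasons.append("loaded DLL is not validly Microsoft-signed")
        if reasons:
            findings.append({"host": host, "dll": dll, "image": ev["Image"],
                             "loaded": ev["ImageLoaded"], "reasons": reasons})
    return findings


# Constructed sample telemetry (not real logs): a benign System32 load, a
# benign WinSxS load (directory name made up), one side-load from a
# user-writable folder, an unrelated DLL load, and a non-image-load event.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Windows\System32\wusa.exe",
     "ImageLoaded": r"C:\Windows\System32\wtsapi32.dll",
     "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"EventID": 7, "Image": r"C:\Windows\SysWOW64\wusa.exe",
     "ImageLoaded": r"C:\Windows\WinSxS\wow64_example_component\wtsapi32.dll",
     "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"EventID": 7, "Image": r"C:\Users\Public\wusa.exe",
     "ImageLoaded": r"C:\Users\Public\WTSAPI32.dll",
     "Signature": "", "SignatureStatus": "Unavailable"},
    {"EventID": 7, "Image": r"C:\Users\Public\wusa.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"EventID": 1, "Image": r"C:\Users\Public\wusa.exe"},
]

if __name__ == "__main__":
    for f in detect_sideload(SAMPLE_EVENTS):
        print(f"{f['image']} loaded {f['loaded']}: " + "; ".join(f["reasons"]))
```

The rule deliberately keys on the (host, DLL) pair rather than on the DLL name alone: wtsapi32.dll is loaded legitimately by many processes, whereas a copy of wusa.exe running from a user-writable directory and resolving it from the same directory is the side-loading signature itself. The signature check is a third, independent signal, since the planted DLL is normally not Microsoft-signed.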
"ProcBurner is designed to terminate specific running processes," Trend Micro explains in the report.
"In simple terms, it tries to modify the protection of the target process by forcibly patching the access permission in the kernel space using the vulnerable RTCore64.sys."
Notably, the same MSI Afterburner driver is also used by BlackByte ransomware in BYOVD (Bring Your Own Vulnerable Driver) attacks that abuse it to bypass over a thousand security protections.
ProcBurner first detects the operating system, because the kernel patching procedure differs by version. The tool supports the following versions:
- Windows 7 SP1
- Windows Server 2008 R2 SP1
- Windows 8.1
- Windows Server 2012 R2
- Windows 10 1607, 1809, 20H2, 21H1
- Windows Server 2019 1809
- Windows 11 21H2, 22449, 22523, 22557
A second defense-evasion tool, "AVBurner", also abuses the vulnerable driver to unregister security products by removing their callback routines from the kernel.
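Both ProcBurner and AVBurner depend on the same precondition: getting the vulnerable RTCore64.sys loaded on the host. That driver load is the cheapest place to catch the technique. The block below is an added triage example written for this page; it is not Trend Micro's code and not either tool. It assumes Sysmon-style "Driver loaded" (Event ID 6) records with the fields ImageLoaded, Hashes, Signature and SignatureStatus; the SAMPLE_EVENTS, the signer string and the hash in HASH_DENYLIST are constructed placeholders, not the real driver's hash or real logs.

```python
"""Triage driver-load telemetry for BYOVD (vulnerable RTCore64.sys).

Added example for this page (not Trend Micro's code, not the tool itself).
Assumes Sysmon-style Event ID 6 records; samples and hashes are constructed.
"""
from pathlib import PureWindowsPath

# Driver file name the article ties to this actor's BYOVD tooling.
KNOWN_VULNERABLE_DRIVERS = {"rtcore64.sys"}

# Constructed placeholder, NOT the real RTCore64.sys hash. In production
# populate this from a maintained vulnerable-driver blocklist.
PLACEHOLDER_SHA256 = "ab" * 32
HASH_DENYLIST = {PLACEHOLDER_SHA256}

# Locations from which properly installed drivers are normally loaded.
DRIVER_DIRS = (
    PureWindowsPath(r"C:\Windows\System32\drivers"),
    PureWindowsPath(r"C:\Windows\System32\DriverStore\FileRepository"),
)


def parse_hashes(field: str) -> dict:
    """Parse Sysmon's 'ALGO=hex,ALGO=hex' Hashes field into {ALGO: hex_lower}."""
    out = {}
    for item in field.split(","):
        if "=" in item:
            algo, value = item.split("=", 1)
            out[algo.strip().upper()] = value.strip().lower()
    return out


def in_driver_dir(path: str) -> bool:
    p = PureWindowsPath(path)
    return any(d == p.parent or d in p.parents for d in DRIVER_DIRS)


def triage_driver_loads(events, denylist=HASH_DENYLIST):
    """Return findings for driver loads that match the BYOVD pattern.

    'high' means the driver is known-vulnerable (name or hash match) and
    should be blocked regardless of path or signature; 'medium' means the
    load is merely anomalous and needs a look.
    """
    findings = []
    for ev in events:
        if ev.get("EventID") != 6:
            continue
        path = ev["ImageLoaded"]
        name = PureWindowsPath(path).name.lower()
        hashes = parse_hashes(ev.get("Hashes", ""))
        reasons, severity = [], "medium"
        if name in KNOWN_VULNERABLE_DRIVERS:
            reasons.append("file name on vulnerable-driver list")
            severity = "high"
        if hashes.get("SHA256") in denylist:
            reasons.append("SHA256 on vulnerable-driver denylist")
            severity = "high"
        # Dropped drivers are typically loaded from a user-writable directory.
        if not in_driver_dir(path):
            reasons.append("loaded from outside the driver directories")
        # Caveat: RTCore64.sys carries a valid vendor signature, so this rule
        # alone never catches it. It only flags unsigned or broken signatures.
        if ev.get("SignatureStatus") != "Valid":
            reasons.append("signature not valid")
        if reasons:
            findings.append({"driver": name, "path": path,
                             "signer": ev.get("Signature", ""),
                             "severity": severity, "reasons": reasons})
    return findings


# Constructed sample telemetry (not real logs). Signer strings are made up.
SAMPLE_EVENTS = [
    {"EventID": 6, "ImageLoaded": r"C:\Users\Public\RTCore64.sys",
     "Hashes": "SHA256=" + PLACEHOLDER_SHA256,
     "Signature": "Example Vendor", "SignatureStatus": "Valid"},
    {"EventID": 6, "ImageLoaded": r"C:\Windows\System32\drivers\ndis.sys",
     "Hashes": "SHA256=" + "cd" * 32,
     "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"EventID": 6, "ImageLoaded": r"C:\Windows\Temp\tmp.sys",
     "Hashes": "SHA256=" + "ef" * 32,
     "Signature": "", "SignatureStatus": "Unavailable"},
]

if __name__ == "__main__":
    for f in triage_driver_loads(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['path']}: " + "; ".join(f["reasons"]))
```

The point the first sample makes is the one that matters for BYOVD: the vulnerable driver is legitimately signed and loads cleanly, so "is the signature valid?" is not a defence. Only a name or hash denylist (enforced, for example, through a WDAC policy or the vulnerable driver blocklist with HVCI) stops the load before ProcBurner can patch process protections or AVBurner can strip the kernel notify callbacks that security products register.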
Commodity + Customized
APT groups are increasingly relying on commodity malware and attack frameworks like Cobalt Strike to hide their tracks and make attribution difficult.
However, sophisticated hackers still develop and use custom tools for stealthy payload loading and for bypassing security software.
By following these tactics, Earth Longzhi has managed to remain undetected for at least 2.5 years, and following this exposure by Trend Micro, the group is likely to move on to new tactics.
Source: https://news.google.com/__i/rss/rd/articles/CBMia2h0dHBzOi8vd3d3LmJsZWVwaW5nY29tcHV0ZXIuY29tL25ld3Mvc2VjdXJpdHkvbmV3LWhhY2tpbmctZ3JvdXAtdXNlcy1jdXN0b20tc3ltYXRpYy1jb2JhbHQtc3RyaWtlLWxvYWRlcnMv0gFvaHR0cHM6Ly93d3cuYmxlZXBpbmdjb21wdXRlci5jb20vbmV3cy9zZWN1cml0eS9uZXctaGFja2luZy1ncm91cC11c2VzLWN1c3RvbS1zeW1hdGljLWNvYmFsdC1zdHJpa2UtbG9hZGVycy9hbXAv?oc=5