Chinese Hacker Group Earth Longzhi Resurfaces with Advanced Malware Tactics

May 03, 2023Ravie LakshmananCyber Espionage / Malware

A Chinese state-sponsored hacking outfit has resurfaced with a new campaign targeting government, healthcare, technology, and manufacturing entities based in Taiwan, Thailand, the Philippines, and Fiji after more than six months of no activity.

Trend Micro attributed the intrusion set to a cyber espionage group it tracks under the name Earth Longzhi, which is a subgroup within APT41 (aka HOODOO or Winnti) and shares overlaps with various other clusters known as Earth Baku, SparklingGoblin, and GroupCC.

Earth Longzhi was first documented by the cybersecurity firm in November 2022, detailing its attacks against various organizations located in East and Southeast Asia as well as Ukraine.

Attack chains mounted by the threat actor leverage vulnerable public-facing applications as entry points to deploy the BEHINDER web shell, and then leverage that access to drop additional payloads, including a new variant of a Cobalt Strike loader called CroxLoader.

“This recent campaign […] abuses a Windows Defender executable to perform DLL sideloading while also exploiting a vulnerable driver, zamguard.sys, to disable security products installed on the hosts via a bring your own vulnerable driver (BYOVD) attack,” Trend Micro said.

It’s by no means the first time Earth Longzhi has leveraged the BYOVD technique, what with previous campaigns utilizing the vulnerable RTCore64.sys driver to restrict the execution of security products.

The malware, dubbed SPHijacker, also employs a second method referred to as “stack rumbling” to achieve the same objective, which entails making Windows Registry changes to interrupt the process execution flow and deliberately cause the targeted applications to crash upon launch.

“This technique is a type of [denial-of-service] attack that abuses undocumented MinimumStackCommitInBytes values in the [Image File Execution Options] registry key,” Trend Micro explained.

“The value of MinimumStackCommitInBytes associated with a specific process in the IFEO registry key will be used to define the minimum size of stack to commit in initializing the main thread. If the stack size is too large, it will trigger a stack overflow exception and terminate the current process.”

The twin approaches are far from the only methods that can be used to impair security products. Deep Instinct, last month, detailed a new code injection technique christened Dirty Vanity that exploits the remote forking mechanism in Windows to blindside endpoint detection systems.

What’s more, the driver payload is installed as a kernel-level service using Microsoft Remote Procedure Call (RPC) as opposed to Windows APIs to evade detection.

Also observed in the attacks is the use of a DLL-based dropper named Roxwrapper to deliver another Cobalt Strike loader labeled BigpipeLoader as well as a privilege escalation tool (dwm.exe) that abuses the Windows Task Scheduler to launch a given payload with SYSTEM privileges.

The specified payload, dllhost.exe, is a downloader that’s capable of retrieving next-stage malware from an actor-controlled server.

It’s worth pointing out here that dwm.exe is based on an open source proof-of-concept (PoC) available on GitHub, suggesting that the threat actor is drawing inspiration from existing programs to hone its malware arsenal.

Trend Micro further said it identified decoy documents written in Vietnamese and Indonesian, indicating potential attempts to target users in the two countries in the future.

“Earth Longzhi remains active and continues to improve its tactics, techniques, and procedures (TTPs),” security researchers Ted Lee and Hara Hiroaki noted. “Organizations should stay vigilant against the continuous development of new stealthy schemes by cybercriminals.”